On Fri, Oct 14, 2016 at 11:53:30AM +0200, Pablo Neira Ayuso wrote:
[...]
> BTW, looking at ipt_mangle_out():
>
>         ret = ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
>         /* Reroute for ANY change. */
>         if (ret != NF_DROP && ret != NF_STOLEN) {
>                 iph = ip_hdr(skb);
>
>                 if (iph->saddr != saddr ||
>                     iph->daddr != daddr ||
>                     skb->mark != mark ||
>                     iph->tos != tos) {
>                         err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
>                         if (err < 0)
>                                 ret = NF_DROP_ERR(err);
>                 }
>         }
>
> It seems that we're triggering an expensive re-reroute for dropped
> packets from the mangle table, since ret != NF_DROP evaluates false
> given the errno number is encoded in the most significant 16 bits.

Forget this, we never see errno at this stage, so this is fine.
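The verdict encoding behind the concern raised above, as an added userspace example that is not part of the thread: the NF_* values and the NF_DROP_ERR()/NF_DROP_GETERR() macros are copied from the kernel's netfilter headers so the file builds outside the kernel, and reroute_naive()/reroute_masked() are hypothetical helpers that contrast the bare comparison in ipt_mangle_out() with one that masks the verdict byte first.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors the kernel definitions (include/uapi/linux/netfilter.h and
 * include/linux/netfilter.h); redefined here so the example builds in userspace. */
#define NF_DROP            0
#define NF_ACCEPT          1
#define NF_STOLEN          2
#define NF_VERDICT_MASK    0x000000ff
/* Negative errno goes into the upper 16 bits, the verdict stays in the low byte. */
#define NF_DROP_ERR(x)     (((-(x)) << 16) | NF_DROP)
#define NF_DROP_GETERR(x)  (-((x) >> 16))

/* The test exactly as written in ipt_mangle_out(): only a bare NF_DROP
 * (or NF_STOLEN) skips the reroute; an errno-carrying drop does not. */
static bool reroute_naive(unsigned int ret)
{
    return ret != NF_DROP && ret != NF_STOLEN;
}

/* Masked variant: look only at the verdict byte, so NF_DROP_ERR(-EINVAL)
 * is treated as a drop and the reroute is skipped. */
static bool reroute_masked(unsigned int ret)
{
    unsigned int verdict = ret & NF_VERDICT_MASK;
    return verdict != NF_DROP && verdict != NF_STOLEN;
}

int main(void)
{
    unsigned int plain = NF_DROP;
    unsigned int with_err = NF_DROP_ERR(-EINVAL);   /* constructed sample verdict */

    printf("NF_DROP_ERR(-EINVAL) = 0x%08x, decoded errno = %d\n",
           with_err, NF_DROP_GETERR(with_err));
    printf("plain drop: naive=%d masked=%d\n",
           reroute_naive(plain), reroute_masked(plain));
    printf("drop+errno: naive=%d masked=%d\n",
           reroute_naive(with_err), reroute_masked(with_err));
    return 0;
}
```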