I'm developing some chains/rules for use in the mangle table which will make use of connection marking for packets related to TCP servers running on the local machine. I want to modify packets sent by the local server based on information in incoming packets. It seems to me that the obvious way to do this is to mark the connection appropriately in the mangle INPUT chain and then modify the outgoing packets in the OUTPUT chain based on the connection marks.

However, I'm concerned about the atomicity of packet processing by xtables. Since incoming packets may not be synchronized with outgoing packets, there is the possibility that the INPUT chain rules might be modifying the connection marking at the same time that the OUTPUT chain rules are using the mark to modify the packet. Even worse, I'm considering building up the connection mark in the INPUT chain one bit at a time, and the correct mark won't be in place until after all rules in the INPUT chain (or subchains) are completed.

So my questions are:

Does iptables/xtables fully process one packet at a time, or can multiple packets be in various tables/chains at the same time? If the answer is multiple packets, can someone suggest a way for these packets/connections to make processing single threaded AND run to completion?

On a related note, how atomic is single rule processing? If in a single rule I use CONNMARK to mark a connection, can I assume that no other CONNMARK can modify the mark at the same time? (--set-xmark involves two operations: zeroing based on mask and XOR based on value, which may be a race condition.)

If there are any other issues involving connection marks/parallel processing/race conditions etc., I would like to hear about them as well.

Thanks,
Bill Bogstad
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
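The following is an added example, not part of the original post or a reply on the list. It shows one way to structure the design Bill describes so that the connection mark is never observed half-built: each classification bit is set on the packet mark (which belongs to that skb alone, so no other packet or CPU sees it), and the finished value is copied to the connection mark with a single CONNMARK --save-mark at the end of the chain. Classification runs only on the NEW packet of each TCP connection, so there is no later INPUT rule rewriting the connmark while OUTPUT reads it; the OUTPUT side restores the mark and rewrites DSCP on the server's replies. The bit meanings (dport 80, dport 443, RFC 1918 source, low TTL), the chain name CLASSIFY_IN and the DSCP values are constructed for illustration. The script only prints an iptables-restore ruleset unless run with --apply, which assumes root and a kernel with the mangle table, conntrack, CONNMARK and DSCP targets available.

```shell
#!/bin/sh
# Added example: build a per-connection mark bit by bit on the PACKET mark,
# then publish it to the connection mark in one CONNMARK --save-mark.
# Prints an iptables-restore ruleset; applies it only with --apply.
set -eu

IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# Low nibble of the mark carries classification bits (assumed layout):
#   0x1 = HTTP (dport 80)     0x2 = HTTPS (dport 443)
#   0x4 = RFC 1918 source     0x8 = incoming TTL below 64
MARK_MASK=0xf

gen_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CLASSIFY_IN - [0:0]
# Classify once, on the first packet of each TCP connection to a local server.
# The conntrack entry is still unconfirmed here and no reply exists yet, so
# nothing in OUTPUT can race with the classification of this connection.
-A INPUT -p tcp -m conntrack --ctstate NEW -j CLASSIFY_IN
# Start from a clean classification nibble on the packet mark (skb-private).
-A CLASSIFY_IN -j MARK --set-xmark 0x0/${MARK_MASK}
-A CLASSIFY_IN -p tcp --dport 80 -j MARK --set-xmark 0x1/0x1
-A CLASSIFY_IN -p tcp --dport 443 -j MARK --set-xmark 0x2/0x2
-A CLASSIFY_IN -s 10.0.0.0/8 -j MARK --set-xmark 0x4/0x4
-A CLASSIFY_IN -s 172.16.0.0/12 -j MARK --set-xmark 0x4/0x4
-A CLASSIFY_IN -s 192.168.0.0/16 -j MARK --set-xmark 0x4/0x4
-A CLASSIFY_IN -m ttl --ttl-lt 64 -j MARK --set-xmark 0x8/0x8
# Single write of the finished nibble into the connection mark.
-A CLASSIFY_IN -j CONNMARK --save-mark --nfmask ${MARK_MASK} --ctmask ${MARK_MASK}
# Replies from the local server: copy the connection mark back onto the packet
# and act on it. Each packet sees one complete value, never a partial one.
-A OUTPUT -p tcp -m connmark ! --mark 0x0/${MARK_MASK} -j CONNMARK --restore-mark --nfmask ${MARK_MASK} --ctmask ${MARK_MASK}
-A OUTPUT -m mark --mark 0x2/0x2 -j DSCP --set-dscp 0x2e
-A OUTPUT -m mark --mark 0x1/0x1 -j DSCP --set-dscp 0x0a
-A OUTPUT -m mark --mark 0x8/0x8 -j DSCP --set-dscp 0x00
COMMIT
EOF
}

# Number of rules that write the connection mark: should be exactly one.
count_connmark_writes() {
    gen_rules | grep -c -- '-j CONNMARK --save-mark' || true
}

apply_rules() {
    gen_rules | "$IPT_RESTORE" --noflush
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        apply_rules
    else
        gen_rules
    fi
}

main "$@"
```

The point of the layout is that MARK --set-xmark on the packet mark can be split across as many rules and subchains as you like without any visibility problem, because nothing else holds a reference to that skb's mark. The one CONNMARK --save-mark is the only place the shared conntrack entry is written. If a design needs the connmark to change in the middle of a connection, the same pattern still helps: rebuild the full nibble on the packet mark and store it with one --save-mark, so a concurrent OUTPUT reader sees either the old or the new complete value rather than an intermediate bit pattern (this assumes the save is a single store of the mark word, which is how I would expect the kernel to behave but have not verified for every architecture).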