Hi,

Is there a safety concern behind not allowing socket to register in the OUTPUT and POSTROUTING hooks? I have modified the socket match module to allow OUTPUT and POSTROUTING rules, but I wonder if there is a reason for explicitly registering these hooks.

net/netfilter/xt_socket.c

    static struct xt_match socket_mt_reg[] __read_mostly = {
            ...
            ...
            .name  = "socket",
            ...
            ...
            .hooks = (1 << NF_INET_PRE_ROUTING) |
                     (1 << NF_INET_LOCAL_IN),
            /* ---> add OUTPUT or POSTROUTING, or remove .hooks */
    },

My goal is to read the SO_MARK on tx.

Example:

    iptables -t mangle -I OUTPUT -m socket --restore-mark -j SET_DSCP
    iptables -t mangle -I SET_DSCP -m mark --mark 5 -j DSCP --set-dscp 5

Instead of going through all the work of restoring the mark, I added a match option to socket.

Example:

    iptables -t mangle -I OUTPUT -m socket --match-skmark 5 -j DSCP --set-dscp 5

If there isn't a reason for not using socket on tx, does the team have interest in me submitting a patch for --match-skmark?