On Fri, Oct 14, 2016 at 06:47:20PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 14, 2016 at 05:38:12PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> > > > Hi Pablo,
> > > >
> > > > 2016-10-13 20:02 GMT+08:00 Pablo
On Fri, Oct 14, 2016 at 05:38:12PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> > > Hi Pablo,
> > >
> > > 2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> > > > +int nf_queue(struct sk_buff *skb, const struct nf_hook_
Pablo Neira Ayuso wrote:
> On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> > Hi Pablo,
> >
> > 2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> > > +int nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
> > > +unsigned int queuenum, bool bypass)
> > > +{
On Fri, Oct 14, 2016 at 11:53:30AM +0200, Pablo Neira Ayuso wrote:
[...]
> BTW, looking at ipt_mangle_out():
>
> ret = ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
> /* Reroute for ANY change. */
> if (ret != NF_DROP && ret != NF_STOLEN) {
> i
On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> Hi Pablo,
>
> 2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> > +int nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
> > +unsigned int queuenum, bool bypass)
> > +{
> > + int ret;
> > +
> > + r
Hi Pablo,
2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> +int nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
> +unsigned int queuenum, bool bypass)
> +{
> + int ret;
> +
> + ret = __nf_queue(skb, state, queuenum);
> + if (ret < 0) {
> +
On Thu, Oct 13, 2016 at 02:38:21PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
[...]
> > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> > index de4fa03f46f3..7040842c34f4 100644
> > --- a/net/ipv4/netfilter/ip_tables.c
> > +++ b/net/ipv4/netfilter/ip_t
Pablo Neira Ayuso wrote:
> > Any reason why this is needed?
> > AFAICS xt_NFQUEUE will never return NF_QUEUE after this patch.
>
> -j QUEUE uses the standard target to return NF_QUEUE. This is a very
> primitive way to queue packets to userspace queue 0 via nf_queue, but
> still may break. I can pl
Pablo Neira Ayuso wrote:
> Export a new nf_queue() function that translates the NF_QUEUE verdict
> depending on the scenario:
>
> 1) Drop packet if queue is full.
> 2) Accept packet if bypass is enabled.
> 3) Return stolen if packet is enqueued.
>
> We can call this function from xt_NFQUEUE and
Export a new nf_queue() function that translates the NF_QUEUE verdict
depending on the scenario:
1) Drop packet if queue is full.
2) Accept packet if bypass is enabled.
3) Return stolen if packet is enqueued.
We can call this function from xt_NFQUEUE and nft_queue. Thus, we
move packet queuing to