Follow packets in rules

Patrick McHardy kaber at trash.net
Fri Jun 22 16:20:00 CEST 2007


Jozsef Kadlecsik wrote:
> Attached you can find the reworked TRACE target, which does not suffer
> from backward incompatibility. Unfortunately I had to steal one unused
> bit from skbuff to be able to mark the packets so that it surely does
> not clash with any rules using the standard "MARK" target. Logging
> level, flags and type are hardcoded. What do you think?

Could you send me a Signed-off-by: line so I can queue this for 2.6.23?

> +static inline void trace_packet(struct sk_buff *skb,
> +				unsigned int hook,
> +				const struct net_device *in,
> +				const struct net_device *out,
> +				char *tablename,
> +				struct xt_table_info *private,
> +				struct ipt_entry *e)
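Review bot: `char *tablename` should be `const char *tablename`; a tracing helper only reads the name it is handed (the call site passes `table->name`), and a const-qualified parameter documents that and keeps the signature clean if a const name is ever passed in.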


I'm going to remove the inline here ..

>  /* Returns one of the generic firewall policies, like NF_ACCEPT. */
>  unsigned int
>  ipt_do_table(struct sk_buff **pskb,
> @@ -267,6 +371,12 @@
>  
>  			t = ipt_get_target(e);
>  			IP_NF_ASSERT(t->u.kernel.target);
> +			
> +			/* The packet is traced: log it */
> +			if ((*pskb)->nf_trace)
> +				trace_packet(*pskb, hook, in, out,
> +					     table->name, private, e);
> +
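Review bot: the blank line added right after `IP_NF_ASSERT(t->u.kernel.target);` is not empty, it carries trailing tabs; strip the whitespace so the patch applies cleanly and does not get flagged as a whitespace error. The comment above the new check could also say where `nf_trace` comes from (the bit set by the TRACE target), so a reader of ipt_do_table does not have to go looking for who sets it.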

and mark this unlikely so we don't bloat the main loop of ipt_do_table.
