Török Edwin wrote:
> Patrick, what is the status of solving the skfilter issues? Can I help with
> testing patches, etc.?

Not yet. If nothing gets in between I plan to get the patches ready next week.

> On Monday 20 February 2006 18:42, Patrick McHardy wrote:
>
>>Confirmation of conntrack entries. They shouldn't be confirmed before
>>packets have passed the socket hooks. This is the tricky part because
>>we don't know if packets will be delivered to a raw socket or not
>>when calling the regular LOCAL_IN hook.
>>The only way to solve this
>>seems to be to use the socket hooks for all incoming packets, that
>>way we can defer confirmation unconditionally.
>
> Are there any problems with using socket hooks for all packets?

Not really, just that some protocols don't use sockets, so it's a bit
pointless for them. OTOH it should make rule management easier if
everything can be done in the same table.

>>The nicest way would
>>be to just move the regular LOCAL_IN hook to the socket hooks, but
>>this doesn't work with SNAT in LOCAL_IN because the socket lookup
>>needs the already NATed address.
>
> Move just the non SNAT part of LOCAL_IN to socket hooks? (does this make
> sense?)

That would be my preferred way, but it changes user-visible behaviour.
Currently filtering is done before SNAT, this change would reverse that.