From: Serhey Popovych
Date: Fri, 29 Nov 2019 09:21:33 +0000 (+0200)
Subject: netfilter: xt_set: Do not restrict --map-set to the mangle table
X-Git-Tag: v7.5~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55b1b5093c6bb1c0330699cdfdd1f6a8254eead7;p=thirdparty%2Fipset.git

netfilter: xt_set: Do not restrict --map-set to the mangle table

While the mangle table is the primary place for packet modification, setting mark, traffic class priority or hardware NIC queue can be done in any table, with the exception that, similar to using mark in policy-based routing setups (configured with ip-rule(8)), it should be done before routing happens (i.e. in the PREROUTING chain, which is usable in the mangle or raw tables only).

There is no such restriction in the MARK target used to set packet mark and the CLASSIFY target used to set traffic class priority. Both are free to use in any table. There is no known target that can modify the hardware queue for a packet.

This helps in keeping filtering and packet modification rules together in the filter table.

Tested with a rule in the filter table with the SET target using --map-prio and HTB for scheduling packets at egress.

Signed-off-by: Serhey Popovych
Signed-off-by: Jozsef Kadlecsik
---
diff --git a/kernel/net/netfilter/xt_set.c b/kernel/net/netfilter/xt_set.c index 07ebf551..c2735c4d 100644 --- a/kernel/net/netfilter/xt_set.c +++ b/kernel/net/netfilter/xt_set.c @@ -499,11 +499,6 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par) } if (info->map_set.index != IPSET_INVALID_ID) { - if (strncmp(par->table, "mangle", 7)) { - pr_warn("--map-set only usable from mangle table\n"); - ret = -EINVAL; - goto cleanup_del; - } if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) | (info->flags & IPSET_FLAG_MAP_SKBQUEUE)) && (par->hook_mask & ~(1 << NF_INET_FORWARD |
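Review bot: Dropping the `strncmp(par->table, "mangle", 7)` block in set_target_v3_checkentry() removes the only checkentry-time rejection for --map-set in the wrong table, so the hook_mask check that follows it (`IPSET_FLAG_MAP_SKBPRIO | IPSET_FLAG_MAP_SKBQUEUE` against `par->hook_mask`) becomes the sole guard for where --map-prio and --map-queue may be attached; the hunk is cut off before that condition's error path, so please confirm it still sets `ret = -EINVAL` and jumps to `cleanup_del` the same way the removed block did, otherwise a rule in the now-permitted tables could be accepted at a hook the mapping cannot act on. The commit message also describes the PREROUTING-before-routing caveat for mark mapping, but nothing in the patch records the lifted restriction; a one-line update to the ipset man page text for --map-set (stating that it is no longer limited to the mangle table and that mark-based routing decisions still require a pre-routing hook) would keep users from relying on the old `pr_warn("--map-set only usable from mangle table\n")` diagnostic that this hunk deletes.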