From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
To: kadlec@blackhole.kfki.hu
Cc: yasuyuki.kozakai@toshiba.co.jp, kaber@trash.net,
netfilter-devel@lists.netfilter.org, laforge@netfilter.org,
kisza@securityaudit.hu, usagi-core@linux-ipv6.org
Subject: Re: [PATCH]: 1st step to remove skb_linearize() in ip6_tables.c and optimization
Date: Sat, 26 Jun 2004 16:25:13 +0900 (JST) [thread overview]
Message-ID: <200406260725.QAA11173@toshiba.co.jp> (raw)
In-Reply-To: <Pine.LNX.4.33.0406251133230.11001-100000@blackhole.kfki.hu>
Hi,
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Fri, 25 Jun 2004 12:01:37 +0200 (CEST)
> > > >Sorry, I misstook. But why nf_hook_slow() ? I think users expect that
> > > >skb is not linearized if ip_tables.ko is not loaded.
> > > >Then how about ipt_do_table() or hooks in iptable_filter.c ?
> > > >
> > > It would be nice if the skb_copy_bits calls in conntrack and nat copying
> > > only the transport protocol headers could be removed as well. We could
> > > register for the PREROUTING hook with highest priority and linearize the
> > > headers when a global flag is set. ip_conntrack and ip_tables would both
> > > set this flag.
> >
> > flag is good idea. But in the case of IPv6, the fact remains that
> > skipping IPv6 ext headers are needed to find transport protocol.
>
> - conntrack requires linearized protocol headers
> - with the TCP window tracking code it means the complete
> TCP header, including the options due to the SACK support
> - nat requires writable protocol headers, including the TCP options
> due to the SACK support
> - raw/filter tables require linearized protocol headers in general (we can
> safely assume port matching rules :-)
> - mark table requires writable protocol headers if we mangle the packet
> headers
That's right at this point.
> So I think when any component of netfilter is enabled, we can assume that
> at least linearized protocol headers are required. Therefore I suggested
> to add such a function to nf_hook_slow.
As you said, I think nf_hook_slow is best point for IPv4 modules.
And I found that the issue of IPv6 can be solved by adding flag to the
argument nf_hook_register(). This flag tell whether request to linearize
or not.
And I have a (maybe) last issue. Are we allowed to add protocol dependent
codes to nf_hook_slow() ?
> We cannot add (back) a general skb_linearize: that was a constant complain
> against netfilter from performance reason and was therefore removed.
I think so, too.
> In order to spare skipping again and again the extension headers in IPv6,
> wouldn't it make sense to add a new argument to the hook functions which
> argument would point then to the protocol header?
If so, the transport protocol number is needed, too. You can find the
transport protocol number at Next Header field in previous header.
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
Best regards,
-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>
next prev parent reply other threads:[~2004-06-26 7:25 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-06-24 4:04 [PATCH]: 1st step to remove skb_linearize() in ip6_tables.c and optimization Yasuyuki Kozakai
2004-06-24 8:13 ` Andras Kis-Szabo
2004-06-24 10:12 ` Yasuyuki Kozakai
2004-06-24 10:24 ` Jozsef Kadlecsik
2004-06-24 10:35 ` Yasuyuki Kozakai
2004-06-24 11:26 ` Patrick McHardy
2004-06-24 11:50 ` Jozsef Kadlecsik
2004-06-24 13:04 ` Yasuyuki Kozakai
2004-06-24 13:25 ` Jozsef Kadlecsik
2004-06-24 13:48 ` (usagi-core 18584) " YOSHIFUJI Hideaki / 吉藤英明
2004-06-24 15:06 ` Yasuyuki Kozakai
2004-06-24 16:50 ` Patrick McHardy
2004-06-25 4:57 ` Yasuyuki Kozakai
2004-06-25 10:01 ` Jozsef Kadlecsik
2004-06-26 7:25 ` Yasuyuki Kozakai [this message]
2004-07-21 21:36 ` Harald Welte
2004-07-29 6:09 ` Yasuyuki Kozakai
2004-08-01 16:46 ` Harald Welte
2004-08-01 17:08 ` Patrick McHardy
2004-08-01 18:11 ` Harald Welte
2004-08-02 4:05 ` Yasuyuki Kozakai
2004-08-07 21:05 ` Yasuyuki Kozakai
2004-08-09 1:40 ` Yasuyuki Kozakai
2004-06-25 9:53 ` Harald Welte
2004-06-28 20:31 ` Patrick McHardy
2004-07-06 10:20 ` Patrick McHardy
2004-07-06 10:35 ` Harald Welte
2004-07-06 22:59 ` Pablo Neira
2004-07-06 23:33 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200406260725.QAA11173@toshiba.co.jp \
--to=yasuyuki.kozakai@toshiba.co.jp \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kisza@securityaudit.hu \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=usagi-core@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.