From: KOVACS Krisztian <hidden@sch.bme.hu>
To: David Miller <davem@davemloft.net>
Cc: Patrick McHardy <kaber@trash.net>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [net-next PATCH 07/16] Make Netfilter's ip_route_me_harder() non-local address compatible
Date: Wed, 01 Oct 2008 16:24:31 +0200 [thread overview]
Message-ID: <20081001142431.4893.46493.stgit@este> (raw)
In-Reply-To: <20081001142431.4893.48078.stgit@este>
Netfilter's ip_route_me_harder() tries to re-route packets either generated or
re-routed by Netfilter. This patch changes ip_route_me_harder() to handle
packets from non-locally-bound sockets with IP_TRANSPARENT set as local and to
set the appropriate flowi flags when re-doing the routing lookup.
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
---
include/net/ip.h | 9 +++++++++
net/ipv4/inet_connection_sock.c | 1 +
net/ipv4/ip_output.c | 4 +++-
net/ipv4/netfilter.c | 3 +++
net/ipv4/syncookies.c | 2 ++
5 files changed, 18 insertions(+), 1 deletions(-)
diff --git a/include/net/ip.h b/include/net/ip.h
index 250e6ef..d678ea3 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -29,6 +29,7 @@
#include <net/inet_sock.h>
#include <net/snmp.h>
+#include <net/flow.h>
struct sock;
@@ -140,12 +141,20 @@ static inline void ip_tr_mc_map(__be32 addr, char *buf)
struct ip_reply_arg {
struct kvec iov[1];
+ int flags;
__wsum csum;
int csumoffset; /* u16 offset of csum in iov[0].iov_base */
/* -1 if not needed */
int bound_dev_if;
};
+#define IP_REPLY_ARG_NOSRCCHECK 1
+
+static inline __u8 ip_reply_arg_flowi_flags(const struct ip_reply_arg *arg)
+{
+ return (arg->flags & IP_REPLY_ARG_NOSRCCHECK) ? FLOWI_FLAG_ANYSRC : 0;
+}
+
void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *arg,
unsigned int len);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 0c1ae68..432c570 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -335,6 +335,7 @@ struct dst_entry* inet_csk_route_req(struct sock *sk,
.saddr = ireq->loc_addr,
.tos = RT_CONN_FLAGS(sk) } },
.proto = sk->sk_protocol,
+ .flags = inet_sk_flowi_flags(sk),
.uli_u = { .ports =
{ .sport = inet_sk(sk)->sport,
.dport = ireq->rmt_port } } };
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index d533a89..d2a8f8b 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -340,6 +340,7 @@ int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
.saddr = inet->saddr,
.tos = RT_CONN_FLAGS(sk) } },
.proto = sk->sk_protocol,
+ .flags = inet_sk_flowi_flags(sk),
.uli_u = { .ports =
{ .sport = inet->sport,
.dport = inet->dport } } };
@@ -1371,7 +1372,8 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar
.uli_u = { .ports =
{ .sport = tcp_hdr(skb)->dest,
.dport = tcp_hdr(skb)->source } },
- .proto = sk->sk_protocol };
+ .proto = sk->sk_protocol,
+ .flags = ip_reply_arg_flowi_flags(arg) };
security_skb_classify_flow(skb, &fl);
if (ip_route_output_key(sock_net(sk), &rt, &fl))
return;
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index f8edacd..01671ad 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -20,6 +20,8 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
unsigned int type;
type = inet_addr_type(&init_net, iph->saddr);
+ if (skb->sk && inet_sk(skb->sk)->transparent)
+ type = RTN_LOCAL;
if (addr_type == RTN_UNSPEC)
addr_type = type;
@@ -33,6 +35,7 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
fl.mark = skb->mark;
+ fl.flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
if (ip_route_output_key(&init_net, &rt, &fl) != 0)
return -1;
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 9d38005..929302b 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -16,6 +16,7 @@
#include <linux/cryptohash.h>
#include <linux/kernel.h>
#include <net/tcp.h>
+#include <net/route.h>
/* Timestamps: lowest 9 bits store TCP options */
#define TSBITS 9
@@ -337,6 +338,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
.saddr = ireq->loc_addr,
.tos = RT_CONN_FLAGS(sk) } },
.proto = IPPROTO_TCP,
+ .flags = inet_sk_flowi_flags(sk),
.uli_u = { .ports =
{ .sport = th->dest,
.dport = th->source } } };
next prev parent reply other threads:[~2008-10-01 15:25 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-01 14:24 [net-next PATCH 00/16] Transparent proxying patches, take six KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 11/16] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 14/16] iptables socket match KOVACS Krisztian
2008-10-02 9:26 ` Patrick McHardy
2008-10-02 10:26 ` KOVACS Krisztian
2008-10-02 10:35 ` Patrick McHardy
2008-10-03 14:04 ` Jan Engelhardt
2008-10-01 14:24 ` [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2008-10-01 14:50 ` David Miller
2008-10-01 15:38 ` KOVACS Krisztian
2008-10-01 15:51 ` David Miller
2008-10-02 15:43 ` KOVACS Krisztian
2008-10-02 17:09 ` Arnaldo Carvalho de Melo
2008-10-02 19:58 ` David Miller
2008-10-03 8:57 ` KOVACS Krisztian
2008-10-03 13:47 ` Arnaldo Carvalho de Melo
2008-10-07 7:36 ` KOVACS Krisztian
2008-10-07 12:36 ` Arnaldo Carvalho de Melo
2008-10-07 18:42 ` David Miller
2008-10-07 7:42 ` [net-next PATCH] Add udplib_lookup_skb() helpers (was: [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb) KOVACS Krisztian
2008-10-07 12:34 ` Arnaldo Carvalho de Melo
2008-10-07 19:39 ` [net-next PATCH] Add udplib_lookup_skb() helpers David Miller
2008-10-07 7:59 ` [net-next PATCH] Don't lookup the socket if there's a socket attached to the skb (was: Re: [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb) KOVACS Krisztian
2008-10-07 12:36 ` Arnaldo Carvalho de Melo
2008-10-07 19:41 ` [net-next PATCH] Don't lookup the socket if there's a socket attached to the skb David Miller
2008-10-01 14:24 ` [net-next PATCH 12/16] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2008-10-02 9:18 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 02/16] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2008-10-01 14:30 ` David Miller
2008-10-01 14:24 ` KOVACS Krisztian [this message]
2008-10-01 14:45 ` [net-next PATCH 07/16] Make Netfilter's ip_route_me_harder() non-local address compatible David Miller
2008-10-01 14:24 ` [net-next PATCH 03/16] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2008-10-01 14:31 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 15/16] iptables TPROXY target KOVACS Krisztian
2008-10-02 9:28 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 16/16] Add documentation KOVACS Krisztian
2008-10-01 16:22 ` Randy Dunlap
2008-10-02 9:37 ` [RESEND net-next " KOVACS Krisztian
2008-10-02 9:38 ` Patrick McHardy
2008-10-03 14:01 ` [net-next " Jan Engelhardt
2008-10-07 7:01 ` KOVACS Krisztian
2008-10-07 13:25 ` [patch] Update tproxy documentation Jan Engelhardt
2008-10-07 19:50 ` [net-next PATCH 16/16] Add documentation David Miller
2008-10-07 20:02 ` KOVACS Krisztian
2008-10-07 20:47 ` Patrick McHardy
2008-10-07 20:53 ` David Miller
2008-10-08 0:32 ` Philip Craig
2008-10-01 14:24 ` [net-next PATCH 04/16] Make inet_sock.h independent of route.h KOVACS Krisztian
2008-10-01 14:34 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 13/16] iptables tproxy core KOVACS Krisztian
2008-10-02 9:19 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 05/16] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2008-10-01 14:36 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 01/16] Loosen source address check on IPv4 output KOVACS Krisztian
2008-10-01 14:28 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 08/16] Port redirection support for TCP KOVACS Krisztian
2008-10-01 14:47 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 09/16] Export UDP socket lookup function KOVACS Krisztian
2008-10-01 14:48 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 06/16] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2008-10-01 14:42 ` David Miller
2008-10-01 14:46 ` KOVACS Krisztian
2008-10-02 13:20 ` [net-next PATCH 00/16] Transparent proxying patches, take six Amos Jeffries
2008-10-02 15:38 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081001142431.4893.46493.stgit@este \
--to=hidden@sch.bme.hu \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.