From: Patrick McHardy <kaber@trash.net>
To: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Cc: netfilter-devel@lists.netfilter.org, usagi-core@linux-ipv6.org
Subject: Re: [PATCH]: prearation of removing skb_linearize()
Date: Tue, 21 Sep 2004 13:37:51 +0200
Message-ID: <4150128F.4020400@trash.net>
In-Reply-To: <200409160318.i8G3IAOw010298@toshiba.co.jp>

Hi Yasuyuki,

Yasuyuki Kozakai wrote:
>Hi,
>
>I updated the patch which prepares to remove skb_linearize() from ip6_tables.c
>
>This patch uses skb_header_pointer() so that packets can be parsed even though
>skb_linearize() doesn't exist. But this patch doesn't remove skb_linearize()
>yet. We can remove it after changing all match/target modules.
>
>Moreover ...
> - I deleted the optimization not to parse IPv6 extension header
>   many times from previous patch. I'll send the patch to do this
>   separately.
> - fixed the bug that the "offset" argument of match functions is always 0.
> - deleted "hdr" and "datalen" arguments and added "protoff" argument
>   to match functions. "protoff" means the offset to Layer 4 protocol
>   header.
> - the argument order of target function is changed like IPv4 modules.
>   This prevents users from meeting kernel panic when they use old
>   match modules.
> - changed {tcp,udp,icmp6}_match(). These functions became very similar
>   to code in ip_tables.c again.
>
>I tested this patch with some configurations (attached file: "tests.txt").
>In these tests, I also used quick hack to fragment skb at the end of IPv6
>header before filtering to confirm that I didn't forget to use
>skb_header_pointer() somewhere.
>
>Double checks and more tests are welcome.
>
>
Looks good, I'm going to review your patch more in-depth tonight.
One thing I noticed while looking over it:
>@@ -1535,26 +1546,31 @@
>
> static int
> tcp_find_option(u_int8_t option,
>- const struct tcphdr *tcp,
>- u_int16_t datalen,
>+ const struct sk_buff *skb,
>+ unsigned int tcpoff,
>+ unsigned int optlen,
> int invert,
> int *hotdrop)
> {
>- unsigned int i = sizeof(struct tcphdr);
>- const u_int8_t *opt = (u_int8_t *)tcp;
>+ /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
>+ char _opt[60 - sizeof(struct tcphdr)], *op;
>
>
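Review bot: The new declaration "char _opt[60 - sizeof(struct tcphdr)], *op;" makes the option bytes plain char, where the removed line walked them through "const u_int8_t *opt". Where char is signed, an option kind or length byte of 0x80 or above is read as a negative value, so a comparison against the u_int8_t "option" argument fails and any stepping by the length byte can move the index backwards. Suggest "u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;". Because "optlen" is now passed in by the caller, the part of the function not visible in this hunk should also reject an optlen larger than sizeof(_opt) before copying into the buffer.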
This should stay a u_int8_t, look at
http://netfilter.org/security/2004-06-30-2.6-tcpoption.html

Regards
Patrick
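
Added example, not part of Patrick's mail or of the patch: a user-space sketch of why the byte type matters in an option walk such as tcp_find_option(). The loop shape, the names find_option_signed/find_option_u8 and the sample bytes are assumptions made for this illustration, since the quoted hunk does not show the function body.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: NOP + kind 5 with length 0xFF; kind 0xFE with length 4. */
static const uint8_t SAMPLE_LEN[4]  = { 0x01, 0x05, 0xFF, 0x00 };
static const uint8_t SAMPLE_KIND[4] = { 0xFE, 0x04, 0x00, 0x00 };

/* Signed walk: 1 found, 0 not found, -1 if the index stops advancing. */
static int find_option_signed(uint8_t option, const signed char *op, size_t optlen)
{
    size_t i = 0, steps = 0;
    while (i < optlen) {
        if (++steps > optlen)
            return -1;              /* an unguarded loop would spin here */
        if (op[i] == option)        /* bytes >= 0x80 compare as negative */
            return 1;
        if (op[i] < 2 || i + 1 >= optlen)
            i++;                    /* EOL/NOP, or no length byte left */
        else                        /* length >= 0x80 moves i backwards */
            i += (size_t)(op[i + 1] ? op[i + 1] : 1);
    }
    return 0;
}

/* Unsigned walk; a length below 2 is treated as malformed (example's choice). */
static int find_option_u8(uint8_t option, const uint8_t *op, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        if (op[i] == option)
            return 1;
        if (op[i] < 2) {
            i++;
            continue;
        }
        if (i + 1 >= optlen || op[i + 1] < 2)
            return 0;
        i += op[i + 1];
    }
    return 0;
}

int main(void)
{
    printf("signed: %d, u8: %d\n",
           find_option_signed(8, (const signed char *)SAMPLE_LEN, 4),
           find_option_u8(8, SAMPLE_LEN, 4));
    return 0;
}
```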