[patch 0/3] Add addr_type to ip_route_me_harder()

[patch 0/3] Add addr_type to ip_route_me_harder()

[Horms]

Hi,

this is the latest incarntation of patches to

1. Allow the address type to be passed to ip_route_me_harder(),
   which allows it to be called from locations where this is know,
   but calling ip_route_me_harder() was previously too expensive.

2. Make use of ip_route_me_harder() to honour source routing in IPVS

3. Remove ipt_REJECT's reverse_route(), which is largely a duplication
   of ip_route_me_harder().

IMHO, the first 2 patches are in reasonable shape, but 3rd needs review.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

[patch 1/3] add type parameter to ip_route_me_harder

[Horms]

[-- Attachment #1: ip_route_me_harder-type.patch --]
[-- Type: text/plain, Size: 3191 bytes --]

By adding a type parameter to ip_route_me_harder() the
expensive call to inet_addr_type() can be avoided in some cases.
A followup patch where ip_route_me_harder() is called from within
ip_vs_out() is one such example.

Signed-Off-By: Simon Horman <horms@verge.net.au>

--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -77,7 +77,7 @@ enum nf_ip_hook_priorities {
 #define SO_ORIGINAL_DST 80
 
 #ifdef __KERNEL__
-extern int ip_route_me_harder(struct sk_buff **pskb);
+extern int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type);
 extern int ip_xfrm_me_harder(struct sk_buff **pskb);
 extern unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
 				   unsigned int dataoff, u_int8_t protocol);
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index f88347d..1d8ae67 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -7,8 +7,14 @@ #include <net/route.h>
 #include <net/xfrm.h>
 #include <net/ip.h>
 
+/*
+ * addr_type: 0 - determine automatically
+ *            1 - local
+ *            2 - non-local
+ */
+
 /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
-int ip_route_me_harder(struct sk_buff **pskb)
+int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)
 {
 	struct iphdr *iph = (*pskb)->nh.iph;
 	struct rtable *rt;
@@ -16,10 +22,15 @@ int ip_route_me_harder(struct sk_buff **
 	struct dst_entry *odst;
 	unsigned int hh_len;
 
+	if (addr_type > 2)
+		return -1;
+
 	/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
 	 * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
 	 */
-	if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
+	if (addr_type == 0)
+		addr_type = inet_addr_type(iph->saddr) == RTN_LOCAL ? 1 : 2;
+	if (addr_type == 1) {
 		fl.nl_u.ip4_u.daddr = iph->daddr;
 		fl.nl_u.ip4_u.saddr = iph->saddr;
 		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
@@ -156,7 +167,7 @@ static int nf_ip_reroute(struct sk_buff 
 		if (!(iph->tos == rt_info->tos
 		      && iph->daddr == rt_info->daddr
 		      && iph->saddr == rt_info->saddr))
-			return ip_route_me_harder(pskb);
+			return ip_route_me_harder(pskb, 0);
 	}
 	return 0;
 }
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index f3b7783..d2e9578 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -269,7 +269,7 @@ #ifdef CONFIG_XFRM
 		       ct->tuplehash[!dir].tuple.src.u.all
 #endif
 		    )
-			return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+			return ip_route_me_harder(pskb, 0) == 0 ? ret : NF_DROP;
 	}
 	return ret;
 }
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 79336cb..24ce30c 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -157,7 +157,7 @@ #ifdef CONFIG_IP_ROUTE_FWMARK
 		|| (*pskb)->nfmark != nfmark
 #endif
 		|| (*pskb)->nh.iph->tos != tos))
-		return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+		return ip_route_me_harder(pskb, 0) == 0 ? ret : NF_DROP;
 
 	return ret;
 }

--

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

Re: [patch 1/3] add type parameter to ip_route_me_harder

[Patrick McHardy]

Horms wrote:
> +/*
> + * addr_type: 0 - determine automatically
> + *            1 - local
> + *            2 - non-local
> + */
> +
>  /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
> -int ip_route_me_harder(struct sk_buff **pskb)
> +int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)

I liked the RTN_ types better .. is there a reason for not using
them? Otherwise I'll just change it before applying.

Re: [patch 1/3] add type parameter to ip_route_me_harder

[Horms]

On Wed, Sep 20, 2006 at 12:30:58PM +0200, Patrick McHardy wrote:
> Horms wrote:
> > +/*
> > + * addr_type: 0 - determine automatically
> > + *            1 - local
> > + *            2 - non-local
> > + */
> > +
> >  /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
> > -int ip_route_me_harder(struct sk_buff **pskb)
> > +int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)
> 
> I liked the RTN_ types better .. is there a reason for not using
> them? Otherwise I'll just change it before applying.

Mainly because it seemed difficult to shoe-horn into the
reworking of ipt_REJECT's reverse_route(). In particular,
what value should be passed for non-local? auto and local 
are of course easy.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

Re: [patch 1/3] add type parameter to ip_route_me_harder

[Patrick McHardy]

Horms wrote:
> On Wed, Sep 20, 2006 at 12:30:58PM +0200, Patrick McHardy wrote:
> 
>>I liked the RTN_ types better .. is there a reason for not using
>>them? Otherwise I'll just change it before applying.
> 
> 
> Mainly because it seemed difficult to shoe-horn into the
> reworking of ipt_REJECT's reverse_route(). In particular,
> what value should be passed for non-local? auto and local 
> are of course easy.

Just explicitly using ip_route_output on the LOCAL_IN/LOCAL_OUT
hooks (and for the bridging case) should be fine for ipt_REJECT.
A local source address can not occur in FORWARD, so ip_route_input
will be chosen through inet_addr_type. So how about:

RTN_LOCAL: route as locally originating packet
RTN_UNSPEC: use inet_addr_type to find out

I think thats also what you did in your first patch.

Re: [patch 1/3] add type parameter to ip_route_me_harder

[Horms]

On Wed, Sep 20, 2006 at 05:45:23PM +0200, Patrick McHardy wrote:
> Horms wrote:
> > On Wed, Sep 20, 2006 at 12:30:58PM +0200, Patrick McHardy wrote:
> > 
> >>I liked the RTN_ types better .. is there a reason for not using
> >>them? Otherwise I'll just change it before applying.
> > 
> > 
> > Mainly because it seemed difficult to shoe-horn into the
> > reworking of ipt_REJECT's reverse_route(). In particular,
> > what value should be passed for non-local? auto and local 
> > are of course easy.
> 
> Just explicitly using ip_route_output on the LOCAL_IN/LOCAL_OUT
> hooks (and for the bridging case) should be fine for ipt_REJECT.
> A local source address can not occur in FORWARD, so ip_route_input
> will be chosen through inet_addr_type. So how about:
> 
> RTN_LOCAL: route as locally originating packet
> RTN_UNSPEC: use inet_addr_type to find out
> 
> I think thats also what you did in your first patch.

No problem, I'll resend with the original RTN_LOCAL/RTN_UNSPEC approach.

The main thing that I was trying to avoid was having ipt_REJECT cause a
call to inet_addr_type() in the FORWARD case, though I'm not sure if
performance is a concern or not. If it is, we could always pass some
value other than RTN_LOCAL or RTN_UNSPEC, for instance RTN_UNSPEC, as
its just used as a key to the if statement in ip_route_me_harder(). I
was shying away from that approach as it somewhat overloads the meaning
of RTN_*.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

[patch 0/3] Add addr_type to ip_route_me_harder()

[Horms]

Hi,

this is the latest incarntation of patches to

1. Allow the address type to be passed to ip_route_me_harder(),
   which allows it to be called from locations where this is know,
   but calling ip_route_me_harder() was previously too expensive.

2. Make use of ip_route_me_harder() to honour source routing in IPVS

3. Remove ipt_REJECT's reverse_route(), which is largely a
   duplication of ip_route_me_harder().

IMHO, the first 2 patches are in reasonable shape, but 3rd needs review.

As requested by Patrick McHardy, these patches use the original approach of
using RTN_LOCAL/RTN_UNSPEC as the new argiment to ip_route_me_harder.

This patchest replaces a similar one sent on Tue, 19 Sep 2006 11:45:07 +0900.
Lead Message-Id: <20060919024507.458115000@tabatha.lab.ultramonkey.org>

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

[patch 1/3] add type parameter to ip_route_me_harder

[Horms]

[-- Attachment #1: ip_route_me_harder-type.patch --]
[-- Type: text/plain, Size: 3397 bytes --]

By adding a type parameter to ip_route_me_harder() the
expensive call to inet_addr_type() can be avoided in some cases.
A followup patch where ip_route_me_harder() is called from within
ip_vs_out() is one such example.

Signed-Off-By: Simon Horman <horms@verge.net.au>

Index: net-2.6.19/include/linux/netfilter_ipv4.h
===================================================================
--- net-2.6.19.orig/include/linux/netfilter_ipv4.h	2006-09-21 17:56:47.000000000 +0900
+++ net-2.6.19/include/linux/netfilter_ipv4.h	2006-09-21 17:56:58.000000000 +0900
@@ -77,7 +77,7 @@
 #define SO_ORIGINAL_DST 80
 
 #ifdef __KERNEL__
-extern int ip_route_me_harder(struct sk_buff **pskb);
+extern int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type);
 extern int ip_xfrm_me_harder(struct sk_buff **pskb);
 extern unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
 				   unsigned int dataoff, u_int8_t protocol);
Index: net-2.6.19/net/ipv4/netfilter.c
===================================================================
--- net-2.6.19.orig/net/ipv4/netfilter.c	2006-09-21 17:56:47.000000000 +0900
+++ net-2.6.19/net/ipv4/netfilter.c	2006-09-21 18:00:26.000000000 +0900
@@ -8,7 +8,7 @@
 #include <net/ip.h>
 
 /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
-int ip_route_me_harder(struct sk_buff **pskb)
+int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)
 {
 	struct iphdr *iph = (*pskb)->nh.iph;
 	struct rtable *rt;
@@ -16,10 +16,13 @@
 	struct dst_entry *odst;
 	unsigned int hh_len;
 
+	if (addr_type == RTN_UNSPEC)
+		addr_type = inet_addr_type(iph->saddr);
+
 	/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
 	 * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
 	 */
-	if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
+	if (addr_type == RTN_LOCAL) {
 		fl.nl_u.ip4_u.daddr = iph->daddr;
 		fl.nl_u.ip4_u.saddr = iph->saddr;
 		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
@@ -156,7 +159,7 @@
 		if (!(iph->tos == rt_info->tos
 		      && iph->daddr == rt_info->daddr
 		      && iph->saddr == rt_info->saddr))
-			return ip_route_me_harder(pskb);
+			return ip_route_me_harder(pskb, RTN_UNSPEC);
 	}
 	return 0;
 }
Index: net-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c
===================================================================
--- net-2.6.19.orig/net/ipv4/netfilter/ip_nat_standalone.c	2006-09-21 17:56:47.000000000 +0900
+++ net-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c	2006-09-21 18:00:45.000000000 +0900
@@ -269,7 +269,8 @@
 		       ct->tuplehash[!dir].tuple.src.u.all
 #endif
 		    )
-			return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+			return ip_route_me_harder(pskb, RTN_UNSPEC) == 0 ?
+				ret : NF_DROP;
 	}
 	return ret;
 }
Index: net-2.6.19/net/ipv4/netfilter/iptable_mangle.c
===================================================================
--- net-2.6.19.orig/net/ipv4/netfilter/iptable_mangle.c	2006-09-21 17:56:47.000000000 +0900
+++ net-2.6.19/net/ipv4/netfilter/iptable_mangle.c	2006-09-21 18:00:58.000000000 +0900
@@ -157,7 +157,8 @@
 		|| (*pskb)->nfmark != nfmark
 #endif
 		|| (*pskb)->nh.iph->tos != tos))
-		return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+		return ip_route_me_harder(pskb, RTN_UNSPEC) == 0 ?
+			ret : NF_DROP;
 
 	return ret;
 }

--

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

[patch 2/3] Honour source routing for LVS-NAT

[Horms]

[-- Attachment #1: ip_route_me_harder-ipvs.patch --]
[-- Type: text/plain, Size: 1272 bytes --]

For policy routing, packets originating from this machine itself may be
routed differently to packets passing through. We want this packet to be
routed as if it came from this machine itself. So re-compute the routing
information using ip_route_me_harder().

This patch is derived from work by Ken Brownfield

Cc: Ken Brownfield <krb@irridia.com>
Signed-Off-By: Simon Horman <horms@verge.net.au>

Index: net-2.6.19/net/ipv4/ipvs/ip_vs_core.c
===================================================================
--- net-2.6.19.orig/net/ipv4/ipvs/ip_vs_core.c	2006-09-21 17:56:30.000000000 +0900
+++ net-2.6.19/net/ipv4/ipvs/ip_vs_core.c	2006-09-21 18:27:34.000000000 +0900
@@ -813,6 +813,16 @@
 	skb->nh.iph->saddr = cp->vaddr;
 	ip_send_check(skb->nh.iph);
 
+ 	/* For policy routing, packets originating from this
+ 	 * machine itself may be routed differently to packets
+ 	 * passing through.  We want this packet to be routed as
+ 	 * if it came from this machine itself.  So re-compute
+ 	 * the routing information.
+ 	 */
+ 	if (ip_route_me_harder(pskb, RTN_LOCAL) != 0)
+ 		goto drop;
+	skb = *pskb;
+
 	IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
 
 	ip_vs_out_stats(cp, skb);

--

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

Re: [patch 2/3] Honour source routing for LVS-NAT

[Patrick McHardy]

Horms wrote:
> For policy routing, packets originating from this machine itself may be
> routed differently to packets passing through. We want this packet to be
> routed as if it came from this machine itself. So re-compute the routing
> information using ip_route_me_harder().

Thanks, I've applied the first two patches.

Re: [patch 2/3] Honour source routing for LVS-NAT

[Horms]

On Fri, Sep 29, 2006 at 03:38:28PM +0200, Patrick McHardy wrote:
> Horms wrote:
> > For policy routing, packets originating from this machine itself may be
> > routed differently to packets passing through. We want this packet to be
> > routed as if it came from this machine itself. So re-compute the routing
> > information using ip_route_me_harder().
> 
> Thanks, I've applied the first two patches.

Thanks. To which tree did you apply them?

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

[patch 3/3] Replace reverse_route() with a call to ip_route_me_harder()

[Horms]

[-- Attachment #1: ip_route_me_harder-reverse_route-merge.patch --]
[-- Type: text/plain, Size: 3887 bytes --]

Signed-Off-By: Simon Horman <horms@verge.net.au>

Index: net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- net-2.6.19.orig/net/ipv4/netfilter/ipt_REJECT.c	2006-09-19 12:50:43.000000000 +0900
+++ net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c	2006-09-21 17:55:37.000000000 +0900
@@ -38,13 +38,9 @@
 #define DEBUGP(format, args...)
 #endif
 
-static inline struct rtable *route_reverse(struct sk_buff *skb, 
-					   struct tcphdr *tcph, int hook)
+static inline int send_reset_route(struct sk_buff **pskb, int hook)
 {
-	struct iphdr *iph = skb->nh.iph;
-	struct dst_entry *odst;
-	struct flowi fl = {};
-	struct rtable *rt;
+	int addr_type;
 
 	/* We don't require ip forwarding to be enabled to be able to
 	 * send a RST reply for bridged traffic. */
@@ -52,62 +48,23 @@
 #ifdef CONFIG_BRIDGE_NETFILTER
 	    || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
 #endif
-	   ) {
-		fl.nl_u.ip4_u.daddr = iph->saddr;
-		if (hook == NF_IP_LOCAL_IN)
-			fl.nl_u.ip4_u.saddr = iph->daddr;
-		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
+	   )
+		addr_type = RTN_LOCAL;
+	else
+		addr_type = RTN_UNSPEC;
 
-		if (ip_route_output_key(&rt, &fl) != 0)
-			return NULL;
-	} else {
-		/* non-local src, find valid iif to satisfy
-		 * rp-filter when calling ip_route_input. */
-		fl.nl_u.ip4_u.daddr = iph->daddr;
-		if (ip_route_output_key(&rt, &fl) != 0)
-			return NULL;
-
-		odst = skb->dst;
-		if (ip_route_input(skb, iph->saddr, iph->daddr,
-		                   RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-			dst_release(&rt->u.dst);
-			return NULL;
-		}
-		dst_release(&rt->u.dst);
-		rt = (struct rtable *)skb->dst;
-		skb->dst = odst;
-
-		fl.nl_u.ip4_u.daddr = iph->saddr;
-		fl.nl_u.ip4_u.saddr = iph->daddr;
-		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-	}
-
-	if (rt->u.dst.error) {
-		dst_release(&rt->u.dst);
-		return NULL;
-	}
-
-	fl.proto = IPPROTO_TCP;
-	fl.fl_ip_sport = tcph->dest;
-	fl.fl_ip_dport = tcph->source;
-	security_skb_classify_flow(skb, &fl);
-
-	xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-
-	return rt;
+	return ip_route_me_harder(pskb, addr_type);
 }
 
 /* Send RST reply */
 static void send_reset(struct sk_buff *oldskb, int hook)
 {
-	struct sk_buff *nskb;
+	struct sk_buff *nskb, **pnskb;
 	struct iphdr *iph = oldskb->nh.iph;
 	struct tcphdr _otcph, *oth, *tcph;
-	struct rtable *rt;
 	u_int16_t tmp_port;
 	u_int32_t tmp_addr;
 	int needs_ack;
-	int hh_len;
 
 	/* IP header checks: fragment. */
 	if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
@@ -126,23 +83,15 @@
 	if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
 		return;
 
-	if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
-		return;
-
-	hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
-
 	/* We need a linear, writeable skb.  We also need to expand
 	   headroom in case hh_len of incoming interface < hh_len of
-	   outgoing interface */
-	nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
+	   outgoing interface. As routing happens later, using
+	   ip_route_me_harder(), LL_MAX_HEADER is used as hh_len,
+	   to ensure there will always be enough space. */
+	nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
 			       GFP_ATOMIC);
-	if (!nskb) {
-		dst_release(&rt->u.dst);
+	if (!nskb)
 		return;
-	}
-
-	dst_release(nskb->dst);
-	nskb->dst = &rt->u.dst;
 
 	/* This packet will not be the same as the other: clear nf fields */
 	nf_reset(nskb);
@@ -204,6 +153,12 @@
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
 					   nskb->nh.iph->ihl);
 
+	/* Route - this may not need to be so late */
+	pnskb = &nskb;
+	if (send_reset_route(pnskb, hook) < 0)
+		goto free_nskb;
+	nskb = *pnskb;
+
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(nskb->dst))
 		goto free_nskb;

--

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

Re: [patch 3/3] Replace reverse_route() with a call to ip_route_me_harder()

[Patrick McHardy]

Horms wrote:
> Index: net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c
> ===================================================================
> --- net-2.6.19.orig/net/ipv4/netfilter/ipt_REJECT.c	2006-09-19 12:50:43.000000000 +0900
> +++ net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c	2006-09-21 17:55:37.000000000 +0900
> @@ -38,13 +38,9 @@
>  #define DEBUGP(format, args...)
>  #endif
>  
> -static inline struct rtable *route_reverse(struct sk_buff *skb, 
> -					   struct tcphdr *tcph, int hook)
> +static inline int send_reset_route(struct sk_buff **pskb, int hook)
>  {
> ...
> -	security_skb_classify_flow(skb, &fl);


With this patch we loose the security_skb_classify_flow call.
I think it is also needed in ip_route_me_harder, if so your
patch seems fine (but I get large rejects with the current
tree, so I'm going to redo it).

Venkat, is it correct to place a security_skb_classify_flow
call in ip_route_me_harder (which also handles currently
unlabeled protocols)?

[patch 2/3] Honour source routing for LVS-NAT

[Horms]

[-- Attachment #1: ip_route_me_harder-ipvs.patch --]
[-- Type: text/plain, Size: 1098 bytes --]

For policy routing, packets originating from this machine itself may be
routed differently to packets passing through. We want this packet to be
routed as if it came from this machine itself. So re-compute the routing
information using ip_route_me_harder().

This patch is derived from work by Ken Brownfield

Cc: Ken Brownfield <krb@irridia.com>
Signed-Off-By: Simon Horman <horms@verge.net.au>

--- a/net/ipv4/ipvs/ip_vs_core.c
+++ b/net/ipv4/ipvs/ip_vs_core.c
@@ -813,6 +813,16 @@ ip_vs_out(unsigned int hooknum, struct s
 	skb->nh.iph->saddr = cp->vaddr;
 	ip_send_check(skb->nh.iph);
 
+ 	/* For policy routing, packets originating from this
+ 	 * machine itself may be routed differently to packets
+ 	 * passing through.  We want this packet to be routed as
+ 	 * if it came from this machine itself.  So re-compute
+ 	 * the routing information.
+ 	 */
+ 	if (ip_route_me_harder(pskb, 1) != 0)
+ 		goto drop;
+	skb = *pskb;
+ 
 	IP_VS_DBG_PKT(10, pp, skb, 0, "After SNAT");
 
 	ip_vs_out_stats(cp, skb);

--

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

[patch 3/3] Replace reverse_route() with a call to ip_route_me_harder()

[Horms]

[-- Attachment #1: ip_route_me_harder-reverse_route-merge.patch --]
[-- Type: text/plain, Size: 3810 bytes --]

*** Please review this patch carefully, I'm not sure that it is correct ***

ip_route_me_harder() can now be passed the address type,
which means that inet_addr_type() is not called internally,
and thus ip_route_me_harder() is now reasonably cheap.

Make use of this by replacing ipt_REJECT's the reverse route,
which is largely a duplication of ip_route_me_harder().

Signed-Off-By: Simon Horman <horms@verge.net.au>

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index b81821e..bfbeb37 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -38,13 +38,9 @@ #else
 #define DEBUGP(format, args...)
 #endif
 
-static inline struct rtable *route_reverse(struct sk_buff *skb, 
-					   struct tcphdr *tcph, int hook)
+static inline send_reset_route(struct sk_buff **pskb)
 {
-	struct iphdr *iph = skb->nh.iph;
-	struct dst_entry *odst;
-	struct flowi fl = {};
-	struct rtable *rt;
+	int addr_type;
 
 	/* We don't require ip forwarding to be enabled to be able to
 	 * send a RST reply for bridged traffic. */
@@ -52,49 +48,12 @@ static inline struct rtable *route_rever
 #ifdef CONFIG_BRIDGE_NETFILTER
 	    || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
 #endif
-	   ) {
-		fl.nl_u.ip4_u.daddr = iph->saddr;
-		if (hook == NF_IP_LOCAL_IN)
-			fl.nl_u.ip4_u.saddr = iph->daddr;
-		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-
-		if (ip_route_output_key(&rt, &fl) != 0)
-			return NULL;
-	} else {
-		/* non-local src, find valid iif to satisfy
-		 * rp-filter when calling ip_route_input. */
-		fl.nl_u.ip4_u.daddr = iph->daddr;
-		if (ip_route_output_key(&rt, &fl) != 0)
-			return NULL;
-
-		odst = skb->dst;
-		if (ip_route_input(skb, iph->saddr, iph->daddr,
-		                   RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-			dst_release(&rt->u.dst);
-			return NULL;
-		}
-		dst_release(&rt->u.dst);
-		rt = (struct rtable *)skb->dst;
-		skb->dst = odst;
-
-		fl.nl_u.ip4_u.daddr = iph->saddr;
-		fl.nl_u.ip4_u.saddr = iph->daddr;
-		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-	}
-
-	if (rt->u.dst.error) {
-		dst_release(&rt->u.dst);
-		return NULL;
-	}
-
-	fl.proto = IPPROTO_TCP;
-	fl.fl_ip_sport = tcph->dest;
-	fl.fl_ip_dport = tcph->source;
-	security_skb_classify_flow(skb, &fl);
-
-	xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
+	   )
+		addr_type = 1;
+	} else
+		addr_type = 2;
 
-	return rt;
+	return ip_route_me_harder(pskb, addr_type);
 }
 
 /* Send RST reply */
@@ -107,7 +66,6 @@ static void send_reset(struct sk_buff *o
 	u_int16_t tmp_port;
 	u_int32_t tmp_addr;
 	int needs_ack;
-	int hh_len;
 
 	/* IP header checks: fragment. */
 	if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
@@ -129,12 +87,12 @@ static void send_reset(struct sk_buff *o
 	if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
 		return;
 
-	hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
-
 	/* We need a linear, writeable skb.  We also need to expand
 	   headroom in case hh_len of incoming interface < hh_len of
-	   outgoing interface */
-	nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
+	   outgoing interface. As routing happens later, using
+	   ip_route_me_harder(), LL_MAX_HEADER is used as hh_len,
+	   to ensure there will always be enough space. */
+	nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
 			       GFP_ATOMIC);
 	if (!nskb) {
 		dst_release(&rt->u.dst);
@@ -204,6 +162,10 @@ static void send_reset(struct sk_buff *o
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
 					   nskb->nh.iph->ihl);
 
+	/* Route - this may not need to be so late */
+	if (ip_route_me_harder(nskb) < 0)
+		goto free_nskb;
+
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(nskb->dst))
 		goto free_nskb;

--

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/

Re: [patch 3/3] Replace reverse_route() with a call to ip_route_me_harder()

[Horms]

Sorry, the previous invocation of this patch was hopelessly broken.
This should be a little better.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/


*** Please review this patch carefully, I'm not sure that it is correct ***

ip_route_me_harder() can now be passed the address type,
which means that inet_addr_type() is not called internally,
and thus ip_route_me_harder() is now reasonably cheap.

Make use of this by replacing ipt_REJECT's the reverse route,
which is largely a duplication of ip_route_me_harder().

Signed-Off-By: Simon Horman <horms@verge.net.au>

Index: net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- net-2.6.19.orig/net/ipv4/netfilter/ipt_REJECT.c	2006-09-19 12:50:43.000000000 +0900
+++ net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c	2006-09-19 12:53:42.000000000 +0900
@@ -38,13 +38,9 @@
 #define DEBUGP(format, args...)
 #endif
 
-static inline struct rtable *route_reverse(struct sk_buff *skb, 
-					   struct tcphdr *tcph, int hook)
+static inline int send_reset_route(struct sk_buff **pskb, int hook)
 {
-	struct iphdr *iph = skb->nh.iph;
-	struct dst_entry *odst;
-	struct flowi fl = {};
-	struct rtable *rt;
+	int addr_type;
 
 	/* We don't require ip forwarding to be enabled to be able to
 	 * send a RST reply for bridged traffic. */
@@ -52,62 +48,23 @@
 #ifdef CONFIG_BRIDGE_NETFILTER
 	    || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
 #endif
-	   ) {
-		fl.nl_u.ip4_u.daddr = iph->saddr;
-		if (hook == NF_IP_LOCAL_IN)
-			fl.nl_u.ip4_u.saddr = iph->daddr;
-		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
+	   )
+		addr_type = 1;
+	else
+		addr_type = 2;
 
-		if (ip_route_output_key(&rt, &fl) != 0)
-			return NULL;
-	} else {
-		/* non-local src, find valid iif to satisfy
-		 * rp-filter when calling ip_route_input. */
-		fl.nl_u.ip4_u.daddr = iph->daddr;
-		if (ip_route_output_key(&rt, &fl) != 0)
-			return NULL;
-
-		odst = skb->dst;
-		if (ip_route_input(skb, iph->saddr, iph->daddr,
-		                   RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-			dst_release(&rt->u.dst);
-			return NULL;
-		}
-		dst_release(&rt->u.dst);
-		rt = (struct rtable *)skb->dst;
-		skb->dst = odst;
-
-		fl.nl_u.ip4_u.daddr = iph->saddr;
-		fl.nl_u.ip4_u.saddr = iph->daddr;
-		fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-	}
-
-	if (rt->u.dst.error) {
-		dst_release(&rt->u.dst);
-		return NULL;
-	}
-
-	fl.proto = IPPROTO_TCP;
-	fl.fl_ip_sport = tcph->dest;
-	fl.fl_ip_dport = tcph->source;
-	security_skb_classify_flow(skb, &fl);
-
-	xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-
-	return rt;
+	return ip_route_me_harder(pskb, addr_type);
 }
 
 /* Send RST reply */
 static void send_reset(struct sk_buff *oldskb, int hook)
 {
-	struct sk_buff *nskb;
+	struct sk_buff *nskb, **pnskb;
 	struct iphdr *iph = oldskb->nh.iph;
 	struct tcphdr _otcph, *oth, *tcph;
-	struct rtable *rt;
 	u_int16_t tmp_port;
 	u_int32_t tmp_addr;
 	int needs_ack;
-	int hh_len;
 
 	/* IP header checks: fragment. */
 	if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
@@ -126,23 +83,15 @@
 	if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
 		return;
 
-	if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
-		return;
-
-	hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
-
 	/* We need a linear, writeable skb.  We also need to expand
 	   headroom in case hh_len of incoming interface < hh_len of
-	   outgoing interface */
-	nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
+	   outgoing interface. As routing happens later, using
+	   ip_route_me_harder(), LL_MAX_HEADER is used as hh_len,
+	   to ensure there will always be enough space. */
+	nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
 			       GFP_ATOMIC);
-	if (!nskb) {
-		dst_release(&rt->u.dst);
+	if (!nskb)
 		return;
-	}
-
-	dst_release(nskb->dst);
-	nskb->dst = &rt->u.dst;
 
 	/* This packet will not be the same as the other: clear nf fields */
 	nf_reset(nskb);
@@ -204,6 +153,12 @@
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
 					   nskb->nh.iph->ihl);
 
+	/* Route - this may not need to be so late */
+	pnskb = &nskb;
+	if (send_reset_route(pnskb, hook) < 0)
+		goto free_nskb;
+	nskb = *pnskb;
+
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(nskb->dst))
 		goto free_nskb;