[PATCH] netfilter : nfmark routing in OUTPUT, mangle, NFQUEUE

[PATCH] netfilter : nfmark routing in OUTPUT, mangle, NFQUEUE

[Laurent Licour]

This patch let nfmark to be evaluated for routing decision for OUTPUT 
packet, in mangle
table, when process paquet in NFQUEUE
Until now, only change (in NFQUEUE process) on fields src_addr, 
dest_addr and tos
could make netfilter to reevalute the routing.
Similar code could also be applied to ipv6 code...


--- linux-2.6.18.i386.ori/net/ipv4/netfilter.c  2006-09-20 
05:42:06.000000000 +0200
+++ linux-2.6.18.i386/net/ipv4/netfilter.c      2008-07-07 
02:04:34.000000000 +0200
@@ -131,6 +131,9 @@
       u_int32_t daddr;
       u_int32_t saddr;
       u_int8_t tos;
+#ifdef CONFIG_IP_ROUTE_FWMARK
+       __u32 nfmark;
+#endif
};

static void nf_ip_saveroute(const struct sk_buff *skb, struct nf_info 
*info)
@@ -143,6 +146,9 @@
               rt_info->tos = iph->tos;
               rt_info->daddr = iph->daddr;
               rt_info->saddr = iph->saddr;
+#ifdef CONFIG_IP_ROUTE_FWMARK
+               rt_info->nfmark = skb->nfmark;
+#endif
       }
}

@@ -154,6 +160,9 @@
               struct iphdr *iph = (*pskb)->nh.iph;

               if (!(iph->tos == rt_info->tos
+#ifdef CONFIG_IP_ROUTE_FWMARK
+                     && (*pskb)->nfmark == rt_info->nfmark
+#endif
                     && iph->daddr == rt_info->daddr
                     && iph->saddr == rt_info->saddr))
                       return ip_route_me_harder(pskb);

Re: [PATCH] netfilter : nfmark routing in OUTPUT, mangle, NFQUEUE

[Patrick McHardy]

Laurent Licour wrote:
> 
> This patch let nfmark to be evaluated for routing decision for OUTPUT 
> packet, in mangle
> table, when process paquet in NFQUEUE
> Until now, only change (in NFQUEUE process) on fields src_addr, 
> dest_addr and tos
> could make netfilter to reevalute the routing.
> Similar code could also be applied to ipv6 code...
> 
> 
> --- linux-2.6.18.i386.ori/net/ipv4/netfilter.c  2006-09-20 
> 05:42:06.000000000 +0200
> +++ linux-2.6.18.i386/net/ipv4/netfilter.c      2008-07-07 
> 02:04:34.000000000 +0200

Please resend against the current kernel tree if you want me to
apply this. Also it appears the patch is whitespace damaged,
please make sure you'll send it in a way that doesn't corrupt
it (f.i. as attachment).

Re: [PATCH] netfilter : nfmark routing in OUTPUT, mangle, NFQUEUE

[Laurent Licour]

[-- Attachment #1: Type: text/plain, Size: 268 bytes --]


> Please resend against the current kernel tree if you want me to
> apply this. Also it appears the patch is whitespace damaged,
> please make sure you'll send it in a way that doesn't corrupt
> it (f.i. as attachment).

Here is the patch against the 2.6.26-stable



[-- Attachment #2: netfilter.nfmark.output.mangle.patch --]
[-- Type: text/plain, Size: 716 bytes --]

--- linux-2.6.26/net/ipv4/netfilter.c.ori	2008-07-15 22:39:02.000000000 +0200
+++ linux-2.6.26/net/ipv4/netfilter.c	2008-07-16 18:10:14.000000000 +0200
@@ -121,6 +121,7 @@
 	__be32 daddr;
 	__be32 saddr;
 	u_int8_t tos;
+	__u32 mark;
 };
 
 static void nf_ip_saveroute(const struct sk_buff *skb,
@@ -134,6 +135,7 @@
 		rt_info->tos = iph->tos;
 		rt_info->daddr = iph->daddr;
 		rt_info->saddr = iph->saddr;
+		rt_info->mark = skb->mark;
 	}
 }
 
@@ -146,6 +148,7 @@
 		const struct iphdr *iph = ip_hdr(skb);
 
 		if (!(iph->tos == rt_info->tos
+		      && skb->mark == rt_info->mark
 		      && iph->daddr == rt_info->daddr
 		      && iph->saddr == rt_info->saddr))
 			return ip_route_me_harder(skb, RTN_UNSPEC);