From: Patrick McHardy <kaber@trash.net>
To: KOVACS Krisztian <hidden@sch.bme.hu>
Cc: David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [net-next PATCH 14/16] iptables socket match
Date: Thu, 02 Oct 2008 11:26:36 +0200 [thread overview]
Message-ID: <48E493CC.9020502@trash.net> (raw)
In-Reply-To: <20081001142431.4893.56954.stgit@este>
KOVACS Krisztian wrote:
> Add iptables 'socket' match, which matches packets for which a TCP/UDP
> socket lookup succeeds.
>
It seems sufficiently different from what xt_owner does to justify a
separate module.
Minor nitpicking:
> +static int
> +extract_icmp_fields(const struct sk_buff *skb,
> + u8 *protocol,
> + __be32 *raddr,
> + __be32 *laddr,
> + __be16 *rport,
> + __be16 *lport)
> +{
> + struct iphdr *outside_iph = ip_hdr(skb);
> + struct iphdr *inside_iph, _inside_iph;
> + struct icmphdr *icmph, _icmph;
> + __be16 *ports, _ports[2];
> +
> + icmph = skb_header_pointer(skb, outside_iph->ihl << 2, sizeof(_icmph), &_icmph);
>
The "ihl << 2" is repeating multiple times. Maybe just store it in a
variable,
also it would be nicer to use ip_hdrlen().
> + if (icmph == NULL)
> + return 1;
> +
> + switch (icmph->type) {
> + case ICMP_DEST_UNREACH:
> + case ICMP_SOURCE_QUENCH:
> + case ICMP_REDIRECT:
> + case ICMP_TIME_EXCEEDED:
> + case ICMP_PARAMETERPROB:
> + break;
> + default:
> + return 1;
> + }
> +
> + inside_iph = skb_header_pointer(skb, (outside_iph->ihl << 2) + sizeof(struct icmphdr), sizeof(_inside_iph), &_inside_iph);
>
And these lines (few more below) should break at 80 characters.
> + if (inside_iph == NULL)
> + return -EINVAL;
>
What is the return convention here? It seems this should also return 1
as the
other exit paths.
> +static bool
> +socket_mt(const struct sk_buff *skb,
> + const struct net_device *in,
> + const struct net_device *out,
> + const struct xt_match *match,
> + const void *matchinfo,
> + int offset,
> + unsigned int protoff,
> + bool *hotdrop)
> +{
>
...
> + if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {
> + hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
> + if (hp == NULL)
> + return false;
> +
> + protocol = iph->protocol;
> + saddr = iph->saddr;
> + sport = hp->source;
> + daddr = iph->daddr;
> + dport = hp->dest;
> +
> + }
> + else if (iph->protocol == IPPROTO_ICMP) {
>
Please put the else on the same line as the closing brace.
next prev parent reply other threads:[~2008-10-02 9:27 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-01 14:24 [net-next PATCH 00/16] Transparent proxying patches, take six KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 05/16] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2008-10-01 14:36 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 01/16] Loosen source address check on IPv4 output KOVACS Krisztian
2008-10-01 14:28 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 08/16] Port redirection support for TCP KOVACS Krisztian
2008-10-01 14:47 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 06/16] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2008-10-01 14:42 ` David Miller
2008-10-01 14:46 ` KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 09/16] Export UDP socket lookup function KOVACS Krisztian
2008-10-01 14:48 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 02/16] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2008-10-01 14:30 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2008-10-01 14:50 ` David Miller
2008-10-01 15:38 ` KOVACS Krisztian
2008-10-01 15:51 ` David Miller
2008-10-02 15:43 ` KOVACS Krisztian
2008-10-02 17:09 ` Arnaldo Carvalho de Melo
2008-10-02 19:58 ` David Miller
2008-10-03 8:57 ` KOVACS Krisztian
2008-10-03 13:47 ` Arnaldo Carvalho de Melo
2008-10-07 7:36 ` KOVACS Krisztian
2008-10-07 12:36 ` Arnaldo Carvalho de Melo
2008-10-07 18:42 ` David Miller
2008-10-07 7:42 ` [net-next PATCH] Add udplib_lookup_skb() helpers (was: [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb) KOVACS Krisztian
2008-10-07 12:34 ` Arnaldo Carvalho de Melo
2008-10-07 19:39 ` [net-next PATCH] Add udplib_lookup_skb() helpers David Miller
2008-10-07 7:59 ` [net-next PATCH] Don't lookup the socket if there's a socket attached to the skb (was: Re: [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb) KOVACS Krisztian
2008-10-07 12:36 ` Arnaldo Carvalho de Melo
2008-10-07 19:41 ` [net-next PATCH] Don't lookup the socket if there's a socket attached to the skb David Miller
2008-10-01 14:24 ` [net-next PATCH 12/16] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2008-10-02 9:18 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 07/16] Make Netfilter's ip_route_me_harder() non-local address compatible KOVACS Krisztian
2008-10-01 14:45 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 03/16] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2008-10-01 14:31 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 15/16] iptables TPROXY target KOVACS Krisztian
2008-10-02 9:28 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 14/16] iptables socket match KOVACS Krisztian
2008-10-02 9:26 ` Patrick McHardy [this message]
2008-10-02 10:26 ` KOVACS Krisztian
2008-10-02 10:35 ` Patrick McHardy
2008-10-03 14:04 ` Jan Engelhardt
2008-10-01 14:24 ` [net-next PATCH 11/16] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 04/16] Make inet_sock.h independent of route.h KOVACS Krisztian
2008-10-01 14:34 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 16/16] Add documentation KOVACS Krisztian
2008-10-01 16:22 ` Randy Dunlap
2008-10-02 9:37 ` [RESEND net-next " KOVACS Krisztian
2008-10-02 9:38 ` Patrick McHardy
2008-10-03 14:01 ` [net-next " Jan Engelhardt
2008-10-07 7:01 ` KOVACS Krisztian
2008-10-07 13:25 ` [patch] Update tproxy documentation Jan Engelhardt
2008-10-07 19:50 ` [net-next PATCH 16/16] Add documentation David Miller
2008-10-07 20:02 ` KOVACS Krisztian
2008-10-07 20:47 ` Patrick McHardy
2008-10-07 20:53 ` David Miller
2008-10-08 0:32 ` Philip Craig
2008-10-01 14:24 ` [net-next PATCH 13/16] iptables tproxy core KOVACS Krisztian
2008-10-02 9:19 ` Patrick McHardy
2008-10-02 13:20 ` [net-next PATCH 00/16] Transparent proxying patches, take six Amos Jeffries
2008-10-02 15:38 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48E493CC.9020502@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=hidden@sch.bme.hu \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.