Re: [PATCH 1/3] netfilter: xt_ipvs (netfilter matcher for IPVS)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Hannes Eder <heder@google.com>
Cc: lvs-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	"Fabien Duchêne" <mad_fab@skynet.be>,
	"Jan Engelhardt" <jengelh@medozas.de>,
	"Jean-Luc Fortemaison" <jl.fortemaison@uclouvain.be>,
	"Julian Anastasov" <ja@ssi.bg>,
	"Julius Volz" <julius.volz@gmail.com>,
	"Laurent Grawet" <laurent.grawet@uclouvain.be>,
	"Simon Horman" <horms@verge.net.au>,
	"Wensong Zhang" <wensong@linux-vs.org>
Subject: Re: [PATCH 1/3] netfilter: xt_ipvs (netfilter matcher for IPVS)
Date: Wed, 02 Sep 2009 17:36:04 +0200	[thread overview]
Message-ID: <4A9E90E4.9080805@trash.net> (raw)
In-Reply-To: <b5ddba180909020833w1739bd54t11fded8150007abc@mail.gmail.com>

Hannes Eder wrote:
> On Wed, Sep 2, 2009 at 16:54, Patrick McHardy<kaber@trash.net> wrote:
>> Hannes Eder wrote:
>>> This implements the kernel-space side of the netfilter matcher
>>> xt_ipvs.
>> Looks mostly fine to me, just one question:
>>
>>> +bool ipvs_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>>> +{
>>> +     const struct xt_ipvs *data = par->matchinfo;
>>> +     const u_int8_t family = par->family;
>>> +     struct ip_vs_iphdr iph;
>>> +     struct ip_vs_protocol *pp;
>>> +     struct ip_vs_conn *cp;
>>> +     int af;
>>> +     bool match = true;
>>> +
>>> +     if (data->bitmask == XT_IPVS_IPVS_PROPERTY) {
>>> +             match = skb->ipvs_property ^
>>> +                     !!(data->invert & XT_IPVS_IPVS_PROPERTY);
>>> +             goto out;
>>> +     }
>>> +
>>> +     /* other flags than XT_IPVS_IPVS_PROPERTY are set */
>>> +     if (!skb->ipvs_property) {
>>> +             match = false;
>>> +             goto out;
>>> +     }
>>> +
>>> +     switch (skb->protocol) {
>>> +     case  htons(ETH_P_IP):
>>> +             af = AF_INET;
>>> +             break;
>>> +#ifdef CONFIG_IP_VS_IPV6
>>> +     case  htons(ETH_P_IPV6):
>>> +             af = AF_INET6;
>>> +             break;
>>> +#endif
>>> +     default:
>>> +             match = false;
>>> +             goto out;
>>> +     }
>> In the NF_INET_LOCAL_OUT hook skb->protocol is invalid. So if you
>> don't need this, it would make sense to restrict the match to the
>> other hooks.
>>
>> Even easier would be to use par->family, which contains the address
>> family and doesn't need any translation.
> 
> Nice, I'll use par->family.
> 
> So in theory I do not even need a check like the following in the beginning?
> 
> 	if (family != NFPROTO_IPV4
> #ifdef CONFIG_IP_VS_IPV6
> 	    && family != NFPROTO_IPV6
> #endif
> 		) {
> 		match = false;
> 		goto out;
> 	}

With the AF_UNSPEC registration of your match, it might be used
with different families. But you could add two seperate IPV4/IPV6
registrations or catch an invalid family in ->checkentry() and
remove the runtime check.

next prev parent reply	other threads:[~2009-09-02 15:36 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-02 14:38 [PATCH 0/3] IPVS full NAT support + netfilter 'ipvs' match support Hannes Eder
2009-09-02 14:38 ` Hannes Eder
2009-09-02 14:39 ` [PATCH 1/3] netfilter: xt_ipvs (netfilter matcher for IPVS) Hannes Eder
2009-09-02 14:39   ` Hannes Eder
2009-09-02 14:54   ` Patrick McHardy
2009-09-02 15:33     ` Hannes Eder
2009-09-02 15:36       ` Patrick McHardy [this message]
2009-09-02 15:49         ` Jan Engelhardt
2009-09-02 16:05           ` Hannes Eder
2009-09-02 17:51           ` Patrick McHardy
2009-09-02 14:39 ` [PATCH 2/3] IPVS: make friends with nf_conntrack Hannes Eder
2009-09-02 14:39   ` Hannes Eder
2009-09-02 14:56   ` Patrick McHardy
2009-09-03 10:22     ` Hannes Eder
2009-09-03 11:04       ` Simon Horman
2009-09-03 19:50   ` Julian Anastasov
2009-09-02 14:41 ` [PATCH 3/3] libxt_ipvs: user-space lib for netfilter matcher xt_ipvs Hannes Eder
2009-09-02 14:41   ` Hannes Eder

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A9E90E4.9080805@trash.net \
    --to=kaber@trash.net \
    --cc=heder@google.com \
    --cc=horms@verge.net.au \
    --cc=ja@ssi.bg \
    --cc=jengelh@medozas.de \
    --cc=jl.fortemaison@uclouvain.be \
    --cc=julius.volz@gmail.com \
    --cc=laurent.grawet@uclouvain.be \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lvs-devel@vger.kernel.org \
    --cc=mad_fab@skynet.be \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=wensong@linux-vs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.