From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
Date: Wed, 17 Mar 2010 14:35:47 +0100
Message-ID: <4BA0DAB3.3000700@trash.net>
In-Reply-To: <1268831945-6041-9-git-send-email-jengelh@medozas.de>

Jan Engelhardt wrote:
> +static void tee_tg_send(struct sk_buff *skb)
> +{
> +	const struct dst_entry *dst  = skb_dst(skb);
> +	const struct net_device *dev = dst->dev;
> +	unsigned int hh_len = LL_RESERVED_SPACE(dev);
> +
> +	/* Be paranoid, rather than too clever. */
> +	if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops != NULL)) {
> +		struct sk_buff *skb2;
> +
> +		skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
> +		if (skb2 == NULL) {
> +			kfree_skb(skb);
> +			return;
> +		}
> +		if (skb->sk != NULL)
> +			skb_set_owner_w(skb2, skb->sk);
> +		kfree_skb(skb);
> +		skb = skb2;
> +	}
> +
> +	if (dst->hh != NULL) {
> +		neigh_hh_output(dst->hh, skb);
> +	} else if (dst->neighbour != NULL) {
> +		dst->neighbour->output(skb);
> +	} else {
> +		if (net_ratelimit())
> +			pr_debug(KBUILD_MODNAME
> +				"no hdr & no neighbour cache!\n");
> +		kfree_skb(skb);
> +	}
> +}
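Review bot: the pr_debug() in the fallback branch concatenates KBUILD_MODNAME directly onto "no hdr & no neighbour cache!\n", so the message is emitted as one run-on word ("xt_TEEno hdr ..."); put ": " after KBUILD_MODNAME or define pr_fmt for the module. Two smaller points in the same function: the skb_realloc_headroom() call recomputes LL_RESERVED_SPACE(dev) although hh_len a few lines up already holds that value, and guarding pr_debug() with net_ratelimit() still consumes a ratelimit slot even though pr_debug() compiles to nothing unless DEBUG or dynamic debug is enabled.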

Remind me again why we need this duplicated output function?

> +
> +/*
> + * To detect and deter routed packet loopback when using the --tee option, we
> + * take a page out of the raw.patch book: on the copied skb, we set up a fake
> + * ->nfct entry, pointing to the local &route_tee_track. We skip routing
> + * packets when we see they already have that ->nfct.
> + */
> +static unsigned int
> +tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
> +{
> +	const struct xt_tee_tginfo *info = par->targinfo;
> +
> +#ifdef WITH_CONNTRACK
> +	if (skb->nfct == &tee_track.ct_general) {
> +		/*
> +		 * Loopback - a packet we already routed, is to be
> +		 * routed another time. Avoid that, now.
> +		 */
> +		if (net_ratelimit())
> +			pr_debug(KBUILD_MODNAME "loopback - DROP!\n");
> +		return NF_DROP;
> +	}
> +#endif
> +	if (!skb_make_writable(skb, sizeof(struct iphdr)))
> +		return XT_CONTINUE;
> +	/*
> +	 * If we are in INPUT, the checksum must be recalculated since
> +	 * the length could have changed as a result of defragmentation.
> +	 */
> +	if (par->hooknum == NF_INET_LOCAL_IN) {
> +		struct iphdr *iph = ip_hdr(skb);
> +
> +		iph->check = 0;
> +		iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
> +	}
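Review bot: the loopback guard at the top of tee_tg4() exists only under #ifdef WITH_CONNTRACK, while the comment above the function presents loop detection as unconditional; either document that a build without conntrack has no protection against a copy being TEE'd a second time, or make the module depend on it. The same comment names &route_tee_track, but the code compares against &tee_track.ct_general; bring the comment in line with the identifier actually used. The pr_debug() here has the same missing separator as in tee_tg_send(): KBUILD_MODNAME "loopback - DROP!\n" prints as one word.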

I guess it might make sense to decrease the TTL by one to
avoid TEE loops between two hosts.

> +	/*
> +	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
> +	 * the original skb, which should continue on its way as if nothing has
> +	 * happened. The copy should be independently delivered to the TEE
> +	 * --gateway.
> +	 */
> +	skb = skb_copy(skb, GFP_ATOMIC);
> +	if (skb == NULL)
> +		return XT_CONTINUE;
> +
> +#ifdef WITH_CONNTRACK
> +	nf_conntrack_put(skb->nfct);
> +	skb->nfct     = &tee_track.ct_general;
> +	skb->nfctinfo = IP_CT_NEW;
> +	nf_conntrack_get(skb->nfct);
> +#endif
> +	/*
> +	 * Normally, we would just use ip_local_out. Because iph->check is
> +	 * already correct, we could take a shortcut and call dst_output
> +	 * [forwards to ip_output] directly. ip_output however will invoke
> +	 * Netfilter hooks and cause reentrancy. So we skip that too and go
> +	 * directly to ip_finish_output. Since we should not do XFRM, control
> +	 * passes to ip_finish_output2. That function is not exported, so it is
> +	 * copied here as tee_ip_direct_send.
> +	 *
> +	 * We do no XFRM on the cloned packet on purpose! The choice of
> +	 * iptables match options will control whether the raw packet or the
> +	 * transformed version is cloned.
> +	 *
> +	 * Also on purpose, no fragmentation is done, to preserve the
> +	 * packet as best as possible.
> +	 */
> +	if (tee_tg_route4(skb, info))
> +		tee_tg_send(skb);
> +
> +	return XT_CONTINUE;
> +}
> +
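Review bot: when tee_tg_route4() fails, the copy is neither sent nor visibly freed in this hunk; if tee_tg_route4() does not kfree_skb() it on its failure path, every packet that cannot be routed to the gateway leaks a full skb_copy(). Please state the ownership rule in a comment at the call site (or free the copy here and have the helper never free it). Two comment fixes as well: the block above the call says the ip_finish_output2 copy is named tee_ip_direct_send, but the function in this patch is tee_tg_send(); and reassigning the skb parameter to the copy means "the original skb" in the preceding comment refers to a variable that no longer exists past that line, so a separate variable for the copy would read more clearly.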

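An added example, written for this page and not taken from Jan's patch or from the kernel, of the two points raised above: the checksum recomputation tee_tg4() does in the LOCAL_IN branch, and the TTL decrement suggested as a way to stop a TEE copy bouncing between two hosts forever. ip_checksum()/ip_set_checksum() mirror the full recomputation the patch performs with ip_fast_csum(); ip_decrease_ttl() applies the RFC 1624 incremental update in the style of the kernel helper of that name, and the code checks that the result still verifies against a full recomputation. The header bytes (10.0.0.1 to 10.0.0.2, ICMP) and the host A/host B loop model are constructed for the example.

```c
/* Added example, not code from the xt_TEE patch or the kernel: a userspace
 * model of a TEE loop between two hosts and of the TTL handling that bounds
 * it. The sample header and the A<->B loop are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPH_LEN   20	/* IPv4 header without options, ihl == 5 */
#define OFF_TTL    8
#define OFF_CHECK 10

/* One's-complement sum over the header; returns 0 for a valid header. */
static uint16_t ip_checksum(const uint8_t *iph, size_t len)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
		sum += ((uint32_t)iph[i] << 8) | iph[i + 1];
	while (sum >> 16)			/* end-around carry */
		sum = (sum & 0xffffu) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Full recomputation: zero the field, then sum, as tee_tg4() does in INPUT. */
static void ip_set_checksum(uint8_t *iph)
{
	uint16_t c;

	iph[OFF_CHECK] = iph[OFF_CHECK + 1] = 0;
	c = ip_checksum(iph, IPH_LEN);
	iph[OFF_CHECK] = (uint8_t)(c >> 8);
	iph[OFF_CHECK + 1] = (uint8_t)c;
}

/* Incremental update (RFC 1624): TTL is the high byte of a 16-bit word, so
 * one TTL step moves the sum by 0x0100; add that to the stored complement
 * with end-around carry instead of re-summing the whole header. */
static uint8_t ip_decrease_ttl(uint8_t *iph)
{
	uint32_t check = (((uint32_t)iph[OFF_CHECK] << 8) | iph[OFF_CHECK + 1]) + 0x0100u;

	check = (check & 0xffffu) + (check >> 16);
	iph[OFF_CHECK] = (uint8_t)(check >> 8);
	iph[OFF_CHECK + 1] = (uint8_t)check;
	return --iph[OFF_TTL];
}

/* Constructed sample header, not a captured packet. */
static void make_header(uint8_t *iph, uint8_t ttl)
{
	static const uint8_t tmpl[IPH_LEN] = {
		0x45, 0x00, 0x00, 0x54,	/* v4, ihl 5, tos 0, total length 84 */
		0x1c, 0x46, 0x40, 0x00,	/* id, DF, fragment offset 0 */
		0x00, 0x01,		/* TTL (set below), protocol ICMP */
		0x00, 0x00,		/* checksum (computed below) */
		10, 0, 0, 1,		/* 10.0.0.1 */
		10, 0, 0, 2,		/* 10.0.0.2 */
	};

	memcpy(iph, tmpl, IPH_LEN);
	iph[OFF_TTL] = ttl;
	ip_set_checksum(iph);
}

/* A fresh header must verify, and must still verify after the cheap update. */
static int incremental_checksum_valid(uint8_t ttl)
{
	uint8_t iph[IPH_LEN];

	make_header(iph, ttl);
	if (ip_checksum(iph, IPH_LEN) != 0)
		return 0;
	return ip_decrease_ttl(iph) == (uint8_t)(ttl - 1) &&
	       ip_checksum(iph, IPH_LEN) == 0;
}

/* Host A TEEs every packet to B and B TEEs it straight back. Returns how
 * many times the copy crosses the link before a host drops it for TTL
 * exhaustion. Without a decrement nothing stops it, so `limit` keeps the
 * model finite. Returns -1 if the incremental checksum ever stops verifying. */
static int tee_loop_hops(uint8_t initial_ttl, int decrement_ttl, int limit)
{
	uint8_t iph[IPH_LEN];
	int hops = 0;

	make_header(iph, initial_ttl);
	while (hops < limit) {
		if (decrement_ttl) {
			if (iph[OFF_TTL] <= 1)	/* forwarder rule: expired, drop */
				break;
			ip_decrease_ttl(iph);
			if (ip_checksum(iph, IPH_LEN) != 0)
				return -1;
		}
		hops++;				/* copy goes out to the other host */
	}
	return hops;
}

int main(void)
{
	printf("TTL 64, no decrement: %d hops (capped)\n", tee_loop_hops(64, 0, 1000));
	printf("TTL 64, with decrement: %d hops\n", tee_loop_hops(64, 1, 1000));
	return incremental_checksum_valid(64) ? 0 : 1;
}
```

With the decrement in place the copy dies after initial_ttl - 1 crossings; without it the only thing bounding the loop is the cap, which is the situation the TTL suggestion addresses. Note that the incremental update can leave 0xffff in the field where a full recomputation would store 0x0000; both verify, so validity is checked by summing rather than by comparing bytes.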

Thread overview: 46+ messages
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
2010-03-17 13:18 ` [PATCH 1/9] netfilter: xtables: do without explicit XT_ALIGN Jan Engelhardt
2010-03-17 13:18 ` [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values Jan Engelhardt
2010-03-17 13:39   ` Patrick McHardy
2010-03-17 14:05     ` Jan Engelhardt
2010-03-17 14:16       ` Patrick McHardy
2010-03-17 14:27         ` Jan Engelhardt
2010-03-17 14:36           ` Patrick McHardy
2010-03-17 14:40             ` Patrick McHardy
2010-03-17 21:54               ` Jan Engelhardt
2010-03-18 11:14                 ` Patrick McHardy
2010-03-17 13:18 ` [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended Jan Engelhardt
2010-03-17 13:30   ` Patrick McHardy
2010-03-17 13:34     ` Jan Engelhardt
2010-03-17 13:36       ` Patrick McHardy
2010-03-17 13:18 ` [PATCH 4/9] netfilter: xtables: clean up xt_mac match routine Jan Engelhardt
2010-03-17 13:19 ` [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices Jan Engelhardt
2010-03-17 13:31   ` Patrick McHardy
2010-03-17 13:37     ` Jan Engelhardt
2010-03-17 13:40       ` Patrick McHardy
2010-03-17 13:19 ` [PATCH 6/9] netfilter: xtables: resort osf kconfig text Jan Engelhardt
2010-03-17 13:19 ` [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
2010-03-17 13:56   ` Patrick McHardy
2010-03-17 14:11     ` John Haxby
2010-03-17 14:43       ` Patrick McHardy
2010-03-20  1:47         ` Jan Engelhardt
2010-03-22 15:14           ` John Haxby
2010-03-22 16:49             ` Patrick McHardy
2010-03-17 14:21     ` Jan Engelhardt
2010-03-17 14:24       ` Patrick McHardy
2010-03-17 13:19 ` [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE Jan Engelhardt
2010-03-17 13:35   ` Patrick McHardy [this message]
2010-03-17 13:43     ` Jan Engelhardt
2010-03-17 13:55       ` Patrick McHardy
2010-03-23  1:55         ` Jan Engelhardt
2010-03-23 11:57           ` Patrick McHardy
2010-03-26  2:39           ` Jan Engelhardt
2010-03-20  2:03     ` Jan Engelhardt
2010-03-22 16:58       ` Patrick McHardy
2010-03-22 17:45         ` Jan Engelhardt
2010-03-23 12:04           ` Patrick McHardy
2010-03-23 12:29             ` Jan Engelhardt
2010-03-23 12:38               ` Patrick McHardy
2010-03-23 12:46                 ` Jan Engelhardt
2010-03-23 13:45                   ` Patrick McHardy
2010-03-17 13:19 ` [PATCH 9/9] netfilter: xtables: inclusion of xt_condition Jan Engelhardt
