From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 4/4] netfilter: xtables: remove old comments about reentrancy
Date: Tue, 20 Apr 2010 14:24:11 +0200 [thread overview]
Message-ID: <4BCD9CEB.3040801@trash.net> (raw)
In-Reply-To: <4BCC63E1.6080808@trash.net>
[-- Attachment #1: Type: text/plain, Size: 633 bytes --]
Patrick McHardy wrote:
> Also applied, thanks Jan. I'll push everything out after
> some more intensive testing.
Not using oif was broken due to an incorrect check for a device
name, there also was a device reference leak. I took the
opportunity to convert it to notifier based device resolving.
If a oif is given, we register a netdevice notifier to resolve
the name on NETDEV_REGISTER or NETDEV_CHANGE and unresolve it
again on NETDEV_UNREGISTER or NETDEV_CHANGE (to a different name).
The behaviour should be equivalent to the runtime resolving.
Please review, if things are fine I'll commit the patch and
push everything out.
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 4796 bytes --]
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
index 55d4a50..5c21d5c 100644
--- a/include/linux/netfilter/xt_TEE.h
+++ b/include/linux/netfilter/xt_TEE.h
@@ -4,6 +4,9 @@
struct xt_tee_tginfo {
union nf_inet_addr gw;
char oif[16];
+
+ /* used internally by the kernel */
+ struct xt_tee_priv *priv __attribute__((aligned(8)));
};
#endif /* _XT_TEE_TARGET_H */
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 842e701..1dbef1d 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -15,6 +15,7 @@
#include <linux/percpu.h>
#include <linux/route.h>
#include <linux/skbuff.h>
+#include <linux/notifier.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
@@ -32,6 +33,12 @@
# define WITH_IPV6 1
#endif
+struct xt_tee_priv {
+ struct notifier_block notifier;
+ struct xt_tee_tginfo *tginfo;
+ int oif;
+};
+
static const union nf_inet_addr tee_zero_address;
static DEFINE_PER_CPU(bool, tee_active);
@@ -49,20 +56,6 @@ static struct net *pick_net(struct sk_buff *skb)
return &init_net;
}
-static bool tee_tg_route_oif(struct flowi *f, struct net *net,
- const struct xt_tee_tginfo *info)
-{
- const struct net_device *dev;
-
- if (*info->oif != '\0')
- return true;
- dev = dev_get_by_name(net, info->oif);
- if (dev == NULL)
- return false;
- f->oif = dev->ifindex;
- return true;
-}
-
static bool
tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
{
@@ -72,8 +65,11 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
struct flowi fl;
memset(&fl, 0, sizeof(fl));
- if (!tee_tg_route_oif(&fl, net, info))
- return false;
+ if (info->priv) {
+ if (info->priv->oif == -1)
+ return false;
+ fl.oif = info->priv->oif;
+ }
fl.nl_u.ip4_u.daddr = info->gw.ip;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
@@ -149,8 +145,11 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
struct flowi fl;
memset(&fl, 0, sizeof(fl));
- if (!tee_tg_route_oif(&fl, net, info))
- return false;
+ if (info->priv) {
+ if (info->priv->oif == -1)
+ return false;
+ fl.oif = info->priv->oif;
+ }
fl.nl_u.ip6_u.daddr = info->gw.in6;
fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
@@ -198,15 +197,70 @@ tee_tg6(struct sk_buff *skb, const struct xt_target_param *par)
}
#endif /* WITH_IPV6 */
+static int tee_netdev_event(struct notifier_block *this, unsigned long event,
+ void *ptr)
+{
+ struct net_device *dev = ptr;
+ struct xt_tee_priv *priv;
+
+ priv = container_of(this, struct xt_tee_priv, notifier);
+ switch (event) {
+ case NETDEV_REGISTER:
+ if (!strcmp(dev->name, priv->tginfo->oif))
+ priv->oif = dev->ifindex;
+ break;
+ case NETDEV_UNREGISTER:
+ if (dev->ifindex == priv->oif)
+ priv->oif = -1;
+ break;
+ case NETDEV_CHANGENAME:
+ if (!strcmp(dev->name, priv->tginfo->oif))
+ priv->oif = dev->ifindex;
+ else if (dev->ifindex == priv->oif)
+ priv->oif = -1;
+ break;
+ }
+
+ return NOTIFY_DONE;
+}
+
static int tee_tg_check(const struct xt_tgchk_param *par)
{
- const struct xt_tee_tginfo *info = par->targinfo;
+ struct xt_tee_tginfo *info = par->targinfo;
+ struct xt_tee_priv *priv;
- if (info->oif[sizeof(info->oif)-1] != '\0')
- return -EINVAL;
/* 0.0.0.0 and :: not allowed */
- return (memcmp(&info->gw, &tee_zero_address,
- sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
+ if (memcmp(&info->gw, &tee_zero_address,
+ sizeof(tee_zero_address)) == 0)
+ return -EINVAL;
+
+ if (info->oif[0]) {
+ if (info->oif[sizeof(info->oif)-1] != '\0')
+ return -EINVAL;
+
+ priv = kmalloc(sizeof(*priv), GFP_KERNEL);
+ if (priv == NULL)
+ return -ENOMEM;
+
+ priv->tginfo = info;
+ priv->oif = -1;
+ priv->notifier.notifier_call = tee_netdev_event;
+
+ register_netdevice_notifier(&priv->notifier);
+ } else
+ info->priv = NULL;
+
+ return 0;
+}
+
+static void tee_tg_destroy(const struct xt_tgdtor_param *par)
+{
+ struct xt_tee_tginfo *info = par->targinfo;
+
+ if (info->priv) {
+ unregister_netdevice_notifier(&info->priv->notifier);
+ kfree(info->priv);
+ }
}
static struct xt_target tee_tg_reg[] __read_mostly = {
@@ -217,6 +271,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
.target = tee_tg4,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
+ .destroy = tee_tg_destroy,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
@@ -227,6 +282,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
.target = tee_tg6,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
+ .destroy = tee_tg_destroy,
.me = THIS_MODULE,
},
#endif
next prev parent reply other threads:[~2010-04-20 12:24 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-15 23:25 nf-next: TEE 20100215 Jan Engelhardt
2010-04-15 23:25 ` [PATCH 1/4] netfilter: xtables: inclusion of xt_TEE Jan Engelhardt
2010-04-19 12:20 ` Patrick McHardy
2010-04-19 12:36 ` Jan Engelhardt
2010-04-19 12:42 ` Patrick McHardy
2010-04-15 23:25 ` [PATCH 2/4] netfilter: xtables2: make ip_tables reentrant Jan Engelhardt
2010-04-19 12:22 ` Patrick McHardy
2010-04-19 12:54 ` Jan Engelhardt
2010-04-19 14:06 ` Patrick McHardy
2010-04-20 13:18 ` Patrick McHardy
2010-04-20 13:21 ` Patrick McHardy
2010-04-20 18:26 ` Jan Engelhardt
2010-04-21 12:47 ` Patrick McHardy
2010-04-15 23:25 ` [PATCH 3/4] netfilter: xt_TEE: have cloned packet travel through Xtables too Jan Engelhardt
2010-04-19 14:07 ` Patrick McHardy
2010-04-15 23:25 ` [PATCH 4/4] netfilter: xtables: remove old comments about reentrancy Jan Engelhardt
2010-04-19 14:08 ` Patrick McHardy
2010-04-20 12:24 ` Patrick McHardy [this message]
2010-04-20 12:29 ` Jan Engelhardt
2010-04-20 12:36 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2010-04-13 23:21 nf-next: TEE only Jan Engelhardt
2010-04-13 23:21 ` [PATCH 4/4] netfilter: xtables: remove old comments about reentrancy Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BCD9CEB.3040801@trash.net \
--to=kaber@trash.net \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.