Re: [PATCH nf-next v4 1/2] net: netfilter: Add IPIP flowtable SW acceleration

[Lorenzo Bianconi <lorenzo@kernel.org>]

[-- Attachment #1: Type: text/plain, Size: 1741 bytes --]

> Lorenzo Bianconi <lorenzo@kernel.org> wrote:
> > > Lorenzo Bianconi <lorenzo@kernel.org> wrote:
> > > > +static bool nf_flow_ip4_encap_proto(struct sk_buff *skb, u16 *size)
> > > > +{
> > > > +	struct iphdr *iph;
> > > > +
> > > > +	if (!pskb_may_pull(skb, sizeof(*iph)))
> > > > +		return false;
> > > 
> > > Nit: I think this could be 2 * sizeof() and a comment that we will
> > > also need the inner ip header later, might save one reallocation.
> > 
> > nf_flow_ip4_encap_proto() is used even for plain IP traffic but I guess we can
> > assume the IP payload is at least 20B, right?
> 
> Oh, right, I missed that.  But even if we have a.g. ip header with icmp
> header, then the postconditions are the same, no?
> 
> as-is:
> pskb_may_pull -> ok, then iph->protocol == IPPROTO_IPIP -> return false
> 
> with 2*iph:
> pskb_may_pull -> return false
> 
> ... but I'll leave it up to you, if you prefer pskb_may_pull(skb, sizeof(*iph)))
> for clarity then lets keep it as-is.

I guess the point is we run nf_flow_skb_encap_protocol() not only for IPIP
traffic but even for plain IP traffic (e.g. IP+UDP) in nf_flow_offload_lookup().
In particular, we run the following check in nf_flow_tuple_ip() for IP+UDP
traffic:

pskb_may_pull(, 28)

That is less restrictive with respect to

pskb_may_pull(, 40)

I guess it is better to keep the original check in
nf_flow_skb_encap_protocol(). What do you think?

Regards,
Lorenzo

> 
> > > > +	iph = (struct iphdr *)skb_network_header(skb);
> > > > +	*size = iph->ihl << 2;
> > > 
> > > I think this should be sanity tested vs. sizeof(iph).
> > 
> > I guess this is already done in ip_has_options(), agree?
> 
> Indeed it is!  Nevermind then :-)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]