* Re: IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
@ 2003-11-23 11:13 David Stevens
2003-11-24 6:44 ` David S. Miller
0 siblings, 1 reply; 5+ messages in thread
From: David Stevens @ 2003-11-23 11:13 UTC (permalink / raw)
To: Harald Welte, davem; +Cc: netdev, Netfilter Development Mailinglist
Here's a patch to add netfilter hooks for MLD v1 & v2. Can you take
a quick look at it, Harald?
+-DLS
--- linux-2.6.0-test9-bk25/net/ipv6/mcast.c 2003-11-21 19:33:41.000000000 -0800
+++ linux-2.6.0-test9-bk25F1/net/ipv6/mcast.c 2003-11-23 01:32:39.000000000 -0800
@@ -46,6 +46,9 @@
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
+
#include <net/sock.h>
#include <net/snmp.h>
@@ -1265,6 +1268,7 @@
struct mld2_report *pmr = (struct mld2_report *)skb->h.raw;
int payload_len, mldlen;
struct inet6_dev *idev = in6_dev_get(skb->dev);
+ int err;
payload_len = skb->tail - (unsigned char *)skb->nh.ipv6h -
sizeof(struct ipv6hdr);
@@ -1273,8 +1277,10 @@
pmr->csum = csum_ipv6_magic(&pip6->saddr, &pip6->daddr, mldlen,
IPPROTO_ICMPV6, csum_partial(skb->h.raw, mldlen, 0));
- dev_queue_xmit(skb);
- ICMP6_INC_STATS(idev,Icmp6OutMsgs);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev,
+ dev_queue_xmit);
+ if (!err)
+ ICMP6_INC_STATS(idev,Icmp6OutMsgs);
if (likely(idev != NULL))
in6_dev_put(idev);
}
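Review bot: The new "if (!err)" guard after NF_HOOK() changes when Icmp6OutMsgs is counted, and the posting does not mention it. Before, the counter was bumped unconditionally after dev_queue_xmit(skb); now it is skipped on any non-zero return, which covers a non-zero return from dev_queue_xmit itself as well as a netfilter drop. If that is intended, say so in the changelog. Note also that err == 0 only means no hook dropped the skb: a hook that queues or steals the packet also yields 0, so the counter can still run ahead of what was actually transmitted.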
@@ -1603,12 +1609,15 @@
idev = in6_dev_get(skb->dev);
- dev_queue_xmit(skb);
- if (type == ICMPV6_MGM_REDUCTION)
- ICMP6_INC_STATS(idev, Icmp6OutGroupMembReductions);
- else
- ICMP6_INC_STATS(idev, Icmp6OutGroupMembResponses);
- ICMP6_INC_STATS(idev, Icmp6OutMsgs);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dev,
+ dev_queue_xmit);
+ if (!err) {
+ if (type == ICMPV6_MGM_REDUCTION)
+ ICMP6_INC_STATS(idev, Icmp6OutGroupMembReductions);
+ else
+ ICMP6_INC_STATS(idev, Icmp6OutGroupMembResponses);
+ ICMP6_INC_STATS(idev, Icmp6OutMsgs);
+ }
if (likely(idev != NULL))
in6_dev_put(idev);
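Review bot: err is assigned at "err = NF_HOOK(...)" here, but this hunk adds no declaration for it; the only "int err;" in the patch is added in the hunk at line 1265, next to the struct mld2_report code. Please confirm the function at line 1603 already declares err, or add the declaration. The three ICMP6_INC_STATS() calls in this hunk also move under "if (!err)", so the group-membership and Icmp6OutMsgs counters are no longer bumped when the return is non-zero; worth stating in the changelog that this is deliberate.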
(See attached file: MLDNF.patch)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
2003-11-23 11:13 IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks David Stevens
@ 2003-11-24 6:44 ` David S. Miller
2003-11-24 10:24 ` Harald Welte
0 siblings, 1 reply; 5+ messages in thread
From: David S. Miller @ 2003-11-24 6:44 UTC (permalink / raw)
To: David Stevens; +Cc: laforge, netdev, netfilter-devel
On Sun, 23 Nov 2003 04:13:39 -0700
David Stevens <dlstevens@us.ibm.com> wrote:
> Here's a patch to add netfilter hooks for MLD v1 & v2. Can you take
> a quick look at it, Harald?
Whoa, David beat me to it, on a weekend no less :)))
It looks good to me. Applied, thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
2003-11-24 6:44 ` David S. Miller
@ 2003-11-24 10:24 ` Harald Welte
0 siblings, 0 replies; 5+ messages in thread
From: Harald Welte @ 2003-11-24 10:24 UTC (permalink / raw)
To: David S. Miller; +Cc: David Stevens, netdev, netfilter-devel
On Sun, Nov 23, 2003 at 10:44:14PM -0800, David S. Miller wrote:
> David Stevens <dlstevens@us.ibm.com> wrote:
>
> > Here's a patch to add netfilter hooks for MLD v1 & v2. Can you take
> > a quick look at it, Harald?
>
> Whoa, David beat me to it, on a weekend no less :)))
Thanks, David & David :)
> It looks good to me. Applied, thanks.
obviously fine with me, too.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
^ permalink raw reply [flat|nested] 5+ messages in thread
* IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
@ 2003-11-22 9:03 Harald Welte
2003-11-23 23:43 ` David S. Miller
0 siblings, 1 reply; 5+ messages in thread
From: Harald Welte @ 2003-11-22 9:03 UTC (permalink / raw)
To: netdev; +Cc: Netfilter Development Mailinglist
Hi!
At least to me it was not known (until very recently) that the IPv6
multicast code in net/ipv6/mcast.c bypasses the netfilter hooks - but it
does.
I don't have the time to work on this right now, just wanted to drop a
note to netdev that people are aware of this issue.
This basically means that you cannot do packet filtering with ip6tables
on outgoing MLD packets.
If anyone wants to write a patch before I get the time: Feel free to do
so.
Dave: I think this would be post 2.6.0 stuff, wouldn't it?
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: IPv6 multicast (MLD,IGMP) code bypasses netfilter hooks
2003-11-22 9:03 Harald Welte
@ 2003-11-23 23:43 ` David S. Miller
0 siblings, 0 replies; 5+ messages in thread
From: David S. Miller @ 2003-11-23 23:43 UTC (permalink / raw)
To: Harald Welte; +Cc: netdev, netfilter-devel
On Sat, 22 Nov 2003 10:03:30 +0100
Harald Welte <laforge@netfilter.org> wrote:
> At least to me it was not known (until very recently) that the IPv6
> multicast code in net/ipv6/mcast.c bypasses the netfilter hooks - but it
> does.
...
> Dave: I think this would be post 2.6.0 stuff, wouldn't it?
If the fix is simple enough (1 or 2 one-liner changes) and easy
to verify, I would consider it for 2.6.0
I may even look into this myself.
Thanks Harald.
^ permalink raw reply [flat|nested] 5+ messages in thread