* [PATCH] ipv6: do xfrm transform after nat if necessary
@ 2014-11-03 4:53 Duan Jiong
2014-11-03 19:42 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Duan Jiong @ 2014-11-03 4:53 UTC (permalink / raw)
To: David Miller; +Cc: netdev
In function nf_nat_ipv6_out, after nat is done, nf_xfrm_me_harder()
will be called to look up xfrm dst.
Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
---
net/ipv6/ip6_output.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 8e950c2..742a845 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -124,6 +124,14 @@ static int ip6_finish_output2(struct sk_buff *skb)
static int ip6_finish_output(struct sk_buff *skb)
{
+#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
+ /* Just like ipv4, policy lookup after nat yielded a new policy */
+ if (skb_dst(skb)->xfrm != NULL) {
+ IP6CB(skb)->flags |= IP6SKB_REROUTED;
+ return dst_output(skb);
+ }
+#endif
+
if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
dst_allfrag(skb_dst(skb)) ||
(IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] ipv6: do xfrm transform after nat if necessary
2014-11-03 4:53 [PATCH] ipv6: do xfrm transform after nat if necessary Duan Jiong
@ 2014-11-03 19:42 ` David Miller
2014-11-04 1:14 ` Duan Jiong
0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2014-11-03 19:42 UTC (permalink / raw)
To: duanj.fnst; +Cc: netdev
From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Date: Mon, 3 Nov 2014 12:53:03 +0800
>
>
> In function nf_nat_ipv6_out, after nat is done, nf_xfrm_me_harder()
> will be called to look up xfrm dst.
>
> Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
This is far from sufficient of a commit log message for a change that
is as serious and has as many implications as this one.
You haven't answered many questions, first of which in my mind is
why we are bypassing all of the fragmentation checks?
We're also bypassing ip6_finish_output2() which does multicast and
hooks up the neighbour.
IPV4 doesn't do this, why doesn't it have the same supposed problem
you are trying to solve?
It is not even clear to me what the problem is, because your commit
message is way too terse.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ipv6: do xfrm transform after nat if necessary
2014-11-03 19:42 ` David Miller
@ 2014-11-04 1:14 ` Duan Jiong
0 siblings, 0 replies; 3+ messages in thread
From: Duan Jiong @ 2014-11-04 1:14 UTC (permalink / raw)
To: David Miller; +Cc: netdev
On 11/04/2014 03:42 AM, David Miller wrote:
> From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
> Date: Mon, 3 Nov 2014 12:53:03 +0800
>
>>
>>
>> In function nf_nat_ipv6_out, after nat is done, nf_xfrm_me_harder()
>> will be called to look up xfrm dst.
>>
>> Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
>
> This is far from sufficient of a commit log message for a change that
> is as serious and has as many implications as this one.
>
> You haven't answered many questions, first of which in my mind is
> why we are bypassing all of the fragmentation checks?
>
> We're also bypassing ip6_finish_output2() which does multicast and
> hooks up the neighbour.
>
> IPV4 doesn't do this, why doesn't it have the same supposed problem
> you are trying to solve?
>
> It is not even clear to me what the problem is, because your commit
> message is way too terse.
>
Thank you for your advice, I would consider a more comprehensive
of the problem.
Thanks,
Duan
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-11-04 1:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-03 4:53 [PATCH] ipv6: do xfrm transform after nat if necessary Duan Jiong
2014-11-03 19:42 ` David Miller
2014-11-04 1:14 ` Duan Jiong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).