From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@redhat.com>
Cc: herbert@gondor.apana.org.au, netdev@oss.sgi.com,
netfilter-devel@lists.netfilter.org
Subject: [RFC, PATCH 2/5]: netfilter+ipsec - output hooks
Date: Thu, 18 Mar 2004 17:31:40 +0100 [thread overview]
Message-ID: <4059CEEC.7070009@trash.net> (raw)
In-Reply-To: <20040308115858.75cdddca.davem@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 295 bytes --]
This patch adds new output-hooks. Packets with dst->xfrm != NULL
traverse the POST_ROUTING hook before dst_output is called. The
transformers mark the packets in the control buffer with a new flag
IPSKB_XFRM_TRANSFORMED, these packets then traverse the LOCAL_OUT
hook when they hit ip_output.
[-- Attachment #2: 02-output-hooks.diff --]
[-- Type: text/x-patch, Size: 7045 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/03/18 14:59:24+01:00 kaber@trash.net
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# net/ipv4/xfrm4_tunnel.c
# 2004/03/18 14:59:14+01:00 kaber@trash.net +1 -0
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# net/ipv4/ipcomp.c
# 2004/03/18 14:59:14+01:00 kaber@trash.net +1 -0
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# net/ipv4/ip_output.c
# 2004/03/18 14:59:14+01:00 kaber@trash.net +20 -4
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# net/ipv4/ip_forward.c
# 2004/03/18 14:59:14+01:00 kaber@trash.net +2 -1
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# net/ipv4/esp4.c
# 2004/03/18 14:59:14+01:00 kaber@trash.net +1 -0
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# net/ipv4/ah4.c
# 2004/03/18 14:59:14+01:00 kaber@trash.net +1 -0
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# include/net/ip.h
# 2004/03/18 14:59:14+01:00 kaber@trash.net +1 -0
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
# include/linux/netfilter.h
# 2004/03/18 14:59:14+01:00 kaber@trash.net +9 -4
# [NETFILTER}: Pass packets to POST_ROUTING hook before encryption and LOCAL_OUT afterwards
#
diff -Nru a/include/linux/netfilter.h b/include/linux/netfilter.h
--- a/include/linux/netfilter.h Thu Mar 18 16:45:22 2004
+++ b/include/linux/netfilter.h Thu Mar 18 16:45:22 2004
@@ -119,12 +119,14 @@
/* This is gross, but inline doesn't cut it for avoiding the function
call in fast path: gcc doesn't inline (needs value tracking?). --RR */
#ifdef CONFIG_NETFILTER_DEBUG
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
- nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN)
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
+(!(cond) \
+ ? (okfn)(skb) \
+ : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))
#define NF_HOOK_THRESH nf_hook_slow
#else
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
-(list_empty(&nf_hooks[(pf)][(hook)]) \
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
+(!(cond) || list_empty(&nf_hooks[(pf)][(hook)]) \
? (okfn)(skb) \
: nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
@@ -132,6 +134,8 @@
? (okfn)(skb) \
: nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), (thresh)))
#endif
+#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+ NF_HOOK_COND((pf), (hook), (skb), (indev), (outdev), (okfn), 1)
int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
struct net_device *indev, struct net_device *outdev,
@@ -164,6 +168,7 @@
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#define NF_HOOK_COND NF_HOOK
#endif /*CONFIG_NETFILTER*/
#endif /*__KERNEL__*/
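Review bot: With CONFIG_NETFILTER disabled the added `#define NF_HOOK_COND NF_HOOK` does not build: every new call site (ip_output.c, ip_forward.c) invokes NF_HOOK_COND with seven arguments, and an object-like alias of the six-parameter stub NF_HOOK makes the preprocessor reject that invocation. The stub needs its own parameter list so the extra argument is accepted and dropped: `#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)`. As with the stub NF_HOOK, `cond` is then never evaluated, which is fine for the callers in this series because their condition (`skb->dst->xfrm != NULL`) has no side effects.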
diff -Nru a/include/net/ip.h b/include/net/ip.h
--- a/include/net/ip.h Thu Mar 18 16:45:22 2004
+++ b/include/net/ip.h Thu Mar 18 16:45:22 2004
@@ -48,6 +48,7 @@
#define IPSKB_TRANSLATED 2
#define IPSKB_FORWARDED 4
#define IPSKB_XFRM_TUNNEL_SIZE 8
+#define IPSKB_XFRM_TRANSFORMED 16
};
struct ipcm_cookie
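Review bot: IPSKB_XFRM_TRANSFORMED is the one IPSKB_ flag whose effect cannot be guessed from its name: per the patch description it is set by the xfrm output transforms and read by ip_output(), which then runs NF_IP_LOCAL_OUT a second time on the already-transformed packet. A one-line comment on the define would save the next reader a grep across ah4/esp4/ipcomp/xfrm4_tunnel, for example `/* set by xfrm output transforms; ip_output() re-runs NF_IP_LOCAL_OUT on the transformed packet */`. Nothing in this series clears the bit, so if it is meant to survive only until ip_output() consumes it, say so in the same comment.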
diff -Nru a/net/ipv4/ah4.c b/net/ipv4/ah4.c
--- a/net/ipv4/ah4.c Thu Mar 18 16:45:22 2004
+++ b/net/ipv4/ah4.c Thu Mar 18 16:45:22 2004
@@ -145,6 +145,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
return NET_XMIT_BYPASS;
error:
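Review bot: The identical one-line flag set is repeated in esp4.c, ipcomp.c and xfrm4_tunnel.c, each placed by hand after the dst_pop() failure check; a future transform type, or a missed site, would silently skip the second LOCAL_OUT/POST_ROUTING pass, which is a filtering bypass rather than a visible failure. If these output routines share a common caller (they are reached through dst->output, which is not visible here), setting the flag there once would remove the duplication; otherwise a comment at each site tying it to the contract would help, e.g. `/* every xfrm output path must set this so ip_output() re-runs LOCAL_OUT */`. The enclosing ah_output() starts and ends outside this hunk, so I cannot confirm no other success exit bypasses this line.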
diff -Nru a/net/ipv4/esp4.c b/net/ipv4/esp4.c
--- a/net/ipv4/esp4.c Thu Mar 18 16:45:22 2004
+++ b/net/ipv4/esp4.c Thu Mar 18 16:45:22 2004
@@ -199,6 +199,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
return NET_XMIT_BYPASS;
error:
diff -Nru a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
--- a/net/ipv4/ip_forward.c Thu Mar 18 16:45:22 2004
+++ b/net/ipv4/ip_forward.c Thu Mar 18 16:45:22 2004
@@ -51,7 +51,8 @@
if (unlikely(opt->optlen))
ip_forward_options(skb);
- return dst_output(skb);
+ return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output, skb->dst->xfrm != NULL);
}
int ip_forward(struct sk_buff *skb)
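Review bot: The expression added here, `NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev, dst_output, skb->dst->xfrm != NULL)`, is the body of the new static inline ip_dst_output() in ip_output.c, so the "run POST_ROUTING before the transforms" rule now lives in two places that must be kept in sync. Moving ip_dst_output() into include/net/ip.h next to the IPSKB_ flags and writing `return ip_dst_output(skb);` here would give the rule a single definition. ip_forward_finish() begins outside this hunk.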
diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c Thu Mar 18 16:45:22 2004
+++ b/net/ipv4/ip_output.c Thu Mar 18 16:45:22 2004
@@ -123,6 +123,12 @@
return ttl;
}
+static inline int ip_dst_output(struct sk_buff *skb)
+{
+ return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output, skb->dst->xfrm != NULL);
+}
+
/*
* Add an ip header to a skbuff and send it out.
*
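Review bot: ip_dst_output() is undocumented, and its role (deciding which packets get an early POST_ROUTING pass) is the crux of this series. I would add above it: `/* Packets that xfrm will transform see NF_IP_POST_ROUTING here, before encapsulation; after the transforms ip_output() runs LOCAL_OUT and POST_ROUTING again on the resulting packet. Untransformed packets skip this and reach POST_ROUTING on their normal path. */` The last sentence assumes the existing POST_ROUTING hook in ip_finish_output() is unchanged by this patch, which the visible hunks suggest but do not show.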
@@ -165,7 +171,7 @@
/* Send it out. */
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
}
static inline int ip_finish_output2(struct sk_buff *skb)
@@ -283,7 +289,7 @@
return ip_finish_output(skb);
}
-int ip_output(struct sk_buff *skb)
+static inline int ip_output2(struct sk_buff *skb)
{
IP_INC_STATS(IpOutRequests);
@@ -294,6 +300,16 @@
return ip_finish_output(skb);
}
+int ip_output(struct sk_buff *skb)
+{
+ int transformed = IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED;
+
+ if (transformed)
+ nf_reset(skb);
+ return NF_HOOK_COND(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ip_output2, transformed);
+}
+
int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
{
struct sock *sk = skb->sk;
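Review bot: The new ip_output() trusts IPCB(skb)->flags to decide whether to nf_reset() and re-run NF_IP_LOCAL_OUT, so any caller that reaches dst_output() with skb->cb not initialised as an IPCB (a tunnel device's xmit routine handing over an skb whose cb still holds another layer's data, for instance) could carry a stale bit 16 and get an unintended hook pass; please confirm every such path zeroes IPCB(skb)->flags, or clear the bit here once it has been consumed. nf_reset() comes from patch 1/5 and is not visible here; I assume it drops the conntrack reference so the encrypted packet is tracked as a new flow, and a comment saying so on the `if (transformed)` line would make the ordering (reset before the hook) self-explanatory. The `transformed` local holds the raw flag value rather than a boolean, which works but reads better as `!!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)`.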
@@ -387,7 +403,7 @@
skb->priority = sk->sk_priority;
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
no_route:
IP_INC_STATS(IpOutNoRoutes);
@@ -1177,7 +1193,7 @@
/* Netfilter gets whole the not fragmented skb. */
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip_dst_output);
if (err) {
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
diff -Nru a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
--- a/net/ipv4/ipcomp.c Thu Mar 18 16:45:22 2004
+++ b/net/ipv4/ipcomp.c Thu Mar 18 16:45:22 2004
@@ -231,6 +231,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
err = NET_XMIT_BYPASS;
out_exit:
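Review bot: ipcomp differs from the other three transforms in that the flag is set on the common exit path just before `out_exit:`, which, if ipcomp_output() has a pass-through exit for packets below the compression threshold that also reaches this point (the function starts outside the hunk, so I cannot confirm it), marks a transport-mode packet as transformed even though its bytes are unchanged; such a packet would then traverse LOCAL_OUT twice and lose its conntrack reference via nf_reset() in ip_output(). If that path exists, either set the flag only when the packet was actually compressed or encapsulated, or add a comment stating that the double pass is intended for uncompressed ipcomp packets too.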
diff -Nru a/net/ipv4/xfrm4_tunnel.c b/net/ipv4/xfrm4_tunnel.c
--- a/net/ipv4/xfrm4_tunnel.c Thu Mar 18 16:45:22 2004
+++ b/net/ipv4/xfrm4_tunnel.c Thu Mar 18 16:45:22 2004
@@ -76,6 +76,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
return NET_XMIT_BYPASS;
error_nolock: