* [PATCH 2/2] [IPSEC]: Reinject v6 packet on input instead of calling netfilter
From: jamal @ 2007-11-29 20:52 UTC (permalink / raw)
To: Herbert Xu; +Cc: David S. Miller, netdev, Patrick McHardy
2 of 2
cheers,
jamal
[-- Attachment #2: 0002-IPSEC-Reinject-v6-packet-on-input-instead-of-calling-netfilter.txt --]
* Re: [PATCH 2/2] [IPSEC]: Reinject v6 packet on input instead of calling netfilter
From: Patrick McHardy @ 2007-11-29 20:55 UTC (permalink / raw)
To: hadi; +Cc: Herbert Xu, David S. Miller, netdev
jamal wrote:
[ can't quote because non-inline attachment ]
I think Yoshifuji had some objections to this because extension
headers will be processed twice.
* Re: [PATCH 2/2] [IPSEC]: Reinject v6 packet on input instead of calling netfilter
From: jamal @ 2007-11-29 21:12 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Herbert Xu, David S. Miller, netdev
On Thu, 2007-29-11 at 21:55 +0100, Patrick McHardy wrote:
> jamal wrote:
>
> [ can't quote because non-inline attachment ]
Evolution seems to have whitespace issues every time I inlined the
attachment; and Dave has been able to tolerate me doing this so far.
I have just read it in
> I think Yoshifuji had some objections to this because extension
> headers will be processed twice.
Ah, I missed that part. Could you point to a specific portion?
I wouldn't mind just ipv4 going in - but that would be lacking
consistency. Is there anything that can be done to get the extension
headers to be processed only once?
cheers,
jamal
From 83d91d3c6f5df027a446b575af8dd4a3fdf90148 Mon Sep 17 00:00:00 2001
From: Jamal Hadi Salim <hadi@cyberus.ca>
Date: Thu, 29 Nov 2007 15:41:21 -0500
Subject: [PATCH 2/2] [IPSEC]: Reinject v6 packet on input instead of
calling netfilter
This is the ipv6 version.
Derived from an earlier down-trodden patch from Herbert.
We re-inject a decrypted ipsec packet back and let it bubble up the
network stack. This improves packet debuggability (since sniffers like
tcpdump can see the packet) and ingress tc filters can act on it.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
---
net/ipv6/xfrm6_input.c | 23 ++++++++++++++---------
1 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index e2c3efd..c741fba 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -33,19 +33,24 @@ int xfrm6_transport_finish(struct sk_buff *skb, int
async)
skb_network_header(skb)[IP6CB(skb)->nhoff] =
XFRM_MODE_SKB_CB(skb)->protocol;
-#ifdef CONFIG_NETFILTER
+ if (async)
+ return ip6_rcv_finish(skb);
+
ipv6_hdr(skb)->payload_len = htons(skb->len);
__skb_push(skb, skb->data - skb_network_header(skb));
- NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
- ip6_rcv_finish);
- return -1;
-#else
- if (async)
- return ip6_rcv_finish(skb);
+ dst_release(skb->dst);
+ skb->dst = NULL;
+ {
+ /* make some packet-sock user (eg tcpdump) happy */
+ const unsigned char *old_mac;
+ old_mac = skb_mac_header(skb);
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
- return 1;
-#endif
+ netif_rx(skb);
+ return 0;
}
int xfrm6_rcv(struct sk_buff *skb)
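Review bot: the new `if (async) return ip6_rcv_finish(skb);` at the top of the hunk changes the asynchronous completion path in a way the commit message does not mention. In the removed code, the CONFIG_NETFILTER branch passed every packet, async or not, through `NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, ...)`; after this change an async completion goes straight to `ip6_rcv_finish()` and skips both PRE_ROUTING and the `netif_rx()` reinjection, so packets decrypted by asynchronous crypto are seen by neither netfilter nor the sniffers and ingress tc filters the patch is meant to serve. If that asymmetry is intended (for example because the async completion is not in the right context to be reinjected), say so in the commit message; otherwise the async case should take the same reinject path as the synchronous one. Two smaller points on the reinjected path: `dst_release(skb->dst); skb->dst = NULL;` plus `netif_rx()` means the packet re-enters `ipv6_rcv()` with its original extension header chain still in front of the decapsulated payload, so the headers ahead of the ESP header are walked a second time, which is the double-processing concern raised in this thread and should be addressed or at least documented; and the `memmove()` that restores the MAC header relies on `skb->mac_len` being correct for the receiving device (it is a no-op when `mac_len` is 0), which is worth a comment next to the "make some packet-sock user happy" one.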
--
1.4.4.1.gaed4
* Re: [PATCH 2/2] [IPSEC]: Reinject v6 packet on input instead of calling netfilter
From: Patrick McHardy @ 2007-11-29 21:21 UTC (permalink / raw)
To: hadi; +Cc: Herbert Xu, David S. Miller, netdev
jamal wrote:
> On Thu, 2007-29-11 at 21:55 +0100, Patrick McHardy wrote:
>
>> jamal wrote:
>>
>> [ can't quote because non-inline attachment ]
>>
>
> Evolution seems to have whitespace issues everytime i inlined the
> attachment; and Dave has been able to tolerate me doing this so far.
> I have just read it in
>
It used to work fine for me as well; the Debian switch to icedove
broke it. Never mind, I'm sure it's going to get fixed some day :)
>
>> I think Yoshifuji had some objections to this because extension
>> headers will be processed twice.
>>
>
> ah, i missed that part. Could you point to a specific portion?
>
http://lists.openwall.net/netdev/2007/10/16/88
> I wouldnt mind just ipv4 going in - but that would be lacking
> consistency. Is there anything that can be done to get the extension
> headers to be processed only once?
>
I would prefer to keep things consistent between IPv4 and IPv6. Not
sure if anything could be done, perhaps we could keep the necessary
parts of the IP6CB and skip parsing up to the ESP nexthdr.
* Re: [PATCH 2/2] [IPSEC]: Reinject v6 packet on input instead of calling netfilter
From: jamal @ 2007-11-29 22:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Herbert Xu, David S. Miller, netdev
On Thu, 2007-29-11 at 22:21 +0100, Patrick McHardy wrote:
>
> http://lists.openwall.net/netdev/2007/10/16/88
> > I wouldnt mind just ipv4 going in - but that would be lacking
> > consistency. Is there anything that can be done to get the extension
> > headers to be processed only once?
> >
>
> I would prefer to keep things consistent between IPv4 and IPv6.
Makes sense.
> Not sure if anything could be done, perhaps we could keep the necessary
> parts of the IP6CB and skip parsing up to the ESP nexthdr.
I will compute in the background and talk to Yoshifuji (hopefully will
bump into him next week;->). Herbert, if you have any clever ideas
please shoot.
cheers,
jamal