[PATCH 1/3] netfilter: af_info: add network namespace parameter to route hook

[PATCH 1/3] netfilter: af_info: add network namespace parameter to route hook

[Florian Westphal]

This is required to eventually replace the rt6_lookup call in xt_addrtype.c
with nf_afinfo->route().

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter.h              |    3 ++-
 net/ipv4/netfilter.c                   |    5 +++--
 net/ipv6/netfilter.c                   |    5 +++--
 net/netfilter/nf_conntrack_h323_main.c |   12 ++++++++----
 net/netfilter/xt_TCPMSS.c              |    2 +-
 5 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index eeec00a..20ed452 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -270,7 +270,8 @@ struct nf_afinfo {
 					    unsigned int dataoff,
 					    unsigned int len,
 					    u_int8_t protocol);
-	int		(*route)(struct dst_entry **dst, struct flowi *fl);
+	int		(*route)(struct net *net, struct dst_entry **dst,
+				 struct flowi *fl);
 	void		(*saveroute)(const struct sk_buff *skb,
 				     struct nf_queue_entry *entry);
 	int		(*reroute)(struct sk_buff *skb,
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 994a1f2..138e106 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -217,9 +217,10 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
 	return csum;
 }
 
-static int nf_ip_route(struct dst_entry **dst, struct flowi *fl)
+static int nf_ip_route(struct net *net, struct dst_entry **dst,
+		       struct flowi *fl)
 {
-	return ip_route_output_key(&init_net, (struct rtable **)dst, fl);
+	return ip_route_output_key(net, (struct rtable **)dst, fl);
 }
 
 static const struct nf_afinfo nf_ip_afinfo = {
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 35915e8..9e1b3e4 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -89,9 +89,10 @@ static int nf_ip6_reroute(struct sk_buff *skb,
 	return 0;
 }
 
-static int nf_ip6_route(struct dst_entry **dst, struct flowi *fl)
+static int nf_ip6_route(struct net *net, struct dst_entry **dst,
+			struct flowi *fl)
 {
-	*dst = ip6_route_output(&init_net, NULL, fl);
+	*dst = ip6_route_output(net, NULL, fl);
 	return (*dst)->error;
 }
 
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index b969025..31c1430 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -731,8 +731,10 @@ static int callforward_do_filter(const union nf_inet_addr *src,
 
 		fl1.fl4_dst = src->ip;
 		fl2.fl4_dst = dst->ip;
-		if (!afinfo->route((struct dst_entry **)&rt1, &fl1)) {
-			if (!afinfo->route((struct dst_entry **)&rt2, &fl2)) {
+		if (!afinfo->route(&init_net, (struct dst_entry **)&rt1,
+							&fl1)) {
+			if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
+							&fl2)) {
 				if (rt1->rt_gateway == rt2->rt_gateway &&
 				    rt1->dst.dev  == rt2->dst.dev)
 					ret = 1;
@@ -749,8 +751,10 @@ static int callforward_do_filter(const union nf_inet_addr *src,
 
 		memcpy(&fl1.fl6_dst, src, sizeof(fl1.fl6_dst));
 		memcpy(&fl2.fl6_dst, dst, sizeof(fl2.fl6_dst));
-		if (!afinfo->route((struct dst_entry **)&rt1, &fl1)) {
-			if (!afinfo->route((struct dst_entry **)&rt2, &fl2)) {
+		if (!afinfo->route(&init_net, (struct dst_entry **)&rt1,
+							&fl1)) {
+			if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
+							&fl2)) {
 				if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
 					    sizeof(rt1->rt6i_gateway)) &&
 				    rt1->dst.dev == rt2->dst.dev)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index eb81c38..285d8bd 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -161,7 +161,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
 	rcu_read_lock();
 	ai = nf_get_afinfo(family);
 	if (ai != NULL)
-		ai->route((struct dst_entry **)&rt, &fl);
+		ai->route(&init_net, (struct dst_entry **)&rt, &fl);
 	rcu_read_unlock();
 
 	if (rt != NULL) {
-- 
1.7.3.4

[PATCH 2/3] netfilter: af_info: add 'strict' parameter to limit lookup to .oif

[Florian Westphal]

ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
to an interface, but this flag cannot be set via struct flowi.

Also, it cannot be set via ip6_route_output: this function uses the
passed sock struct to determine if this flag is required
(by testing for nonzero sk_bound_dev_if).

Work around this by passing in an artificial struct sk in case
'strict' argument is true.

This is required to replace the rt6_lookup call in xt_addrtype.c with
nf_afinfo->route().

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Patrick,

 the change in nf_ip6_route() is very ugly, but I found no
 other way to set RT6_LOOKUP_F_IFACE.

 rt6_lookup() can't be used instead of ip6_route_output
 since it does not take a flowi argument...

 include/linux/netfilter.h              |    2 +-
 net/ipv4/netfilter.c                   |    2 +-
 net/ipv6/netfilter.c                   |   14 ++++++++++++--
 net/netfilter/nf_conntrack_h323_main.c |    8 ++++----
 net/netfilter/xt_TCPMSS.c              |    2 +-
 5 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 20ed452..7fa95df 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -271,7 +271,7 @@ struct nf_afinfo {
 					    unsigned int len,
 					    u_int8_t protocol);
 	int		(*route)(struct net *net, struct dst_entry **dst,
-				 struct flowi *fl);
+				 struct flowi *fl, bool strict);
 	void		(*saveroute)(const struct sk_buff *skb,
 				     struct nf_queue_entry *entry);
 	int		(*reroute)(struct sk_buff *skb,
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 138e106..87f20e8 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -218,7 +218,7 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
 }
 
 static int nf_ip_route(struct net *net, struct dst_entry **dst,
-		       struct flowi *fl)
+		       struct flowi *fl, bool strict __always_unused)
 {
 	return ip_route_output_key(net, (struct rtable **)dst, fl);
 }
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 9e1b3e4..f237d58 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -90,9 +90,19 @@ static int nf_ip6_reroute(struct sk_buff *skb,
 }
 
 static int nf_ip6_route(struct net *net, struct dst_entry **dst,
-			struct flowi *fl)
+			struct flowi *fl, bool strict)
 {
-	*dst = ip6_route_output(net, NULL, fl);
+	static const struct ipv6_pinfo fake_pinfo;
+	static const struct inet_sock fake_sk = {
+		/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
+		.sk.sk_bound_dev_if = 1,
+		.pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
+	};
+	struct sock *sk = NULL;
+
+	if (strict)
+		sk = (struct sock *) &fake_sk;
+	*dst = ip6_route_output(net, sk, fl);
 	return (*dst)->error;
 }
 
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 31c1430..1ef3ec9 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -732,9 +732,9 @@ static int callforward_do_filter(const union nf_inet_addr *src,
 		fl1.fl4_dst = src->ip;
 		fl2.fl4_dst = dst->ip;
 		if (!afinfo->route(&init_net, (struct dst_entry **)&rt1,
-							&fl1)) {
+							&fl1, false)) {
 			if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
-							&fl2)) {
+							&fl2, false)) {
 				if (rt1->rt_gateway == rt2->rt_gateway &&
 				    rt1->dst.dev  == rt2->dst.dev)
 					ret = 1;
@@ -752,9 +752,9 @@ static int callforward_do_filter(const union nf_inet_addr *src,
 		memcpy(&fl1.fl6_dst, src, sizeof(fl1.fl6_dst));
 		memcpy(&fl2.fl6_dst, dst, sizeof(fl2.fl6_dst));
 		if (!afinfo->route(&init_net, (struct dst_entry **)&rt1,
-							&fl1)) {
+							&fl1, false)) {
 			if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
-							&fl2)) {
+							&fl2, false)) {
 				if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
 					    sizeof(rt1->rt6i_gateway)) &&
 				    rt1->dst.dev == rt2->dst.dev)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 285d8bd..1a5d5ff 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -161,7 +161,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
 	rcu_read_lock();
 	ai = nf_get_afinfo(family);
 	if (ai != NULL)
-		ai->route(&init_net, (struct dst_entry **)&rt, &fl);
+		ai->route(&init_net, (struct dst_entry **)&rt, &fl, false);
 	rcu_read_unlock();
 
 	if (rt != NULL) {
-- 
1.7.3.4

[PATCH 3/3] netfilter: xt_addrtype: replace rt6_lookup with nf_afinfo->route

[Florian Westphal]

From: Florian Westphal <fwestphal@astaro.com>

This avoids pulling in the ipv6 module when using (ipv4-only) iptables -m addrtype.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Only tested very briefly with:
 [0:0] -A INPUT -m addrtype --src-type LOCAL
 [16:1552] -A INPUT -m addrtype --dst-type LOCAL
 [10:928] -A INPUT -m addrtype --dst-type LOCAL --limit-iface-in

 net/netfilter/Kconfig       |    1 -
 net/netfilter/xt_addrtype.c |   42 ++++++++++++++++++++++++++++--------------
 2 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index c3f988a..32bff6d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -652,7 +652,6 @@ comment "Xtables matches"
 config NETFILTER_XT_MATCH_ADDRTYPE
 	tristate '"addrtype" address type match support'
 	depends on NETFILTER_ADVANCED
-	depends on (IPV6 || IPV6=n)
 	---help---
 	  This option allows you to match what routing thinks of an address,
 	  eg. UNICAST, LOCAL, BROADCAST, ...
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 2220b85..44832a9 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -32,11 +32,32 @@ MODULE_ALIAS("ipt_addrtype");
 MODULE_ALIAS("ip6t_addrtype");
 
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-static u32 xt_addrtype_rt6_to_type(const struct rt6_info *rt)
+static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
+			    const struct in6_addr *addr)
 {
+	const struct nf_afinfo *afinfo;
+	struct flowi flow;
+	struct rt6_info *rt;
 	u32 ret;
+	int route_err;
 
-	if (!rt)
+	memset(&flow, 0, sizeof(flow));
+	ipv6_addr_copy(&flow.fl6_dst, addr);
+	if (dev)
+		flow.oif = dev->ifindex;
+
+	rcu_read_lock();
+
+	afinfo = nf_get_afinfo(NFPROTO_IPV6);
+	if (afinfo != NULL)
+		route_err = afinfo->route(net, (struct dst_entry **)&rt,
+							&flow, !!dev);
+	else
+		route_err = 1;
+
+	rcu_read_unlock();
+
+	if (route_err)
 		return XT_ADDRTYPE_UNREACHABLE;
 
 	if (rt->rt6i_flags & RTF_REJECT)
@@ -48,6 +69,9 @@ static u32 xt_addrtype_rt6_to_type(const struct rt6_info *rt)
 		ret |= XT_ADDRTYPE_LOCAL;
 	if (rt->rt6i_flags & RTF_ANYCAST)
 		ret |= XT_ADDRTYPE_ANYCAST;
+
+
+	dst_release(&rt->dst);
 	return ret;
 }
 
@@ -65,18 +89,8 @@ static bool match_type6(struct net *net, const struct net_device *dev,
 		return false;
 
 	if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST |
-	     XT_ADDRTYPE_UNREACHABLE) & mask) {
-		struct rt6_info *rt;
-		u32 type;
-		int ifindex = dev ? dev->ifindex : 0;
-
-		rt = rt6_lookup(net, addr, NULL, ifindex, !!dev);
-
-		type = xt_addrtype_rt6_to_type(rt);
-
-		dst_release(&rt->dst);
-		return !!(mask & type);
-	}
+	     XT_ADDRTYPE_UNREACHABLE) & mask)
+		return !!(mask & match_lookup_rt6(net, dev, addr));
 	return true;
 }
 
-- 
1.7.3.4

Re: [PATCH 2/3] netfilter: af_info: add 'strict' parameter to limit lookup to .oif

[Eric Dumazet]

Le lundi 21 mars 2011 à 23:25 +0100, Florian Westphal a écrit :
> ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
> to an interface, but this flag cannot be set via struct flowi.
> 
> Also, it cannot be set via ip6_route_output: this function uses the
> passed sock struct to determine if this flag is required
> (by testing for nonzero sk_bound_dev_if).
> 
> Work around this by passing in an artificial struct sk in case
> 'strict' argument is true.
> 
> This is required to replace the rt6_lookup call in xt_addrtype.c with
> nf_afinfo->route().
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  Patrick,
> 
>  the change in nf_ip6_route() is very ugly, but I found no
>  other way to set RT6_LOOKUP_F_IFACE.
> 
>  rt6_lookup() can't be used instead of ip6_route_output
>  since it does not take a flowi argument...
> 
>  include/linux/netfilter.h              |    2 +-
>  net/ipv4/netfilter.c                   |    2 +-
>  net/ipv6/netfilter.c                   |   14 ++++++++++++--
>  net/netfilter/nf_conntrack_h323_main.c |    8 ++++----
>  net/netfilter/xt_TCPMSS.c              |    2 +-
>  5 files changed, 19 insertions(+), 9 deletions(-)
> 
> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> index 20ed452..7fa95df 100644
> --- a/include/linux/netfilter.h
> +++ b/include/linux/netfilter.h
> @@ -271,7 +271,7 @@ struct nf_afinfo {
>  					    unsigned int len,
>  					    u_int8_t protocol);
>  	int		(*route)(struct net *net, struct dst_entry **dst,
> -				 struct flowi *fl);
> +				 struct flowi *fl, bool strict);
>  	void		(*saveroute)(const struct sk_buff *skb,
>  				     struct nf_queue_entry *entry);
>  	int		(*reroute)(struct sk_buff *skb,
> diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> index 138e106..87f20e8 100644
> --- a/net/ipv4/netfilter.c
> +++ b/net/ipv4/netfilter.c
> @@ -218,7 +218,7 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
>  }
>  
>  static int nf_ip_route(struct net *net, struct dst_entry **dst,
> -		       struct flowi *fl)
> +		       struct flowi *fl, bool strict __always_unused)
>  {
>  	return ip_route_output_key(net, (struct rtable **)dst, fl);
>  }
> diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
> index 9e1b3e4..f237d58 100644
> --- a/net/ipv6/netfilter.c
> +++ b/net/ipv6/netfilter.c
> @@ -90,9 +90,19 @@ static int nf_ip6_reroute(struct sk_buff *skb,
>  }
>  
>  static int nf_ip6_route(struct net *net, struct dst_entry **dst,
> -			struct flowi *fl)
> +			struct flowi *fl, bool strict)
>  {
> -	*dst = ip6_route_output(net, NULL, fl);
> +	static const struct ipv6_pinfo fake_pinfo;
> +	static const struct inet_sock fake_sk = {
> +		/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
> +		.sk.sk_bound_dev_if = 1,
> +		.pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
> +	};
> +	struct sock *sk = NULL;
> +
> +	if (strict)
> +		sk = (struct sock *) &fake_sk;
> +	*dst = ip6_route_output(net, sk, fl);
>  	return (*dst)->error;
>  }
>  

Wow... I can tell you David will not accept this...

This is about 800 bytes on stack, initted, so quite a huge cost for this
function.



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/3] netfilter: af_info: add 'strict' parameter to limit lookup to .oif

[Eric Dumazet]

Le lundi 21 mars 2011 à 23:39 +0100, Eric Dumazet a écrit :
> Le lundi 21 mars 2011 à 23:25 +0100, Florian Westphal a écrit :
> > ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
> > to an interface, but this flag cannot be set via struct flowi.
> > 
> > Also, it cannot be set via ip6_route_output: this function uses the
> > passed sock struct to determine if this flag is required
> > (by testing for nonzero sk_bound_dev_if).
> > 
> > Work around this by passing in an artificial struct sk in case
> > 'strict' argument is true.
> > 
> > This is required to replace the rt6_lookup call in xt_addrtype.c with
> > nf_afinfo->route().
> > 
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> >  Patrick,
> > 
> >  the change in nf_ip6_route() is very ugly, but I found no
> >  other way to set RT6_LOOKUP_F_IFACE.
> > 
> >  rt6_lookup() can't be used instead of ip6_route_output
> >  since it does not take a flowi argument...
> > 
> >  include/linux/netfilter.h              |    2 +-
> >  net/ipv4/netfilter.c                   |    2 +-
> >  net/ipv6/netfilter.c                   |   14 ++++++++++++--
> >  net/netfilter/nf_conntrack_h323_main.c |    8 ++++----
> >  net/netfilter/xt_TCPMSS.c              |    2 +-
> >  5 files changed, 19 insertions(+), 9 deletions(-)
> > 
> > diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> > index 20ed452..7fa95df 100644
> > --- a/include/linux/netfilter.h
> > +++ b/include/linux/netfilter.h
> > @@ -271,7 +271,7 @@ struct nf_afinfo {
> >  					    unsigned int len,
> >  					    u_int8_t protocol);
> >  	int		(*route)(struct net *net, struct dst_entry **dst,
> > -				 struct flowi *fl);
> > +				 struct flowi *fl, bool strict);
> >  	void		(*saveroute)(const struct sk_buff *skb,
> >  				     struct nf_queue_entry *entry);
> >  	int		(*reroute)(struct sk_buff *skb,
> > diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> > index 138e106..87f20e8 100644
> > --- a/net/ipv4/netfilter.c
> > +++ b/net/ipv4/netfilter.c
> > @@ -218,7 +218,7 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
> >  }
> >  
> >  static int nf_ip_route(struct net *net, struct dst_entry **dst,
> > -		       struct flowi *fl)
> > +		       struct flowi *fl, bool strict __always_unused)
> >  {
> >  	return ip_route_output_key(net, (struct rtable **)dst, fl);
> >  }
> > diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
> > index 9e1b3e4..f237d58 100644
> > --- a/net/ipv6/netfilter.c
> > +++ b/net/ipv6/netfilter.c
> > @@ -90,9 +90,19 @@ static int nf_ip6_reroute(struct sk_buff *skb,
> >  }
> >  
> >  static int nf_ip6_route(struct net *net, struct dst_entry **dst,
> > -			struct flowi *fl)
> > +			struct flowi *fl, bool strict)
> >  {
> > -	*dst = ip6_route_output(net, NULL, fl);
> > +	static const struct ipv6_pinfo fake_pinfo;
> > +	static const struct inet_sock fake_sk = {
> > +		/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
> > +		.sk.sk_bound_dev_if = 1,
> > +		.pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
> > +	};
> > +	struct sock *sk = NULL;
> > +
> > +	if (strict)
> > +		sk = (struct sock *) &fake_sk;
> > +	*dst = ip6_route_output(net, sk, fl);
> >  	return (*dst)->error;
> >  }
> >  
> 
> Wow... I can tell you David will not accept this...
> 
> This is about 800 bytes on stack, initted, so quite a huge cost for this
> function.
> 

Ah sorry, I missed the "static const". Maybe I should just sleep now ;)



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/3] netfilter: af_info: add 'strict' parameter to limit lookup to .oif

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 21 Mar 2011 23:42:59 +0100

> Ah sorry, I missed the "static const". Maybe I should just sleep now ;)

Well, I would really prefer if ip6_route_output() and friends mark
their 'sk' argument as 'const'.

Otherwise someone is going to read this code and be really concerned
that "sk" really might be modified in some way by this code path,
thus making parallel access to this static const 'sk' illegal.

Re: [PATCH 2/3] netfilter: af_info: add 'strict' parameter to limit lookup to .oif

[Florian Westphal]

David Miller <davem@davemloft.net> wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Mon, 21 Mar 2011 23:42:59 +0100
> 
> > Ah sorry, I missed the "static const". Maybe I should just sleep now ;)
> 
> Well, I would really prefer if ip6_route_output() and friends mark
> their 'sk' argument as 'const'.
> 
> Otherwise someone is going to read this code and be really concerned
> that "sk" really might be modified in some way by this code path,
> thus making parallel access to this static const 'sk' illegal.

good point.
Its just a two-line change, so I guess its okay if I make this
change in this patch, too.

If you object and think it should be a new patch, please let me
know.

Re: [PATCH 2/3] netfilter: af_info: add 'strict' parameter to limit lookup to .oif

[David Miller]

From: Florian Westphal <fw@strlen.de>
Date: Tue, 22 Mar 2011 22:26:39 +0100

> David Miller <davem@davemloft.net> wrote:
>> From: Eric Dumazet <eric.dumazet@gmail.com>
>> Date: Mon, 21 Mar 2011 23:42:59 +0100
>> 
>> > Ah sorry, I missed the "static const". Maybe I should just sleep now ;)
>> 
>> Well, I would really prefer if ip6_route_output() and friends mark
>> their 'sk' argument as 'const'.
>> 
>> Otherwise someone is going to read this code and be really concerned
>> that "sk" really might be modified in some way by this code path,
>> thus making parallel access to this static const 'sk' illegal.
> 
> good point.
> Its just a two-line change, so I guess its okay if I make this
> change in this patch, too.
> 
> If you object and think it should be a new patch, please let me
> know.

Please make the ipv6 route interface change seperate, thanks.