From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 48/51] netfilter: implement RFC3168 5.3 (ecn protection) for ipv6 fragmentation handling
Date: Sat,  6 Apr 2013 14:17:47 +0200	[thread overview]
Message-ID: <1365250670-14993-49-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1365250670-14993-1-git-send-email-pablo@netfilter.org>

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

This change brings netfilter reassembly logic on par with
reassembly.c. The corresponding change in net-next is
(eec2e61 ipv6: implement RFC3168 5.3 (ecn protection) for
ipv6 fragmentation handling)

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jesper Dangaard Brouer <jbrouer@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c |   22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 6700069..dffdc1a 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -41,6 +41,7 @@
 #include <net/rawv6.h>
 #include <net/ndisc.h>
 #include <net/addrconf.h>
+#include <net/inet_ecn.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 #include <linux/sysctl.h>
 #include <linux/netfilter.h>
@@ -138,6 +139,11 @@ static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
 }
 #endif
 
+static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
+{
+	return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
+}
+
 static unsigned int nf_hashfn(struct inet_frag_queue *q)
 {
 	const struct frag_queue *nq;
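Review bot: ip6_frag_ecn returns a one-bit mask selecting the fragment's ECN codepoint (1, 2, 4 or 8), not the codepoint value itself, and nothing at the definition says so; a reader is likely to expect the two-bit codepoint. I would add above the function `/* One-hot bit per ECN codepoint: ORed per fragment into fq->ecn and later used as the index into ip_frag_ecn_table. */`. If reassembly.c carries an identical helper after eec2e61, as the description implies, it would be worth hoisting it into a shared header rather than keeping two copies that must stay in step.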
@@ -166,7 +172,7 @@ static void nf_ct_frag6_expire(unsigned long data)
 /* Creation primitives. */
 static inline struct frag_queue *fq_find(struct net *net, __be32 id,
 					 u32 user, struct in6_addr *src,
-					 struct in6_addr *dst)
+					 struct in6_addr *dst, u8 ecn)
 {
 	struct inet_frag_queue *q;
 	struct ip6_create_arg arg;
@@ -176,6 +182,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
 	arg.user = user;
 	arg.src = src;
 	arg.dst = dst;
+	arg.ecn = ecn;
 
 	read_lock_bh(&nf_frags.lock);
 	hash = inet6_hash_frag(id, src, dst, nf_frags.rnd);
@@ -196,6 +203,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 	struct sk_buff *prev, *next;
 	unsigned int payload_len;
 	int offset, end;
+	u8 ecn;
 
 	if (fq->q.last_in & INET_FRAG_COMPLETE) {
 		pr_debug("Already completed\n");
@@ -213,6 +221,8 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 		return -1;
 	}
 
+	ecn = ip6_frag_ecn(ipv6_hdr(skb));
+
 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
 		const unsigned char *nh = skb_network_header(skb);
 		skb->csum = csum_sub(skb->csum,
@@ -317,6 +327,7 @@ found:
 	}
 	fq->q.stamp = skb->tstamp;
 	fq->q.meat += skb->len;
+	fq->ecn |= ecn;
 	if (payload_len > fq->q.max_size)
 		fq->q.max_size = payload_len;
 	add_frag_mem_limit(&fq->q, skb->truesize);
@@ -352,12 +363,17 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
 {
 	struct sk_buff *fp, *op, *head = fq->q.fragments;
 	int    payload_len;
+	u8 ecn;
 
 	inet_frag_kill(&fq->q, &nf_frags);
 
 	WARN_ON(head == NULL);
 	WARN_ON(NFCT_FRAG6_CB(head)->offset != 0);
 
+	ecn = ip_frag_ecn_table[fq->ecn];
+	if (unlikely(ecn == 0xff))
+		goto out_fail;
+
 	/* Unfragmented part is taken from the first segment. */
 	payload_len = ((head->data - skb_network_header(head)) -
 		       sizeof(struct ipv6hdr) + fq->q.len -
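Review bot: The new `goto out_fail` on an inconsistent ECN set drops the whole reassembly queue without any trace, while the function's other failure paths (the out_oversize/out_oom labels, which lie outside this hunk, as I recall them) emit a ratelimited debug message; a silent drop caused by an ECN-mangling middlebox is hard to diagnose from the outside. I would add `pr_debug("nf_ct_frag6_reasm: inconsistent ECN codepoints across fragments\n");` immediately before the goto. The table index itself looks safe: fq->ecn is only ever ORed with the one-hot values from ip6_frag_ecn, so it stays below 16, which I take to be the size of ip_frag_ecn_table. nf_ct_frag6_reasm's signature and its out_fail label are outside the hunk.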
@@ -428,6 +444,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
 	head->dev = dev;
 	head->tstamp = fq->q.stamp;
 	ipv6_hdr(head)->payload_len = htons(payload_len);
+	ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
 	IP6CB(head)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
 
 	/* Yes, and fold redundant checksum back. 8) */
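Review bot: `ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn)` is easy to misread as "replace the ECN field": with a 0xff mask the helper keeps every existing traffic-class bit of the head and ORs `ecn` in (as I read dsfield.h), so the result is only correct because ip_frag_ecn_table has already rejected contradictory ECT(0)/ECT(1) combinations and the OR cannot produce a codepoint no fragment carried. A comment would spare the next reader the lookup: `/* 0xff mask keeps head's DSCP bits; ecn is ORed in, the table guarantees it agrees with head's own ECN bits */`. The enclosing function starts and ends outside this hunk.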
@@ -572,7 +589,8 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
 	inet_frag_evictor(&net->nf_frag.frags, &nf_frags, false);
 	local_bh_enable();
 
-	fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr);
+	fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
+		     ip6_frag_ecn(hdr));
 	if (fq == NULL) {
 		pr_debug("Can't find and can't create new queue\n");
 		goto ret_orig;
-- 
1.7.10.4
