From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 02/30] ipvs: Add hdr_flags to iphdr
Date: Tue, 22 Sep 2015 11:13:52 +0200 [thread overview]
Message-ID: <1442913260-3925-3-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1442913260-3925-1-git-send-email-pablo@netfilter.org>
From: Alex Gartrell <agartrell@fb.com>
These flags record information such as whether the addresses are
inverted or whether the header came from icmp. The first will allow us to drop an inverse param
all over the place, and the second will later be useful in scheduling icmp.
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
include/net/ip_vs.h | 43 ++++++++++++++++++++++++++++++++++---
net/netfilter/ipvs/ip_vs_core.c | 20 ++++++++---------
net/netfilter/ipvs/ip_vs_pe_sip.c | 2 +-
net/netfilter/xt_ipvs.c | 2 +-
4 files changed, 52 insertions(+), 15 deletions(-)
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 0c8309f..ac336a7 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -29,6 +29,9 @@
#endif
#include <net/net_namespace.h> /* Netw namespace */
+#define IP_VS_HDR_INVERSE 1
+#define IP_VS_HDR_ICMP 2
+
/* Generic access of ipvs struct */
static inline struct netns_ipvs *net_ipvs(struct net* net)
{
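Review bot: The two new IP_VS_HDR_* values carry no comment saying what each bit means, and the field that holds them in the next hunk (`int hdr_flags; /* ipvs flags */`) only restates its type. The patch description gives the meaning, so it should live next to the definitions: `#define IP_VS_HDR_INVERSE 1 /* addresses in the iphdr are inverted */` and `#define IP_VS_HDR_ICMP 2 /* header was taken from an ICMP-embedded packet */`, with the struct field commented as `/* IP_VS_HDR_* bits */`. Without that, a reader of ip_vs_iph_inverse() later in the header has to find this series' cover text to learn what "inverse" refers to.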
@@ -104,6 +107,7 @@ static inline struct net *seq_file_single_net(struct seq_file *seq)
extern int ip_vs_conn_tab_size;
struct ip_vs_iphdr {
+ int hdr_flags; /* ipvs flags */
__u32 off; /* Where IP or IPv4 header starts */
__u32 len; /* IPv4 simply where L4 starts
* IPv6 where L4 Transport Header starts */
@@ -127,9 +131,11 @@ static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,
*/
static inline int
ip_vs_fill_iph_skb_off(int af, const struct sk_buff *skb, int offset,
- struct ip_vs_iphdr *iphdr)
+ int hdr_flags, struct ip_vs_iphdr *iphdr)
{
+ iphdr->hdr_flags = hdr_flags;
iphdr->off = offset;
+
#ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) {
struct ipv6hdr _iph;
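Review bot: The new `hdr_flags` parameter of ip_vs_fill_iph_skb_off is not described in the comment block whose closing `*/` opens this hunk; both that block and the function body continue outside the hunk. Suggest adding a line there such as `@hdr_flags: IP_VS_HDR_* bits stored into iphdr->hdr_flags`. It is also worth stating in that comment that the flags (and `off`) are written before the header is parsed, so they are populated even when the function returns 0 — the IPv6 callers in ip_vs_core.c test the return value, so a partially filled iphdr on failure is observable to them.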
@@ -168,9 +174,40 @@ ip_vs_fill_iph_skb_off(int af, const struct sk_buff *skb, int offset,
}
static inline int
-ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr)
+ip_vs_fill_iph_skb_icmp(int af, const struct sk_buff *skb, int offset,
+ bool inverse, struct ip_vs_iphdr *iphdr)
+{
+ int hdr_flags = IP_VS_HDR_ICMP;
+
+ if (inverse)
+ hdr_flags |= IP_VS_HDR_INVERSE;
+
+ return ip_vs_fill_iph_skb_off(af, skb, offset, hdr_flags, iphdr);
+}
+
+static inline int
+ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, bool inverse,
+ struct ip_vs_iphdr *iphdr)
+{
+ int hdr_flags = 0;
+
+ if (inverse)
+ hdr_flags |= IP_VS_HDR_INVERSE;
+
+ return ip_vs_fill_iph_skb_off(af, skb, skb_network_offset(skb),
+ hdr_flags, iphdr);
+}
+
+static inline bool
+ip_vs_iph_inverse(const struct ip_vs_iphdr *iph)
+{
+ return !!(iph->hdr_flags & IP_VS_HDR_INVERSE);
+}
+
+static inline bool
+ip_vs_iph_icmp(const struct ip_vs_iphdr *iph)
{
- return ip_vs_fill_iph_skb_off(af, skb, skb_network_offset(skb), iphdr);
+ return !!(iph->hdr_flags & IP_VS_HDR_ICMP);
}
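Review bot: The `inverse` argument of the two new fill helpers appears at every call site as a bare `true`/`false` (see the ip_vs_core.c and xt_ipvs.c hunks), so a reader needs the prototype to tell what is being set, and the bool-to-flag translation is duplicated in both helpers; passing the flag value itself to ip_vs_fill_iph_skb (`IP_VS_HDR_INVERSE` or `0`) would be self-documenting, though that is a style choice. If the bool interface is kept, the four new functions should at least get one-line comments, e.g. `/* Fill @iphdr from the header at @offset and mark it as ICMP-embedded */` above ip_vs_fill_iph_skb_icmp and `/* true if the addresses in @iph are inverted */` above ip_vs_iph_inverse. The `!!` in the two predicates is redundant given the `bool` return type, though harmless.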
static inline void ip_vs_addr_copy(int af, union nf_inet_addr *dst,
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index b831fe8..4f5d3d1 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -934,7 +934,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
"Checking outgoing ICMP for");
- ip_vs_fill_iph_skb_off(AF_INET, skb, offset, &ciph);
+ ip_vs_fill_iph_skb_icmp(AF_INET, skb, offset, true, &ciph);
/* The embedded headers contain source and dest in reverse order */
cp = pp->conn_out_get(AF_INET, skb, &ciph, 1);
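Review bot: The return value of the new ip_vs_fill_iph_skb_icmp call is discarded here and again in the ip_vs_in_icmp hunk, whereas both IPv6 counterparts in this file test it and return NF_ACCEPT on failure. If the embedded IPv4 header has already been validated above the hunk (ip_vs_out_icmp's body starts outside it), a comment at the call such as `/* embedded IPv4 header already verified above; fill cannot fail */` would stop the asymmetry from reading as a missing check; otherwise the result should be tested the same way as on the IPv6 path.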
@@ -983,8 +983,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
ic->icmp6_type, ntohs(icmpv6_id(ic)),
&ipvsh->saddr, &ipvsh->daddr);
- if (!ip_vs_fill_iph_skb_off(AF_INET6, skb, ipvsh->len + sizeof(_icmph),
- &ciph))
+ if (!ip_vs_fill_iph_skb_icmp(AF_INET6, skb, ipvsh->len + sizeof(_icmph),
+ true, &ciph))
return NF_ACCEPT; /* The packet looks wrong, ignore */
pp = ip_vs_proto_get(ciph.protocol);
@@ -1177,7 +1177,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
if (!net_ipvs(net)->enable)
return NF_ACCEPT;
- ip_vs_fill_iph_skb(af, skb, &iph);
+ ip_vs_fill_iph_skb(af, skb, false, &iph);
#ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) {
if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
@@ -1212,7 +1212,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
ip_vs_defrag_user(hooknum)))
return NF_STOLEN;
- ip_vs_fill_iph_skb(AF_INET, skb, &iph);
+ ip_vs_fill_iph_skb(AF_INET, skb, false, &iph);
}
/*
@@ -1407,7 +1407,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
"Checking incoming ICMP for");
offset2 = offset;
- ip_vs_fill_iph_skb_off(AF_INET, skb, offset, &ciph);
+ ip_vs_fill_iph_skb_icmp(AF_INET, skb, offset, !ipip, &ciph);
offset = ciph.len;
/* The embedded headers contain source and dest in reverse order.
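Review bot: The inverse flag is derived from `!ipip` here, the only call site where it is not a constant, and nothing in the hunk explains why an ICMP error carrying an IPIP packet is not treated as inverted; ip_vs_in_icmp's body starts and ends outside the hunk. Presumably the inner header of the tunnelled packet keeps the original direction while a directly embedded header is reversed, as the comment just below the call says; a short comment on the call, e.g. `/* embedded header is reversed unless it is the inner header of an IPIP packet */`, would record that. The IPv6 path in the ip_vs_in_icmp_v6 hunk passes `true` unconditionally, which is consistent only if tunnelled packets are never reached there — worth confirming.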
@@ -1537,7 +1537,7 @@ static int ip_vs_in_icmp_v6(struct sk_buff *skb, int *related,
&iph->saddr, &iph->daddr);
offset = iph->len + sizeof(_icmph);
- if (!ip_vs_fill_iph_skb_off(AF_INET6, skb, offset, &ciph))
+ if (!ip_vs_fill_iph_skb_icmp(AF_INET6, skb, offset, true, &ciph))
return NF_ACCEPT;
net = skb_net(skb);
@@ -1614,7 +1614,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
if (unlikely((skb->pkt_type != PACKET_HOST &&
hooknum != NF_INET_LOCAL_OUT) ||
!skb_dst(skb))) {
- ip_vs_fill_iph_skb(af, skb, &iph);
+ ip_vs_fill_iph_skb(af, skb, false, &iph);
IP_VS_DBG_BUF(12, "packet type=%d proto=%d daddr=%s"
" ignored in hook %u\n",
skb->pkt_type, iph.protocol,
@@ -1627,7 +1627,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
return NF_ACCEPT;
- ip_vs_fill_iph_skb(af, skb, &iph);
+ ip_vs_fill_iph_skb(af, skb, false, &iph);
/* Bad... Do not break raw sockets */
if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
@@ -1841,7 +1841,7 @@ ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb,
struct netns_ipvs *ipvs;
struct ip_vs_iphdr iphdr;
- ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);
+ ip_vs_fill_iph_skb(AF_INET6, skb, false, &iphdr);
if (iphdr.protocol != IPPROTO_ICMPV6)
return NF_ACCEPT;
diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c
index bed5f70..1b8d594 100644
--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
@@ -70,7 +70,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb)
const char *dptr;
int retc;
- ip_vs_fill_iph_skb(p->af, skb, &iph);
+ ip_vs_fill_iph_skb(p->af, skb, false, &iph);
/* Only useful with UDP */
if (iph.protocol != IPPROTO_UDP)
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 8d47c37..3704625 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -67,7 +67,7 @@ ipvs_mt(const struct sk_buff *skb, struct xt_action_param *par)
goto out;
}
- ip_vs_fill_iph_skb(family, skb, &iph);
+ ip_vs_fill_iph_skb(family, skb, true, &iph);
if (data->bitmask & XT_IPVS_PROTO)
if ((iph.protocol == data->l4proto) ^
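Review bot: This is the only non-ICMP call site that passes `true` for inverse, and the hunk gives no reason for it; ipvs_mt's body continues outside the hunk. If the connection lookup further down the function is done in the inverse direction, a comment on this call, e.g. `/* the lookup below treats the addresses as inverted */`, would tie the two together and make the difference from the ip_vs_pe_sip.c caller (which passes `false`) deliberate rather than accidental.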
--
1.7.10.4