* Re[2]: [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark
@ 2011-12-01 11:05 Hans Schillstrom
2011-12-01 11:24 ` Patrick McHardy
0 siblings, 1 reply; 6+ messages in thread
From: Hans Schillstrom @ 2011-12-01 11:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: pablo, jengelh, netfilter-devel, netdev, hans.schillstrom
>On 12/01/2011 01:25 AM, Hans Schillstrom wrote:
>> On Wednesday, November 30, 2011 16:51:35 Patrick McHardy wrote:
>>> On 11/25/2011 10:36 AM, Hans Schillstrom wrote:
>>>> +
>>>> +hdr_new:
>>>> + /* Get header info */
>>>> + ip6 = (struct ipv6hdr *) (skb->data + nhoff);
>>>> + nexthdr = ip6->nexthdr;
>>>> + hdrlen = sizeof(struct ipv6hdr);
>>>> + hp = skb_header_pointer(skb, nhoff + hdrlen, sizeof(_hdr),&_hdr);
>>>> +
>>>> + while (nexthdr) {
>>>> + switch (nexthdr) {
>>>> + case IPPROTO_ICMPV6:
>>>> + /* ICMP Error then move ptr to inner header */
>>>> + if (get_inner6_hdr(skb,&nhoff, hdrlen)) {
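Review bot: the `while (nexthdr)` loop exits as soon as nexthdr is zero, but NEXTHDR_HOP (the hop-by-hop options header) has the value 0, so a packet carrying a hop-by-hop header never enters the loop and the walk stops at the outer IPv6 header; loop unconditionally and let the switch terminate on NEXTHDR_NONE or an unrecognised value instead. Also, `hp = skb_header_pointer(skb, nhoff + hdrlen, sizeof(_hdr), &_hdr);` is not checked for NULL before the loop is entered, so a packet shorter than one extension header should return XT_CONTINUE at that point.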
>>> This doesn't look right. You assume the ICMPv6 header is following
>>> the IPv6 header with any other headers in between. If there are
>>> other headers, hdrlen will contain the length of the last header.
>>
>> RFC-4443 "Every ICMPv6 message is preceded by an IPv6 header and zero or more IPv6 extension headers."
>> hdrlen is actually previous header length in bytes, to be correct.
>> nhoff is the sum of processed headers.
>> So in case of an icmp the nhoff will be updated, and hdrlen preset to ipv6hdr size
>
>Right, I missed that you're using nhoff + hdrlen in
>get_inner6_hdr().
>
>>>> + ip6hdrlvl++;
>>>> + if (!pskb_may_pull(skb, sizeof(_hdr) + nhoff))
>>>> + return XT_CONTINUE;
>>>> + goto hdr_new;
>>>> + }
>>>> + nhoff += hdrlen;
>>>> + goto hdr_rdy;
>>>> +
>>>> + case NEXTHDR_FRAGMENT:
>>>> + if (!ip6hdrlvl) /* Do not use ports if fragmented */
>>>> + frag = 1;
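Review bot: `ip6hdrlvl++` on the ICMPv6-error path has no upper bound, so an ICMPv6 error whose inner packet is itself an ICMPv6 error keeps taking `goto hdr_new` until `pskb_may_pull()` fails on the packet length; since RFC 4443 never produces more than one level of embedded packet, cap the nesting at one (e.g. `if (ip6hdrlvl) return XT_CONTINUE;` before the increment) so the walk is bounded by design rather than by skb length.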
>>> Shouldn't you also check for fragment offset == 0 here?
>> According to the RFC "Initialized to zero for transmission; ignored on reception"
>
>No, what I meant is that for the first fragment, you do
>have the upper layer header available. But as we already
>discussed for a stable identifier you want to ignore it
>anyways.
>
>>>> + case NEXTHDR_TCP:
>>>> + case NEXTHDR_UDP:
>>>> + case NEXTHDR_ESP:
>>>> + case NEXTHDR_AUTH:
>>> Don't you want to use the port numbers if only authentication
>>> without encryption is used?
>> with esp or ah the SPI will be used instead of ports.
>> Useful or not I don't know since they are asymmetric in terms of a flow.
>
>Yes, but with AH you could either use the ESP SPI or if no ESP
>is used the port numbers of the upper layer protocol.
>
The intention was to treat ESP & AH in the same way,
but as you say why not use the upper layer
>>> And final question, why not simply use ipv6_skip_exthdr()?
>> problems with fragments...
>
>So the problem is that it will return the transport layer protocol
>header for fragments with frag_off == 0? We also have ipv6_find_hdr()
>which we could modify to indicate this in the frag_off pointer.
ipv6_find_hdr() will do the trick with a light modification
What about a wrapper like:
int __ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
		    int target, unsigned short *fragoff, int *fragflg)
{
	...
	if (nexthdr == NEXTHDR_FRAGMENT) {
		unsigned short _frag_off;
		__be16 *fp;

		/* tell the caller a fragment header was seen */
		if (fragflg)
			*fragflg = 1;
		fp = skb_header_pointer(skb,
					start+offsetof(struct frag_hdr,
						       frag_off),
					sizeof(_frag_off),
					&_frag_off);
	...
}

int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
		  int target, unsigned short *fragoff)
{
	return __ipv6_find_hdr(skb, offset, target, fragoff, NULL);
}
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark
2011-12-01 11:05 Re[2]: [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark Hans Schillstrom
@ 2011-12-01 11:24 ` Patrick McHardy
2011-12-08 9:12 ` IPv6 defrag question ? Hans Schillstrom
0 siblings, 1 reply; 6+ messages in thread
From: Patrick McHardy @ 2011-12-01 11:24 UTC (permalink / raw)
To: Hans Schillstrom
Cc: pablo, jengelh, netfilter-devel, netdev, hans.schillstrom
On 12/01/2011 12:05 PM, Hans Schillstrom wrote:
>>>> And final question, why not simply use ipv6_skip_exthdr()?
>>> problems with fragments...
>> So the problem is that it will return the transport layer protocol
>> header for fragments with frag_off == 0? We also have ipv6_find_hdr()
>> which we could modify to indicate this in the frag_off pointer.
> ipv6_find_hdr() will do the trick with a light modification
> What about a wrapper like:
>
> int __ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
> 		    int target, unsigned short *fragoff, int *fragflg)
> {
> 	...
> 	if (nexthdr == NEXTHDR_FRAGMENT) {
> 		unsigned short _frag_off;
> 		__be16 *fp;
>
> 		/* tell the caller a fragment header was seen */
> 		if (fragflg)
> 			*fragflg = 1;
> 		fp = skb_header_pointer(skb,
> 					start+offsetof(struct frag_hdr,
> 						       frag_off),
> 					sizeof(_frag_off),
> 					&_frag_off);
>
> 	...
> }
>
> int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
> 		  int target, unsigned short *fragoff)
> {
> 	return __ipv6_find_hdr(skb, offset, target, fragoff, NULL);
> }
Hmm that would require to change all current callers. I was more
thinking of unconditionally setting *frag_off in case of
fragments, then you can initialize it to some impossible value
like 0xffff and determine the presence of a fragment header
based on its value after calling ipv6_find_hdr().
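As an added example, not code from the xt_hmark patch or from the kernel's ipv6_find_hdr(), the user-space C below models the extension-header walk that Hans's wrapper sketch and Patrick's reply above discuss: the walker stores the fragment offset unconditionally whenever a Fragment header is present, and the caller seeds the out-parameter with the impossible value 0xffff, so after the call it can tell "no fragment header" from "first fragment" (offset 0, transport header still readable) without a new function signature. AH is skipped so the upper-layer ports beneath it stay reachable, as suggested in the thread, while ESP is treated as the upper layer. The names (find_upper_hdr, walk, hash_input_for, struct hdr_info, FRAGOFF_NONE) and the three packets are constructed for this example; header length rules follow RFC 2460 (8-byte units for options and routing headers) and RFC 4302 (4-byte units for AH).

```c
/* Added example: user-space model of an ipv6_find_hdr()-style walk that
 * always reports the fragment offset, with a 0xffff sentinel for "absent".
 * Not kernel code; names and packets are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NEXTHDR_HOP       0   /* hop-by-hop options: note the value is 0 */
#define NEXTHDR_TCP       6
#define NEXTHDR_UDP      17
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_ESP      50
#define NEXTHDR_AUTH     51
#define NEXTHDR_DEST     60

#define IPV6_HDRLEN  40
#define FRAGOFF_NONE 0xffff   /* caller stores this before the walk */

/* Walk the extension headers of the IPv6 packet in buf[0..len).  Returns the
 * upper-layer protocol and stores its byte offset in *offset.  If a Fragment
 * header is seen, *fragoff is set unconditionally to the fragment offset in
 * bytes (0 for the first fragment); otherwise it is left untouched.
 * Returns -1 if the packet is truncated before the upper layer is reached. */
static int find_upper_hdr(const uint8_t *buf, size_t len,
                          unsigned int *offset, uint16_t *fragoff)
{
    unsigned int start = IPV6_HDRLEN;
    int nexthdr;

    if (len < IPV6_HDRLEN)
        return -1;
    nexthdr = buf[6];                     /* Next Header field of the IPv6 header */
    for (;;) {                            /* no "while (nexthdr)": 0 is a valid header */
        unsigned int hdrlen;
        switch (nexthdr) {
        case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_DEST:
            if (start + 2 > len) return -1;
            hdrlen = (buf[start + 1] + 1) * 8;   /* RFC 2460: 8-octet units, excl. first */
            break;
        case NEXTHDR_AUTH:
            if (start + 2 > len) return -1;
            hdrlen = (buf[start + 1] + 2) * 4;   /* RFC 4302: 4-octet units, minus 2 */
            break;
        case NEXTHDR_FRAGMENT:
            if (start + 8 > len) return -1;
            /* offset is the top 13 bits of the 16-bit field, already in bytes */
            *fragoff = (uint16_t)(((buf[start + 2] << 8) | buf[start + 3]) & 0xfff8);
            hdrlen = 8;
            break;
        default:                          /* TCP, UDP, ESP, ICMPv6, ...: upper layer */
            *offset = start;
            return nexthdr;
        }
        if (start + hdrlen > len) return -1;
        nexthdr = buf[start];             /* every extension header starts with Next Header */
        start += hdrlen;
    }
}

struct hdr_info { int proto; unsigned int offset; uint16_t fragoff; };

/* Caller side of the sentinel idea: seed fragoff with FRAGOFF_NONE. */
static struct hdr_info walk(const uint8_t *buf, size_t len)
{
    struct hdr_info h = { -1, 0, FRAGOFF_NONE };
    h.proto = find_upper_hdr(buf, len, &h.offset, &h.fragoff);
    return h;
}

/* Hash-input decision from the thread: for a value that is stable across all
 * fragments of a datagram, ports are used only when no Fragment header is
 * present at all (the first fragment could read them, but would then hash
 * differently from the rest).  1 = addresses+ports, 0 = addresses only, -1 = error. */
static int hash_input_for(const uint8_t *buf, size_t len)
{
    struct hdr_info h = walk(buf, len);
    if (h.proto < 0) return -1;
    if (h.fragoff != FRAGOFF_NONE) return 0;
    return (h.proto == NEXTHDR_TCP || h.proto == NEXTHDR_UDP) ? 1 : 0;
}

/* Constructed packets, 2008::10 -> 1000::1 (addresses as in the debug output). */
static const uint8_t pkt_udp[IPV6_HDRLEN + 8] = {     /* IPv6 + UDP, no extension headers */
    0x60, 0, 0, 0, 0, 8, NEXTHDR_UDP, 64, 0x20, 0x08, [23] = 0x10, [24] = 0x10, [39] = 0x01,
    [40] = 0x12, 0x34, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
static const uint8_t pkt_hbh_frag[76] = {              /* IPv6 + HBH + Fragment(off 0, M=1) + TCP */
    0x60, 0, 0, 0, 0, 36, NEXTHDR_HOP, 64, 0x20, 0x08, [23] = 0x10, [24] = 0x10, [39] = 0x01,
    [40] = NEXTHDR_FRAGMENT, 0, 1, 4, 0, 0, 0, 0,                 /* HBH, len 0, PadN */
    [48] = NEXTHDR_TCP, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef,     /* Fragment header */
    [56] = 0x1f, 0x90, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
static const uint8_t pkt_frag_tail[56] = {             /* IPv6 + Fragment(off 1408, M=0) + data */
    0x60, 0, 0, 0, 0, 16, NEXTHDR_FRAGMENT, 64, 0x20, 0x08, [23] = 0x10, [24] = 0x10, [39] = 0x01,
    [40] = NEXTHDR_UDP, 0, 0x05, 0x80, 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8 };

int main(void)
{
    struct hdr_info h = walk(pkt_hbh_frag, sizeof pkt_hbh_frag);
    printf("proto %d at offset %u, fragment header %s, hash input %d\n", h.proto, h.offset,
           h.fragoff == FRAGOFF_NONE ? "absent" : "present",
           hash_input_for(pkt_hbh_frag, sizeof pkt_hbh_frag));
    return 0;
}
```

The second packet is the case Patrick raises: its Fragment header has offset 0, so the walker still reaches the TCP header at offset 56 (ports readable), yet `fragoff == 0` rather than `FRAGOFF_NONE` tells the caller a fragment header was present and hash_input_for() falls back to addresses only, giving the same value for every fragment of the datagram. A truncated packet (for example only the first 40 bytes of the second packet) returns -1 instead of reading past the buffer, which is the user-space counterpart of the pskb_may_pull() checks in the patch.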
* IPv6 defrag question ?
2011-12-01 11:24 ` Patrick McHardy
@ 2011-12-08 9:12 ` Hans Schillstrom
2011-12-08 11:10 ` Patrick McHardy
2011-12-08 13:44 ` IPv4/IPv6 nf_defrag on/off ? Hans Schillstrom
0 siblings, 2 replies; 6+ messages in thread
From: Hans Schillstrom @ 2011-12-08 9:12 UTC (permalink / raw)
To: Patrick McHardy
Cc: Hans Schillstrom, pablo@netfilter.org, jengelh@medozas.de,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Hi
While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag?
From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400
and HMARK in PREROUTING with prio -150
I was expecting that the reassembled packet would reach HMARK not the fragments.
(Debug print from hmark)
HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1)
HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0 plen:86 (2008::10 - 1000::1)
IPv4 does reassemble the packets, IPv6 does not...
--
Regards
Hans Schillstrom <hans.schillstrom@ericsson.com>
* Re: IPv6 defrag question ?
2011-12-08 9:12 ` IPv6 defrag question ? Hans Schillstrom
@ 2011-12-08 11:10 ` Patrick McHardy
2011-12-08 13:29 ` Hans Schillstrom
2011-12-08 13:44 ` IPv4/IPv6 nf_defrag on/off ? Hans Schillstrom
1 sibling, 1 reply; 6+ messages in thread
From: Patrick McHardy @ 2011-12-08 11:10 UTC (permalink / raw)
To: Hans Schillstrom
Cc: Hans Schillstrom, pablo@netfilter.org, jengelh@medozas.de,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
On 12/08/2011 10:12 AM, Hans Schillstrom wrote:
> Hi
> While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ?
>
> From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400
> and HMARK in PREROUTING with prio -150
>
> I was expecting that the reassembled packet would reach HMARK not the fragments.
>
> (Debug print from hmark)
> HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1)
> HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0 plen:86 (2008::10 - 1000::1)
>
> IPv4 does reassemble the packets, IPv6 does not...
Yeah, IPv6 currently only passes the defragmented packet through conntrack,
then associates the conntrack information with the individual fragments and
passes those on. I'll post patches for IPv6 NAT which will change this
to behave similar to IPv4 soon.
* Re: IPv6 defrag question ?
2011-12-08 11:10 ` Patrick McHardy
@ 2011-12-08 13:29 ` Hans Schillstrom
0 siblings, 0 replies; 6+ messages in thread
From: Hans Schillstrom @ 2011-12-08 13:29 UTC (permalink / raw)
To: Patrick McHardy
Cc: Hans Schillstrom, pablo@netfilter.org, jengelh@medozas.de,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
On Thursday 08 December 2011 12:10:49 Patrick McHardy wrote:
> On 12/08/2011 10:12 AM, Hans Schillstrom wrote:
> > Hi
> > While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ?
> >
> > From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400
> > and HMARK in PREROUTING with prio -150
> >
> > I was expecting that the reassembled packet would reach HMARK not the fragments.
> >
> > (Debug print from hmark)
> > HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1)
> > HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0 plen:86 (2008::10 - 1000::1)
> >
> > IPv4 does reassemble the packets, IPv6 does not...
>
> Yeah, IPv6 currently only passes the defragmented packet through conntrack,
> then associates the conntrack information with the individual fragments and
> passes those on. I'll post patches for IPv6 NAT which will change this
> to behave similar to IPv4 soon.
>
OK great, current behaviour was kind of unexpected.
BTW this piece of code looks like it's broken
or I might have misunderstood this :-)
at least /* queued */ causes some confusion.
static unsigned int ipv6_defrag(unsigned int hooknum,
	...
	reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));
	/* queued */
	if (reasm == NULL)
		return NF_STOLEN;
NF_STOLEN will only be returned when nf_ct_frag6_reasm() returns an error.
(called by ct_frag6_gather)
--
Regards
Hans Schillstrom <hans.schillstrom@ericsson.com>
* IPv4/IPv6 nf_defrag on/off ?
2011-12-08 9:12 ` IPv6 defrag question ? Hans Schillstrom
2011-12-08 11:10 ` Patrick McHardy
@ 2011-12-08 13:44 ` Hans Schillstrom
1 sibling, 0 replies; 6+ messages in thread
From: Hans Schillstrom @ 2011-12-08 13:44 UTC (permalink / raw)
To: Patrick McHardy, pablo@netfilter.org, jengelh@medozas.de
Cc: Hans Schillstrom, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Hello
On Thursday 08 December 2011 10:12:11 Hans Schillstrom wrote:
> Hi
> While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ?
>
> From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400
> and HMARK in PREROUTING with prio -150
>
We are running the external interfaces in LXC containers
i.e. in a netns and depend on that no defragmentation is done in this stage.
Fragments can arrive on any interface on any blade so...
I had an idea of a sysctl to be able to turn off nf_defrag_ipv{4,6} per namespace
Default is of course on so existing apps will be happy.
Any objections to that idea?
--
Regards
Hans Schillstrom <hans.schillstrom@ericsson.com>