From: Krishna Kumar <krkumar2@in.ibm.com>
To: netfilter-devel@vger.kernel.org
Cc: svajipay@in.ibm.com, vivk@us.ibm.com,
Krishna Kumar <krkumar2@in.ibm.com>,
sri@us.ibm.com
Subject: [RFC] [PATCH 3/4] netfilter: Add support for failopen in nf_queue()
Date: Mon, 07 May 2012 11:34:11 +0530 [thread overview]
Message-ID: <20120507060411.19528.45006.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20120507060338.19528.29403.sendpatchset@localhost.localdomain>
Pass the FAILOPEN flag, add support for fail-open, and add support for
GSO skbs. If __nf_queue() returns >0 to indicate fail-open, we
call okfn() immediately and return 0 to the caller.
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
net/netfilter/core.c | 4 ++
net/netfilter/nf_internals.h | 3 +-
net/netfilter/nf_queue.c | 47 ++++++++++++++++++++++++---------
3 files changed, 40 insertions(+), 14 deletions(-)
diff -ruNp org/net/netfilter/core.c new/net/netfilter/core.c
--- org/net/netfilter/core.c 2012-05-07 09:20:53.828751916 +0530
+++ new/net/netfilter/core.c 2012-05-07 09:20:53.868813999 +0530
@@ -192,7 +192,9 @@ next_hook:
ret = -EPERM;
} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
int err = nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
- verdict >> NF_VERDICT_QBITS);
+ verdict >> NF_VERDICT_QBITS,
+ verdict & NF_VERDICT_FLAG_FAIL_OPEN);
+
if (err < 0) {
if (err == -ECANCELED)
goto next_hook;
diff -ruNp org/net/netfilter/nf_internals.h new/net/netfilter/nf_internals.h
--- org/net/netfilter/nf_internals.h 2012-05-07 09:20:53.827751461 +0530
+++ new/net/netfilter/nf_internals.h 2012-05-07 09:20:53.867814083 +0530
@@ -29,7 +29,8 @@ extern int nf_queue(struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
- unsigned int queuenum);
+ unsigned int queuenum,
+ int flags);
extern int __init netfilter_queue_init(void);
/* nf_log.c */
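Review bot: The new parameter is declared `int flags`, but the value core.c passes is `verdict & NF_VERDICT_FLAG_FAIL_OPEN`, a bit taken from an `unsigned int` verdict; declaring it `unsigned int flags` would match the verdict's type and make clear it is a bit mask rather than a signed count. The same `int flags` appears in the nf_queue.c hunks for `__nf_queue` and `nf_queue` and would change with it. The enclosing `nf_queue` declaration starts before this hunk.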
diff -ruNp org/net/netfilter/nf_queue.c new/net/netfilter/nf_queue.c
--- org/net/netfilter/nf_queue.c 2012-05-07 10:15:51.882590018 +0530
+++ new/net/netfilter/nf_queue.c 2012-05-07 09:20:53.866762950 +0530
@@ -123,7 +123,8 @@ static int __nf_queue(struct sk_buff *sk
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
- unsigned int queuenum)
+ unsigned int queuenum,
+ int flags)
{
int status = -ENOENT;
struct nf_queue_entry *entry = NULL;
@@ -185,11 +186,11 @@ static int __nf_queue(struct sk_buff *sk
#endif
skb_dst_force(skb);
afinfo->saveroute(skb, entry);
- status = qh->outfn(entry, queuenum, 0);
+ status = qh->outfn(entry, queuenum, flags);
rcu_read_unlock();
- if (status < 0) {
+ if (status) {
nf_queue_entry_release_refs(entry);
goto err;
}
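Review bot: Changing `status < 0` to `status` makes a positive return from `qh->outfn` a distinct third outcome, but nothing in `__nf_queue` records the handler contract, so a reader cannot tell that `>0` now means "queue full, fail-open" rather than "queued". Add a comment above the call, e.g. `/* outfn: 0 = queued, <0 = error, >0 = queue full and fail-open requested; the entry is released and the caller decides what happens to the skb */`. The `err` label this path jumps to is outside the hunk, so it is not visible here that it frees only the entry and not the skb — worth confirming, since on the >0 path the skb is handed to okfn() by the caller.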
@@ -230,15 +231,25 @@ int nf_queue(struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
- unsigned int queuenum)
+ unsigned int queuenum,
+ int flags)
{
struct sk_buff *segs;
int err = -EINVAL;
unsigned int queued;
- if (!skb_is_gso(skb))
- return __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
- queuenum);
+ if (!skb_is_gso(skb)) {
+ err = __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
+ queuenum, flags);
+ if (err > 0) {
+ /* Queue failed due to queue-full and handler
+ * returned >0 indicating fail-open - temporarily
+ * accept packets.
+ */
+ err = okfn(skb);
+ }
+ return err;
+ }
switch (pf) {
case NFPROTO_IPV4:
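Review bot: In the non-GSO fail-open branch `err = okfn(skb); return err;` propagates okfn's return value, which contradicts the description ("return 0 to caller") and the segmented path later in this function, which calls okfn() and then returns 0. okfn() takes over the skb whatever it returns, and the core.c caller treats any negative return other than -ECANCELED as a queueing failure (the rest of that error path is outside the core.c hunk, but it presumably still frees the skb there as before — verify), so a negative return from okfn would leave the skb released twice. Change the branch to `okfn(skb); return 0;`, ignoring okfn's result the same way the segmented path does at `okfn(segs)`. nf_queue continues past the end of this hunk.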
@@ -266,16 +277,28 @@ int nf_queue(struct sk_buff *skb,
if (err == 0) {
nf_bridge_adjust_segmented_data(segs);
err = __nf_queue(segs, elem, pf, hook, indev,
- outdev, okfn, queuenum);
+ outdev, okfn, queuenum, flags);
}
- if (err == 0)
+
+ if (err == 0) {
queued++;
- else
+ } else if (err > 0) {
+ /* Queue failed due to queue-full and handler
+ * returned >0 indicating fail-open - accept
+ * this and remaining segments.
+ */
+ okfn(segs);
+ } else {
+ /* Queue failed due to queue-full and handler
+ * returned <0 - free this and remaining skb
+ * segments.
+ */
kfree_skb(segs);
+ }
segs = nskb;
} while (segs);
- if (queued) {
+ if (queued || err > 0) {
kfree_skb(skb);
return 0;
}
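Review bot: The comment on the final `else` branch says the queue failed "due to queue-full and handler returned <0", but any negative error from `__nf_queue` reaches it — for instance the -ENOENT that `__nf_queue` initialises `status` with — and once `err` is negative the `if (err == 0)` guard above stops offering the remaining segments to the queue at all, so they are freed without an attempt. Reword it to `/* __nf_queue() failed with an error (not fail-open) - free this and the remaining segments. */`. The fail-open comment could likewise say the remaining segments are passed straight to okfn() without being offered to the queue, since the same guard stops calling `__nf_queue` once err > 0.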
@@ -325,7 +348,7 @@ void nf_reinject(struct nf_queue_entry *
case NF_QUEUE:
err = __nf_queue(skb, elem, entry->pf, entry->hook,
entry->indev, entry->outdev, entry->okfn,
- verdict >> NF_VERDICT_QBITS);
+ verdict >> NF_VERDICT_QBITS, 0);
if (err < 0) {
if (err == -ECANCELED)
goto next_hook;
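Review bot: The reinject path passes a literal `0` for the new `flags` argument, so if a reinjected NF_QUEUE verdict can carry NF_VERDICT_FLAG_FAIL_OPEN the flag is dropped silently here, and the `if (err < 0)` that follows would not act on a >0 return anyway. If that is intended, say so at the call: `/* no fail-open on reinject: a >0 return from __nf_queue() is not handled here */`; if not, the verdict's flag bit should be passed through as core.c does. nf_reinject continues beyond the hunk.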