* [PATCH -nf] Revert "netfilter: bridge: query conntrack about skb dnat"
@ 2015-05-20 11:42 Florian Westphal
2015-05-20 11:44 ` Florian Westphal
2015-05-21 11:26 ` Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Florian Westphal @ 2015-05-20 11:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This reverts commit c055d5b03bb4cb69d349d787c9787c0383abd8b2.
There are two issues:
'dnat_took_place' made me think that this is related to
-j DNAT/MASQUERADE.
But thats only one part of the story. This is also relevant for SNAT
when we undo snat translation in reverse/reply direction.
Furthermore, I originally wanted to do this mainly to avoid
storing ipv6 addresses once we make DNAT/REDIRECT work
for ipv6 on bridges.
However, I forgot about SNPT/DNPT which is stateless.
So we can't escape storing address for ipv6 anyway. Might as
well do it for ipv4 too.
Reported-and-tested-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/skbuff.h | 1 +
net/bridge/br_netfilter.c | 27 +++++++++------------------
2 files changed, 10 insertions(+), 18 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 66e374d..f15154a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -176,6 +176,7 @@ struct nf_bridge_info {
struct net_device *physindev;
struct net_device *physoutdev;
char neigh_header[8];
+ __be32 ipv4_daddr;
};
#endif
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index ab55e24..60ddfbe 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -37,10 +37,6 @@
#include <net/route.h>
#include <net/netfilter/br_netfilter.h>
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-#include <net/netfilter/nf_conntrack.h>
-#endif
-
#include <asm/uaccess.h>
#include "br_private.h"
#ifdef CONFIG_SYSCTL
@@ -350,24 +346,15 @@ free_skb:
return 0;
}
-static bool dnat_took_place(const struct sk_buff *skb)
+static bool daddr_was_changed(const struct sk_buff *skb,
+ const struct nf_bridge_info *nf_bridge)
{
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct;
-
- ct = nf_ct_get(skb, &ctinfo);
- if (!ct || nf_ct_is_untracked(ct))
- return false;
-
- return test_bit(IPS_DST_NAT_BIT, &ct->status);
-#else
- return false;
-#endif
+ return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
}
/* This requires some explaining. If DNAT has taken place,
* we will need to fix up the destination Ethernet address.
+ * This is also true when SNAT takes place (for the reply direction).
*
* There are two cases to consider:
* 1. The packet was DNAT'ed to a device in the same bridge
@@ -421,7 +408,7 @@ static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
nf_bridge->pkt_otherhost = false;
}
nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
- if (dnat_took_place(skb)) {
+ if (daddr_was_changed(skb, nf_bridge)) {
if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
struct in_device *in_dev = __in_dev_get_rcu(dev);
@@ -632,6 +619,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
+ struct nf_bridge_info *nf_bridge;
struct net_bridge_port *p;
struct net_bridge *br;
__u32 len = nf_bridge_encap_header_len(skb);
@@ -669,6 +657,9 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
if (!setup_pre_routing(skb))
return NF_DROP;
+ nf_bridge = nf_bridge_info_get(skb);
+ nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
+
skb->protocol = htons(ETH_P_IP);
NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->sk, skb,
--
2.0.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH -nf] Revert "netfilter: bridge: query conntrack about skb dnat"
2015-05-20 11:42 [PATCH -nf] Revert "netfilter: bridge: query conntrack about skb dnat" Florian Westphal
@ 2015-05-20 11:44 ` Florian Westphal
2015-05-21 11:26 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2015-05-20 11:44 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Florian Westphal <fw@strlen.de> wrote:
> This reverts commit c055d5b03bb4cb69d349d787c9787c0383abd8b2.
>
> There are two issues:
> 'dnat_took_place' made me think that this is related to
> -j DNAT/MASQUERADE.
I meant to write DNAT/REDIRECT :-(
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH -nf] Revert "netfilter: bridge: query conntrack about skb dnat"
2015-05-20 11:42 [PATCH -nf] Revert "netfilter: bridge: query conntrack about skb dnat" Florian Westphal
2015-05-20 11:44 ` Florian Westphal
@ 2015-05-21 11:26 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-21 11:26 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Wed, May 20, 2015 at 01:42:25PM +0200, Florian Westphal wrote:
> This reverts commit c055d5b03bb4cb69d349d787c9787c0383abd8b2.
>
> There are two issues:
> 'dnat_took_place' made me think that this is related to
> -j DNAT/MASQUERADE.
>
> But thats only one part of the story. This is also relevant for SNAT
> when we undo snat translation in reverse/reply direction.
>
> Furthermore, I originally wanted to do this mainly to avoid
> storing ipv6 addresses once we make DNAT/REDIRECT work
> for ipv6 on bridges.
>
> However, I forgot about SNPT/DNPT which is stateless.
>
> So we can't escape storing address for ipv6 anyway. Might as
> well do it for ipv4 too.
Applied this revert to nf, thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-05-21 11:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-05-20 11:42 [PATCH -nf] Revert "netfilter: bridge: query conntrack about skb dnat" Florian Westphal
2015-05-20 11:44 ` Florian Westphal
2015-05-21 11:26 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).