* [PATCH 0/2] routing via nfmark in OUTPUT NFQUEUE
@ 2008-11-24 20:46 Eric Leblond
2008-11-24 20:46 ` [PATCH 1/2] netfilter: nfmark routing in OUTPUT, mangle, NFQUEUE Eric Leblond
2008-11-24 20:46 ` [PATCH 2/2] netfilter: nfmark IPV6 " Eric Leblond
From: Eric Leblond @ 2008-11-24 20:46 UTC
To: netfilter-devel
Hi,
This small patchset is a resend of work by Laurent Licour. It
adds a rerouting possibility if the mark has been changed in OUTPUT
via NFQUEUE. The first patch is the IPv4 version from Laurent Licour; the
second patch is a port to IPv6 I've done.
BR,
--
Eric Leblond <eric@inl.fr>
NuFW, Now User Filtering Works : http://www.nufw.org
* [PATCH 1/2] netfilter: nfmark routing in OUTPUT, mangle, NFQUEUE
2008-11-24 20:46 [PATCH 0/2] routing via nfmark in OUTPUT NFQUEUE Eric Leblond
@ 2008-11-24 20:46 ` Eric Leblond
2008-11-25 11:17 ` Patrick McHardy
2008-11-24 20:46 ` [PATCH 2/2] netfilter: nfmark IPV6 " Eric Leblond
From: Eric Leblond @ 2008-11-24 20:46 UTC
To: netfilter-devel; +Cc: Laurent Licour, Eric Leblond
From: Laurent Licour <laurent@licour.com>
This patch lets nfmark be evaluated for the routing decision for OUTPUT
packets, in the mangle table, when the packet is processed in NFQUEUE.
Until now, only changes (in NFQUEUE processing) to the fields src_addr,
dest_addr and tos could make netfilter reevaluate the routing.
Signed-off-by: Eric Leblond <eric@inl.fr>
---
net/ipv4/netfilter.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 6efdb70..3f2fc81 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -125,6 +125,7 @@ struct ip_rt_info {
__be32 daddr;
__be32 saddr;
u_int8_t tos;
+ __u32 mark;
};
static void nf_ip_saveroute(const struct sk_buff *skb,
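Review bot: the new mark field in struct ip_rt_info is declared as __u32 while the field just above it uses the u_int8_t spelling. The struct is defined in net/ipv4/netfilter.c itself, so "u_int32_t mark;" would match the surrounding declarations.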
@@ -138,6 +139,7 @@ static void nf_ip_saveroute(const struct sk_buff *skb,
rt_info->tos = iph->tos;
rt_info->daddr = iph->daddr;
rt_info->saddr = iph->saddr;
+ rt_info->mark = skb->mark;
}
}
@@ -150,6 +152,7 @@ static int nf_ip_reroute(struct sk_buff *skb,
const struct iphdr *iph = ip_hdr(skb);
if (!(iph->tos == rt_info->tos
+ && skb->mark == rt_info->mark
&& iph->daddr == rt_info->daddr
&& iph->saddr == rt_info->saddr))
return ip_route_me_harder(skb, RTN_UNSPEC);
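Review bot: adding "skb->mark == rt_info->mark" to the comparison in nf_ip_reroute() changes behaviour for existing setups, and the commit message should say so. A queue verdict that changes only the mark now reaches ip_route_me_harder(skb, RTN_UNSPEC), where before the saved-versus-current comparison ignored the mark; a host whose userspace queue handler already sets marks in OUTPUT and that has mark-based routing rules can see locally generated traffic take a different path once this is applied.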
--
1.5.6.3
* Re: [PATCH 1/2] netfilter: nfmark routing in OUTPUT, mangle, NFQUEUE
2008-11-24 20:46 ` [PATCH 1/2] netfilter: nfmark routing in OUTPUT, mangle, NFQUEUE Eric Leblond
@ 2008-11-25 11:17 ` Patrick McHardy
From: Patrick McHardy @ 2008-11-25 11:17 UTC
To: Eric Leblond; +Cc: netfilter-devel, Laurent Licour
Eric Leblond wrote:
> From: Laurent Licour <laurent@licour.com>
>
> This patch lets nfmark be evaluated for the routing decision for OUTPUT
> packets, in the mangle table, when the packet is processed in NFQUEUE.
> Until now, only changes (in NFQUEUE processing) to the fields src_addr,
> dest_addr and tos could make netfilter reevaluate the routing.
Applied, thanks.
> diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> index 6efdb70..3f2fc81 100644
> --- a/net/ipv4/netfilter.c
> +++ b/net/ipv4/netfilter.c
> @@ -125,6 +125,7 @@ struct ip_rt_info {
> __be32 daddr;
> __be32 saddr;
> u_int8_t tos;
> + __u32 mark;
I've changed this to u_int32_t for consistency. The double
underscore types are only needed in headers made available
to userspace or for the endian annotated types.
* [PATCH 2/2] netfilter: nfmark IPV6 routing in OUTPUT, mangle, NFQUEUE
2008-11-24 20:46 [PATCH 0/2] routing via nfmark in OUTPUT NFQUEUE Eric Leblond
2008-11-24 20:46 ` [PATCH 1/2] netfilter: nfmark routing in OUTPUT, mangle, NFQUEUE Eric Leblond
@ 2008-11-24 20:46 ` Eric Leblond
2008-11-25 11:18 ` Patrick McHardy
From: Eric Leblond @ 2008-11-24 20:46 UTC
To: netfilter-devel; +Cc: Eric Leblond
This patch lets nfmark be evaluated for the routing decision for OUTPUT
packets, in the mangle table, when the packet is processed in NFQUEUE. This
patch is an IPv6 port of Laurent Licour's IPv4 one.
Signed-off-by: Eric Leblond <eric@inl.fr>
---
net/ipv6/netfilter.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index fd5b3a4..af84a43 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -56,6 +56,7 @@ EXPORT_SYMBOL(ip6_route_me_harder);
struct ip6_rt_info {
struct in6_addr daddr;
struct in6_addr saddr;
+ __u32 mark;
};
static void nf_ip6_saveroute(const struct sk_buff *skb,
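Review bot: "__u32 mark;" in struct ip6_rt_info uses a double-underscore type in a struct that is defined in net/ipv6/netfilter.c itself. Declare it with the same type as the mark field in the IPv4 struct ip_rt_info so the two saved-route structs stay in step.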
@@ -68,6 +69,7 @@ static void nf_ip6_saveroute(const struct sk_buff *skb,
rt_info->daddr = iph->daddr;
rt_info->saddr = iph->saddr;
+ rt_info->mark = skb->mark;
}
}
@@ -79,7 +81,8 @@ static int nf_ip6_reroute(struct sk_buff *skb,
if (entry->hook == NF_INET_LOCAL_OUT) {
struct ipv6hdr *iph = ipv6_hdr(skb);
if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
- !ipv6_addr_equal(&iph->saddr, &rt_info->saddr))
+ !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
+ skb->mark != rt_info->mark)
return ip6_route_me_harder(skb);
}
return 0;
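Review bot: the added "skb->mark != rt_info->mark" test in nf_ip6_reroute() only helps if ip6_route_me_harder(skb) includes skb->mark in its route lookup, which this hunk does not show. Please confirm that it does; otherwise a mark-only change triggers a second lookup that returns the same route.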
--
1.5.6.3