From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Abhishek Singh <abhishek@abhishekonline.info>,
netfilter-devel@vger.kernel.org
Subject: Re: TEE patch [was: ROUTE patch]
Date: Wed, 25 Feb 2009 11:19:18 +0100
Message-ID: <49A51B26.3050906@trash.net>
In-Reply-To: <alpine.LSU.2.00.0902251053270.20946@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> On Tuesday 2009-02-24 16:33, Patrick McHardy wrote:
>>> It cannot use dst_output because that would cause reentrancy into iptables.
>>> Want a patch, though?
>>>
>> I would like to have a look at the current patch, yes. Don't
>> bother fixing anything though, I mainly want to have a look
>> at the routing part.
>>
> netfilter: xtables: import xt_TEE target
>
Thanks. About dst_output and reentrancy - using IPSKB_REROUTED to
skip the netfilter hooks should work I guess.
A few suggestions:
> +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
> +# define WITH_CONNTRACK 1
> +# include <net/netfilter/nf_conntrack.h>
> +static struct nf_conn tee_track;
> +#endif
> +
> +#include <linux/netfilter/xt_TEE.h>
> +
> +static const union nf_inet_addr tee_zero_address;
>
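Review bot: the `static struct nf_conn tee_track;` declaration carries no comment saying what this object is for; the explanation only appears later inside `tee_tg_init`. A one-line comment at the declaration (a placeholder conntrack attached to mirrored clones so they are never tracked or NATed) would make the `#ifdef WITH_CONNTRACK` block self-explanatory to a reader of this file.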
ipv6_addr_any()?
> +static bool
> +tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
> +{
> + int err;
> + struct rtable *rt;
> + struct flowi fl;
> +
> + memset(&fl, 0, sizeof(fl));
> + fl.nl_u.ip4_u.daddr = info->gw.ip;
> + fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
>
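Review bot: the flow key is populated with `daddr` and `scope` only, so `fl.mark` stays zero after the `memset` and fwmark-based policy routing rules are never consulted when the mirrored copy is routed; if that is not intended, copy `skb->mark` into `fl.mark` next to the `fl.nl_u.ip4_u.daddr = info->gw.ip;` assignment.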
An index is probably useful when you want to mirror packets
somewhere outside of regular routing.
> +
> + /* Trying to route the packet using the standard routing table. */
> + err = ip_route_output_key(&init_net, &rt, &fl);
> + if (err != 0) {
> + if (net_ratelimit())
> + pr_debug(KBUILD_MODNAME
> + ": could not route packet (%d)", err);
> + return false;
> + }
> +
> +static int __init tee_tg_init(void)
> +{
> +#ifdef WITH_CONNTRACK
> + /*
> + * Set up fake conntrack (stolen from raw.patch):
> + * - to never be deleted, not in any hashes
> + */
> + atomic_set(&tee_track.ct_general.use, 1);
> +
> + /* - and look it like as a confirmed connection */
> + set_bit(IPS_CONFIRMED_BIT, &tee_track.status);
> +
> + /* Initialize fake conntrack so that NAT will skip it */
> + tee_track.status |= IPS_NAT_DONE_MASK;
> +#endif
> +
> + return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
> +}
> +
> +static void __exit tee_tg_exit(void)
> +{
> + xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
> + /* [SC]: shoud not we cleanup tee_track here? */
> +}
>
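Review bot: the format string in `pr_debug(KBUILD_MODNAME ": could not route packet (%d)", err);` has no trailing `\n`, so the message runs into the next log line; and wrapping it in `net_ratelimit()` is of little use, because `pr_debug` compiles to nothing unless DEBUG (or dynamic debug) is enabled while the ratelimit check is still evaluated on every failure. Either drop the `net_ratelimit()` guard or use a real printk level if the message is meant to be visible in production. Separately, the `/* [SC]: shoud not we cleanup tee_track here? */` comment in `tee_tg_exit` is an open question left in the source; it should be resolved (or replaced by a clear TODO describing the reference-count concern) before the patch is merged.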
This is not safe without waiting for the tee ct references. Using the
untracked conntrack would be nicer anyways, but would need a different
loop detection mechanism.