[PATCH 00/13] TProxy IPv6 support 2nd round

[PATCH 00/13] TProxy IPv6 support 2nd round

[Balazs Scheidler]

Hi,

This is the 2nd version of TProxy and by this time it is complete with UDP
and ICMP support. For those credits go to Harry Mason from Smoothwall.

Now I consider this patch complete, testers, reviews comments are very
welcome.  

If no blockers show up, please consider this a merge request.

I only know of one issue and I hope it does not block merging at this time:
the socket and TPROXY modules both depend on both IPv4 and IPv6 stacks, thus
pulling in the other even if only one of the stacks are in use.  Of course
if IPv6 is not configured into the kernel no such dependency is present.

I've tested the functionality of this patch-set with an automatic test
program that runs a large number of tests and covers most of the TProxy
functionality.  You can find this program at:

git://git.balabit.hu/bazsi/tproxy-test.git/

I would appreciate if someone with more intimate IPv6 knowledge would review
this code, especially:
  * IPv6 ICMP packet parsing
  * the way the default local IP address is found 
    (especially returning a pointer pointing to &inet6_ifaddr->addr outside RCU section)

This patchset is based on an older tree of Linus, I don't expect any
problems with net-next, but please let me know if I have to rebase/retest. 

The userspace portion of the tproxy functionality comes in a followup
patch-set.

In addition to IPv6 support there are 3 patches in this series:
  1) a fix for properly handling TIME_WAIT connections
  2) a fix for the default value of --on-ip
  3) and an optional change in ipv6_pinfo structure

While the last is completely independent of TProxy and is optional, the 
first two are quite important fixes. Although they are independent of this 
submission, they are the  first and last patches of the series, so they can 
be reviewed independently :)

And again, please apply.

Balazs Scheidler (13):
  TProxy: kick out TIME_WAIT sockets in case a new connection comes in
    with the same tuple
  TProxy: add lookup type checks for UDP in nf_tproxy_get_sock_v4()
  TProxy: move dst_cookie to the first cacheline in ipv6_pinfo
  TProxy: split off ipv6 defragmentation to a separate module
  TProxy: added const specifiers to udp lookup functions
  TProxy: added udp6_lib_lookup function
  TProxy: implement IPv6 "local" routing type
  TProxy: added tproxy sockopt interface in the IPV6 layer
  TProxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is
    enabled
  TProxy: added IPv6 socket lookup function to nf_tproxy_core
  TProxy: added IPv6 support to the TPROXY target
  TProxy: added IPv6 support to the socket match
  TProxy: use the interface primary IP address as a default value for
    --on-ip

 include/linux/in6.h                            |    5 +
 include/linux/ipv6.h                           |    7 +-
 include/linux/netfilter/xt_TPROXY.h            |   15 +-
 include/net/netfilter/ipv6/nf_defrag_ipv6.h    |    6 +
 include/net/netfilter/nf_tproxy_core.h         |  192 +++++++++++++++-
 include/net/udp.h                              |    3 +
 net/ipv6/af_inet6.c                            |    2 +-
 net/ipv6/datagram.c                            |   19 ++
 net/ipv6/ipv6_sockglue.c                       |   22 ++
 net/ipv6/netfilter/Makefile                    |    5 +-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   58 +-----
 net/ipv6/netfilter/nf_conntrack_reasm.c        |   12 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c      |  109 +++++++++
 net/ipv6/route.c                               |    6 +-
 net/ipv6/udp.c                                 |   16 +-
 net/netfilter/nf_tproxy_core.c                 |   35 ---
 net/netfilter/xt_TPROXY.c                      |  290 ++++++++++++++++++++++--
 net/netfilter/xt_socket.c                      |  154 ++++++++++++-
 18 files changed, 815 insertions(+), 141 deletions(-)
 create mode 100644 include/net/netfilter/ipv6/nf_defrag_ipv6.h
 create mode 100644 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c

Re: [PATCH 00/13] TProxy IPv6 support 2nd round

[Harald Welte]

Dear Balazs,

as you might have read from other mails (and by the long period of silence),
Patrick McHardy is currently unavailable to perform his usual maintainer
role.

I personally am too much out of touch with recent developments in
netfitler-land to be able to confidently review your patches...  

So unless somebody else from the team (Jozsef?, Pablo?) feels confident in
ACKing your patchset, I will have to ask for your patience until Patrick is
back and can do it by himself.

Regards,
	Harald

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

Re: [PATCH 00/13] TProxy IPv6 support 2nd round

[Balazs Scheidler]

On Sun, 2009-10-25 at 11:16 +0100, Harald Welte wrote:
> Dear Balazs,
> 
> as you might have read from other mails (and by the long period of silence),
> Patrick McHardy is currently unavailable to perform his usual maintainer
> role.
> 
> I personally am too much out of touch with recent developments in
> netfitler-land to be able to confidently review your patches...  
> 
> So unless somebody else from the team (Jozsef?, Pablo?) feels confident in
> ACKing your patchset, I will have to ask for your patience until Patrick is
> back and can do it by himself.

Thanks for letting me know, hopefully Patrick gets better soon. I've
planned another round of the TProxy patches as I got some comments at
the previous round I'm yet to address.

So no need to hurry.

-- 
Bazsi

Re: [PATCH 00/13] TProxy IPv6 support 2nd round

[Amos Jeffries]

Balazs Scheidler wrote:
> On Sun, 2009-10-25 at 11:16 +0100, Harald Welte wrote:
>> Dear Balazs,
>>
>> as you might have read from other mails (and by the long period of silence),
>> Patrick McHardy is currently unavailable to perform his usual maintainer
>> role.
>>
>> I personally am too much out of touch with recent developments in
>> netfitler-land to be able to confidently review your patches...  
>>
>> So unless somebody else from the team (Jozsef?, Pablo?) feels confident in
>> ACKing your patchset, I will have to ask for your patience until Patrick is
>> back and can do it by himself.
> 
> Thanks for letting me know, hopefully Patrick gets better soon. I've
> planned another round of the TProxy patches as I got some comments at
> the previous round I'm yet to address.
> 
> So no need to hurry.
> 

Just bumping this topic up again.

What is the current status of these patches?

Our release which might make use of them goes into production sites in a 
few weeks and I'm starting to see a little more interest in them from 
our users.

AYJ
Squid Project

Re: [PATCH 00/13] TProxy IPv6 support 2nd round

[Balazs Scheidler]

On Mon, 2010-03-08 at 22:38 +1300, Amos Jeffries wrote:
> Balazs Scheidler wrote:
> > On Sun, 2009-10-25 at 11:16 +0100, Harald Welte wrote:
> >> Dear Balazs,
> >>
> >> as you might have read from other mails (and by the long period of silence),
> >> Patrick McHardy is currently unavailable to perform his usual maintainer
> >> role.
> >>
> >> I personally am too much out of touch with recent developments in
> >> netfitler-land to be able to confidently review your patches...  
> >>
> >> So unless somebody else from the team (Jozsef?, Pablo?) feels confident in
> >> ACKing your patchset, I will have to ask for your patience until Patrick is
> >> back and can do it by himself.
> > 
> > Thanks for letting me know, hopefully Patrick gets better soon. I've
> > planned another round of the TProxy patches as I got some comments at
> > the previous round I'm yet to address.
> > 
> > So no need to hurry.
> > 
> 
> Just bumping this topic up again.
> 
> What is the current status of these patches?
> 
> Our release which might make use of them goes into production sites in a 
> few weeks and I'm starting to see a little more interest in them from 
> our users.

Well, no news ever since. I was backlogged with other stuff, so didn't
push these too much. All I got was two comments to be fixed:

1) indentation should use tabs instead of spaces

2) the IPv6 address detection should be changed to use a function
instead of relying on the first IPv6 address on the interface.

Hopefully I can give this some care in the coming weeks.

-- 
Bazsi

Re: [PATCH 00/13] TProxy IPv6 support 2nd round

[Amos Jeffries]

Balazs Scheidler wrote:
> On Mon, 2010-03-08 at 22:38 +1300, Amos Jeffries wrote:
>> Balazs Scheidler wrote:
>>> On Sun, 2009-10-25 at 11:16 +0100, Harald Welte wrote:
>>>> Dear Balazs,
>>>>
>>>> as you might have read from other mails (and by the long period of silence),
>>>> Patrick McHardy is currently unavailable to perform his usual maintainer
>>>> role.
>>>>
>>>> I personally am too much out of touch with recent developments in
>>>> netfitler-land to be able to confidently review your patches...  
>>>>
>>>> So unless somebody else from the team (Jozsef?, Pablo?) feels confident in
>>>> ACKing your patchset, I will have to ask for your patience until Patrick is
>>>> back and can do it by himself.
>>> Thanks for letting me know, hopefully Patrick gets better soon. I've
>>> planned another round of the TProxy patches as I got some comments at
>>> the previous round I'm yet to address.
>>>
>>> So no need to hurry.
>>>
>> Just bumping this topic up again.
>>
>> What is the current status of these patches?
>>
>> Our release which might make use of them goes into production sites in a 
>> few weeks and I'm starting to see a little more interest in them from 
>> our users.
> 
> Well, no news ever since. I was backlogged with other stuff, so didn't
> push these too much. All I got was two comments to be fixed:
> 
> 1) indentation should use tabs instead of spaces
> 
> 2) the IPv6 address detection should be changed to use a function
> instead of relying on the first IPv6 address on the interface.
> 
> Hopefully I can give this some care in the coming weeks.
> 

Thank you for that.

AYJ