From: Patrick McHardy <kaber@trash.net>
To: Hans Schillstrom <hans@schillstrom.com>
Cc: pablo@netfilter.org, jengelh@medozas.de,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
hans.schillstrom@ericsson.com
Subject: Re: [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark
Date: Thu, 01 Dec 2011 11:05:13 +0100 [thread overview]
Message-ID: <4ED75159.5000604@trash.net> (raw)
In-Reply-To: <201112010125.29627.hans@schillstrom.com>
On 12/01/2011 01:25 AM, Hans Schillstrom wrote:
> On Wednesday, November 30, 2011 16:51:35 Patrick McHardy wrote:
>> On 11/25/2011 10:36 AM, Hans Schillstrom wrote:
>>> +
>>> +hdr_new:
>>> + /* Get header info */
>>> + ip6 = (struct ipv6hdr *) (skb->data + nhoff);
>>> + nexthdr = ip6->nexthdr;
>>> + hdrlen = sizeof(struct ipv6hdr);
>>> + hp = skb_header_pointer(skb, nhoff + hdrlen, sizeof(_hdr),&_hdr);
>>> +
>>> + while (nexthdr) {
>>> + switch (nexthdr) {
>>> + case IPPROTO_ICMPV6:
>>> + /* ICMP Error then move ptr to inner header */
>>> + if (get_inner6_hdr(skb,&nhoff, hdrlen)) {
>> This doesn't look right. You assume the ICMPv6 header is following
>> the IPv6 header with any other headers in between. If there are
>> other headers, hdrlen will contain the length of the last header.
>
> RFC-4443 "Every ICMPv6 message is preceded by an IPv6 header and zero or more IPv6 extension headers."
> hdrlen is actually previous header length in bytes, to be correct.
> nhoff is the sum of processed headers.
> So in case of an icmp the nhoff will be updated, and hdrlen preset to ipv6hdr size
Right, I missed that you're using nhoff + hdrlen in
get_inner6_hdr().
>>> + ip6hdrlvl++;
>>> + if (!pskb_may_pull(skb, sizeof(_hdr) + nhoff))
>>> + return XT_CONTINUE;
>>> + goto hdr_new;
>>> + }
>>> + nhoff += hdrlen;
>>> + goto hdr_rdy;
>>> +
>>> + case NEXTHDR_FRAGMENT:
>>> + if (!ip6hdrlvl) /* Do not use ports if fragmented */
>>> + frag = 1;
>> Shouldn't you also check for fragment offset == 0 here?
> According to the RFC "Initialized to zero for transmission; ignored on reception"
No, what I meant is that for the first fragment, you do
have the upper layer header available. But as we already
discussed for a stable identifier you want to ignore it
anyways.
>>> + case NEXTHDR_TCP:
>>> + case NEXTHDR_UDP:
>>> + case NEXTHDR_ESP:
>>> + case NEXTHDR_AUTH:
>> Don't you want to use the port numbers if only authentication
>> without encryption is used?
> with esp or ah the SPI will be used instead of ports.
> Useful or not I don't know since they are asymmetric in terms of a flow.
Yes, but with AH you could either use the ESP SPI or if no ESP
is used the port numbers of the upper layer protocol.
>> And final question, why not simply use ipv6_skip_exthdr()?
> problems with fragments...
So the probem is that it will return the transport layer protocol
header for fragments with frag_off == 0? We also have ipv6_find_hdr()
which we could modify to indicate this in the frag_off pointer.
next prev parent reply other threads:[~2011-12-01 10:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-25 9:36 [v4 PATCH 0/2] NETFILTER new target module, HMARK Hans Schillstrom
2011-11-25 9:36 ` [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark Hans Schillstrom
2011-11-25 14:19 ` David Laight
2011-11-25 14:36 ` Eric Dumazet
2011-11-25 14:43 ` Eric Dumazet
2011-11-25 17:36 ` Pablo Neira Ayuso
2011-11-25 18:31 ` Jan Engelhardt
2011-11-30 15:51 ` Patrick McHardy
2011-12-01 0:25 ` Hans Schillstrom
2011-12-01 10:05 ` Patrick McHardy [this message]
2011-11-25 9:36 ` [v4 PATCH 2/2] NETFILTER userspace part for target HMARK Hans Schillstrom
2011-11-25 13:20 ` Jan Engelhardt
2011-11-25 14:04 ` Hans Schillström
2011-11-25 15:44 ` Jan Engelhardt
-- strict thread matches above, loose matches on Subject: below --
2011-11-28 9:36 Re[2]: [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark Hans Schillstrom
2011-11-30 15:27 ` Patrick McHardy
2011-11-30 18:28 ` Pablo Neira Ayuso
2011-12-01 0:52 ` Hans Schillstrom
2011-12-01 11:05 Re[2]: " Hans Schillstrom
2011-12-01 11:24 ` Patrick McHardy
2011-12-01 11:39 Re[2]: " Hans Schillstrom
2011-12-01 11:46 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ED75159.5000604@trash.net \
--to=kaber@trash.net \
--cc=hans.schillstrom@ericsson.com \
--cc=hans@schillstrom.com \
--cc=jengelh@medozas.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).