From: Nikolay Aleksandrov <nikolay@redhat.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [RFC PATCH] netfilter: nf_tables: extend payload to support writing data
Date: Wed, 19 Feb 2014 17:22:45 +0100 [thread overview]
Message-ID: <5304DA55.90409@redhat.com> (raw)
In-Reply-To: <20140219162542.GA9882@macbook.localnet>
On 02/19/2014 05:25 PM, Patrick McHardy wrote:
> On Wed, Feb 19, 2014 at 05:12:13PM +0100, Nikolay Aleksandrov wrote:
>> On 02/17/2014 07:46 PM, Patrick McHardy wrote:
>>>>>
>>>>> We need to take care of checksumming. Shouldn't be too hard to get *most*
>>>>> cases right using the existing checksum helpers.
>>>>>
>>>> Yes, but would you like to do that in here or have a separate op which
>>>> is configurable i.e. you can set what to calculate and where to put it,
>>>> or would you prefer to make it automatic based on what we're changing here ?
>>>
>>> Something here is a lot cheaper since we can use incremental checksumming.
>>> That won't be possible somewhere else, additionally we'd have to check
>>> the checksum before recalculating it to make sure we don't fix up bad
>>> packets. So yes, I think it should be done here.
>>>
>> Okay, I've been working on this today and have gotten to a point where it works :)
>> But I have a few questions, currently I've made it so the header that you modify
>> is the only one that gets its checksum updated (with the exception of pseudo
>> header if the address gets written to), I recompute the changed bytes one at a
>> time because of the freedom of offset and length. Now this works fine and I can
>> mangle the ip/ip6 headers or the transport headers (tcp/udp, I'll look into
>> adding sctp as well), but there's a problem with the cross-header writing i.e.
>> if a write spills from the network header to the transport header, currently I
>> only update the network header part (correctly, only up to the bytes that were
>> changed inside) and leave the transport header broken.
>> This also applies to the LL header, if a write spills into the network header
>> then we'll have a broken packet.
>>
>> Would you like me to add additional logic to support the cross-header writes or
>> leave it as it is ?
>
> I think that should be fine.
>
> Regarding the one byte at a time - update, how about rounding down to the
> next multiple of four, adjusting the replacement data accordingly and using
> csum_replace4() instead?
>
I was hoping you wouldn't say that :-) (joking)
Yep, I know, I'll do it.
Thanks again
next prev parent reply other threads:[~2014-02-19 16:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-17 18:12 [RFC PATCH] netfilter: nf_tables: extend payload to support writing data Nikolay Aleksandrov
2014-02-17 18:37 ` Patrick McHardy
2014-02-17 18:43 ` Nikolay Aleksandrov
2014-02-17 18:46 ` Patrick McHardy
2014-02-19 16:12 ` Nikolay Aleksandrov
2014-02-19 16:25 ` Patrick McHardy
2014-02-19 16:22 ` Nikolay Aleksandrov [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-02-23 17:32 Nikolay Aleksandrov
2014-02-23 18:09 ` Patrick McHardy
2014-02-23 18:34 ` Nikolay Aleksandrov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5304DA55.90409@redhat.com \
--to=nikolay@redhat.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).