[PATCH] ipt_ROUTE for kernel 2.6.21.5

[PATCH] ipt_ROUTE for kernel 2.6.21.5

[Ludovic]

[-- Attachment #1: Type: text/plain, Size: 355 bytes --]

Hi guys,

sorry if there is already some patches about this but i've searched
one week how to make the ROUTE target work well.

Here are two patches (one for ipv4 and one for ipv6) which change
ipt_register and ipt_unregister to xt_register and xt_unregister and
which add .family = AF_INET in the xt_target structure declaration.

Best regards.
Ludovic.

[-- Attachment #2: patch_ip6t_ROUTE --]
[-- Type: application/octet-stream, Size: 992 bytes --]

--- linux-2.6.21.5/net/ipv6/netfilter/ip6t_ROUTE.c.orig	2007-07-30 16:13:07.000000000 +0200
+++ linux-2.6.21.5/net/ipv6/netfilter/ip6t_ROUTE.c	2007-07-30 16:14:26.000000000 +0200
@@ -299,8 +299,9 @@ ip6t_route_checkentry(const char *tablen
 }
 
 
-static struct ip6t_target ip6t_route_reg = {
+static struct xt_target ip6t_route_reg = {
 	.name       = "ROUTE",
+	.family	    = AF_INET,
 	.target     = ip6t_route_target,
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
 	.targetsize = sizeof(struct ip6t_route_target_info),
@@ -313,7 +314,7 @@ static struct ip6t_target ip6t_route_reg
 static int __init init(void)
 {
 	printk(KERN_DEBUG "registering ipv6 ROUTE target\n");
-	if (ip6t_register_target(&ip6t_route_reg))
+	if (xt_register_target(&ip6t_route_reg))
 		return -EINVAL;
 
 	return 0;
@@ -322,7 +323,7 @@ static int __init init(void)
 
 static void __exit fini(void)
 {
-	ip6t_unregister_target(&ip6t_route_reg);
+	xt_unregister_target(&ip6t_route_reg);
 }
 
 module_init(init);

[-- Attachment #3: patch_ipt_ROUTE --]
[-- Type: application/octet-stream, Size: 1080 bytes --]

--- linux-2.6.21.5/net/ipv4/netfilter/ipt_ROUTE.c.orig	2007-07-30 15:26:16.000000000 +0200
+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_ROUTE.c	2007-07-30 15:50:10.000000000 +0200
@@ -450,8 +450,9 @@ static int ipt_route_checkentry(const ch
 }
 
 
-static struct ipt_target ipt_route_reg = { 
+static struct xt_target ipt_route_reg = { 
 	.name = "ROUTE",
+	.family = AF_INET,
 	.target = ipt_route_target,
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
 	.targetsize = sizeof(struct ipt_route_target_info),
@@ -460,6 +461,7 @@ static struct ipt_target ipt_route_reg =
 	.me = THIS_MODULE,
 };
 
+
 static int __init init(void)
 {
 	/* Set up fake conntrack (stolen from raw.patch):
@@ -470,13 +472,13 @@ static int __init init(void)
 	/* Initialize fake conntrack so that NAT will skip it */
 	route_tee_track.status |= IPS_NAT_DONE_MASK;
 
-	return ipt_register_target(&ipt_route_reg);
+	return xt_register_target(&ipt_route_reg);
 }
 
 
 static void __exit fini(void)
 {
-	ipt_unregister_target(&ipt_route_reg);
+	xt_unregister_target(&ipt_route_reg);
 }
 
 module_init(init);

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Jan Engelhardt]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 537 bytes --]


On Jul 30 2007 16:42, Ludovic wrote:
>Hi guys,
>
>sorry if there is already some patches about this but i've searched
>one week how to make the ROUTE target work well.
>
>Here are two patches (one for ipv4 and one for ipv6) which change
>ipt_register and ipt_unregister to xt_register and xt_unregister and
>which add .family = AF_INET in the xt_target structure declaration.

Somehow this feels like déjà-vu. ipt_ROUTE is, well, a hack
and the proper solution to it is policy routing; e.g. based on fwmark.


	Jan
-- 

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jul 30 2007 16:42, Ludovic wrote:
> 
>>sorry if there is already some patches about this but i've searched
>>one week how to make the ROUTE target work well.
>>
>>Here are two patches (one for ipv4 and one for ipv6) which change
>>ipt_register and ipt_unregister to xt_register and xt_unregister and
>>which add .family = AF_INET in the xt_target structure declaration.
> 
> 
> Somehow this feels like déjà-vu. ipt_ROUTE is, well, a hack
> and the proper solution to it is policy routing; e.g. based on fwmark.


Fully agreed (well, I made that argument for ages), I think we
should simply remove it from pomng to avoid misleading users
into thinking it would be the proper way to do things.

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Jan Engelhardt]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 842 bytes --]


On Jul 30 2007 16:47, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Jul 30 2007 16:42, Ludovic wrote:
>> 
>>>sorry if there is already some patches about this but i've searched
>>>one week how to make the ROUTE target work well.
>>>
>>>Here are two patches (one for ipv4 and one for ipv6) which change
>>>ipt_register and ipt_unregister to xt_register and xt_unregister and
>>>which add .family = AF_INET in the xt_target structure declaration.
>> 
>> 
>> Somehow this feels like déjà-vu. ipt_ROUTE is, well, a hack
>> and the proper solution to it is policy routing; e.g. based on fwmark.
>
>
>Fully agreed (well, I made that argument for ages), I think we
>should simply remove it from pomng to avoid misleading users
>into thinking it would be the proper way to do things.
>
I second that idea.


	Jan
-- 

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jul 30 2007 16:47, Patrick McHardy wrote:
> 
>>Fully agreed (well, I made that argument for ages), I think we
>>should simply remove it from pomng to avoid misleading users
>>into thinking it would be the proper way to do things.
>>
> 
> I second that idea.


Its gone now ..

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 721 bytes --]



On Mon, 30 Jul 2007, Patrick McHardy wrote:

> Jan Engelhardt wrote:
>> On Jul 30 2007 16:47, Patrick McHardy wrote:
>>
>>> Fully agreed (well, I made that argument for ages), I think we
>>> should simply remove it from pomng to avoid misleading users
>>> into thinking it would be the proper way to do things.
>>>
>>
>> I second that idea.
>
>
> Its gone now ..

1. ROUTE has a very usefull option --tee. AFAIK it is not possible to do 
it other way.
2. Policy routing based on fwmark is not always an option if you use 
marks for other purposes.

So, if it is going to be removed from pom-ng I would like to keep it in my 
external pomng-repository.

Best regards,


 				Krzysztof Olędzki

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Patrick McHardy]

Krzysztof Oledzki wrote:
> 1. ROUTE has a very usefull option --tee. AFAIK it is not possible to do
> it other way.


Thats true. Not sure in what practical situation it is used though.

> 2. Policy routing based on fwmark is not always an option if you use
> marks for other purposes.


Maybe (trying to avoid getting into discussion about too small mark
values again :)).

> So, if it is going to be removed from pom-ng I would like to keep it in
> my external pomng-repository.


Please go ahead.

Just FYI: One more reason for removing it is that its broken wrt.
IPsec handling and the duplicated functions from ip_output are out
of sync (and I think there were a few smaller problems as well).
If there really is a need for something like the tee functionality
I'm not opposed to considering merging a clean patch without these
problems for that.

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Patrick Schaaf]

> > 1. ROUTE has a very usefull option --tee. AFAIK it is not possible to do
> > it other way.
> 
> Thats true. Not sure in what practical situation it is used though.

iptables -A INPUT -p tcp --dport 25 -j ROUTE --tee --gw lawful.inspection.box

In other words: network traffic taps.

If the feature is removed from POM, I'll probably be forced by
colleagues to maintain it in some other form. Sigh.

best regards
  Patrick

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Patrick McHardy]

Patrick Schaaf wrote:
>>>1. ROUTE has a very usefull option --tee. AFAIK it is not possible to do
>>>it other way.
>>
>>Thats true. Not sure in what practical situation it is used though.
> 
> 
> iptables -A INPUT -p tcp --dport 25 -j ROUTE --tee --gw lawful.inspection.box
> 
> In other words: network traffic taps.


Yeah, I was already thinking of that, but bonding allows to do
that on a per-device base. Not sure if that helps ..

> If the feature is removed from POM, I'll probably be forced by
> colleagues to maintain it in some other form. Sigh.

Krzysztof expressed interest in maintaining it ..

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1282 bytes --]



On Mon, 30 Jul 2007, Patrick McHardy wrote:

> Krzysztof Oledzki wrote:
>> 1. ROUTE has a very usefull option --tee. AFAIK it is not possible to do
>> it other way.
>
>
> Thats true. Not sure in what practical situation it is used though.
>
>> 2. Policy routing based on fwmark is not always an option if you use
>> marks for other purposes.
>
>
> Maybe (trying to avoid getting into discussion about too small mark
> values again :)).
>
>> So, if it is going to be removed from pom-ng I would like to keep it in
>> my external pomng-repository.
>
>
> Please go ahead.

So I added it to my pom-ng repository for now, with fixes for 
2.6.21/2.6.22.

> Just FYI: One more reason for removing it is that its broken wrt.
> IPsec handling

Could you explain it a bit? What is wrong and maybe some clue how it 
should be fixed?

> and the duplicated functions from ip_output are out
> of sync

OK, found it. This is a easy part to fix. :)

> (and I think there were a few smaller problems as well).

For example?

> If there really is a need for something like the tee functionality
> I'm not opposed to considering merging a clean patch without these
> problems for that.

OK. I'll do my best. :)

Best regards,

 				Krzysztof Olędzki

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Jan Engelhardt]

On Aug 29 2007 13:23, Krzysztof Oledzki wrote:
>
>> Just FYI: One more reason for removing it is that its broken wrt.
>> IPsec handling
>
> Could you explain it a bit? What is wrong and maybe some clue how it should be
> fixed?

ip_direct_send does not do IPSEC IIRC.


	Jan
-- 

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1012 bytes --]



On Wed, 29 Aug 2007, Jan Engelhardt wrote:

>
> On Aug 29 2007 13:23, Krzysztof Oledzki wrote:
>>
>>> Just FYI: One more reason for removing it is that its broken wrt.
>>> IPsec handling
>>
>> Could you explain it a bit? What is wrong and maybe some clue how it should be
>> fixed?
>
> ip_direct_send does not do IPSEC IIRC.

Neither ip_finish_output2 which is a place from this code comes from. 
Anyway, I found that indeed ip_finish_output, which calls 
ip_finish_output2, contains xfrm code:

#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
         /* Policy lookup after SNAT yielded a new policy */
         if (skb->dst->xfrm != NULL) {
                 IPCB(skb)->flags |= IPSKB_REROUTED;
                 return dst_output(skb);
         }
#endif

Is that all?

So, how it should work with ROUTE? I assume that teed packets shouldn't 
go via xfrm, neither directly (--gw, --oif) routed packets if there is no 
tee, right?

Best regards,

 				Krzysztof Olędzki

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Patrick McHardy]

Krzysztof Oledzki wrote:
> On Wed, 29 Aug 2007, Jan Engelhardt wrote:
> 
>>
>> On Aug 29 2007 13:23, Krzysztof Oledzki wrote:
>>>
>>>> Just FYI: One more reason for removing it is that its broken wrt.
>>>> IPsec handling
>>>
>>> Could you explain it a bit? What is wrong and maybe some clue how it 
>>> should be
>>> fixed?
>>
>> [...]
> 
> Is that all?


Can you point me to the latest source please?

Re: [PATCH] ipt_ROUTE for kernel 2.6.21.5

[Jan Engelhardt]

On Aug 30 2007 08:46, Patrick McHardy wrote:
>> > > > Just FYI: One more reason for removing it is that its broken wrt.
>> > > > IPsec handling
>> > >
>> > > Could you explain it a bit? What is wrong and maybe some clue how it
>> > > should be
>> > > fixed?
>> >
>> > [...]
>> 
>> Is that all?
>
> Can you point me to the latest source please?
>
See the xt_TEE thread; the mail with the plain files I sent.



	Jan
--