Re: Problem with cls_flow nfct-* keys

Linux Advanced Routing and Traffic Control

After days of trial and error I finally got a working solution - I use code from act_connmark and it's working pretty well.
#define CTTUPLE(skb, member)                                            \
({                                                                      \
        enum ip_conntrack_info ctinfo;                                  \
        struct nf_conntrack_tuple tuple;                                \
        struct nf_conntrack_zone zone;                                  \
        const struct nf_conntrack_tuple_hash *thash = NULL;             \
        int proto;                                                      \
        /* fast path: the skb already carries conntrack state */        \
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);                   \
        if (ct == NULL) {                                               \
                /* slow path (from act_connmark): build the tuple */    \
                /* from the packet and look the entry up by hand */     \
                switch (tc_skb_protocol(skb)) {                         \
                case htons(ETH_P_IP):                                   \
                        proto = NFPROTO_IPV4;                           \
                        break;                                          \
                case htons(ETH_P_IPV6):                                 \
                        proto = NFPROTO_IPV6;                           \
                        break;                                          \
                default:                                                \
                        goto fallback;                                  \
                }                                                       \
                if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),    \
                                       proto, &tuple))                  \
                        goto fallback;                                  \
                zone.id = NF_CT_DEFAULT_ZONE_ID;                        \
                zone.dir = NF_CT_DEFAULT_ZONE_DIR;                      \
                thash = nf_conntrack_find_get(dev_net(skb->dev),        \
                                              &zone, &tuple);           \
                if (!thash)                                             \
                        goto fallback;                                  \
                ct = nf_ct_tuplehash_to_ctrack(thash);                  \
                /* ctinfo is NOT set on this path */                    \
        }                                                               \
        typeof(ct->tuplehash[0].tuple.member) __val =                   \
                ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.member;         \
        if (thash)                                                      \
                nf_ct_put(ct);  /* drop the ref that find_get took */   \
        __val;                                                          \
})


I can get info about the original src/dst on ingress. But there is a little problem in ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.member:
I can't get a valid direction, because I don't get ctinfo. Is there any solution for my situation?

03.12.2015, 12:51, "Andy Furniss" <adf.lists@xxxxxxxxx>:
> Гаврилов Игорь wrote:
>>  So this problem not related to my setup. Seems that it occurs for a
>>  long time. Is there any possibility to fix this, and what is the
>>  reason of such behavior.
>
> As Florian says, on ingress tc gets the packet before conntrack.
>
> I was slightly hopeful that I was wrong (in thinking this never worked)
> when I saw "nf_ct_get" in the code, but it just looks at the skb which
> on ingress won't have the fields filled in.
>
> /* Return conntrack_info and tuple hash for given skb. */
> static inline struct nf_conn *
> nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
> {
>          *ctinfo = skb->nfctinfo;
>          return (struct nf_conn *)skb->nfct;
> }
>
> Historically at least people used imq to get at traffic after netfilter.
> It seems it's still alive -
>
> www.linuximq.net
>
> but you need to patch kernel/iptables.
>
> When ifb first appeared it was mentioned that an action could be made to
> get netfilter state and Florian mentions act_connmark.c so I guess some
> progress was made.
>
> Not really much use for your example I suppose.
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
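An added illustration of the direction question raised in the post above. This is a userspace model written for this page, not code from the thread, from act_connmark or from the kernel: a conntrack entry keeps one tuple per direction, and the hash entry that a lookup by the packet's own tuple returns is tagged with the direction it belongs to (the kernel's NF_CT_DIRECTION(h), i.e. tuple.dst.dir), which is what nf_conntrack itself uses to derive ctinfo when it first classifies a packet. So on the lookup path the direction is available from thash even though skb->nfctinfo is not. The struct layout, the table, the function names and the sample flow (10.0.0.5:40000 to 93.184.216.34:443, TCP) are simplified stand-ins constructed for the example.

```c
/* Added example: userspace model of conntrack's per-direction tuples.
 * Not code from the thread, act_connmark or the kernel; the structures
 * and names are simplified stand-ins that mirror the kernel's layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ip_conntrack_dir { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1, IP_CT_DIR_MAX };

/* Stand-in for nf_conntrack_tuple: the 5-tuple plus the direction tag the
 * kernel keeps in tuple.dst.dir. The tag is not part of the lookup key. */
struct ct_tuple {
        uint32_t src_ip, dst_ip;      /* host byte order in this model */
        uint16_t src_port, dst_port;
        uint8_t  proto;
        uint8_t  dir;
};

struct ct_tuple_hash { struct ct_tuple tuple; };

/* Stand-in for nf_conn: one hash entry per direction. */
struct ct_conn { struct ct_tuple_hash tuplehash[IP_CT_DIR_MAX]; };

#define NF_CT_DIRECTION(h) ((enum ip_conntrack_dir)(h)->tuple.dir)

/* Model of the per-netns table: a small fixed array. */
#define CT_MAX 8
static struct ct_conn ct_table[CT_MAX];
static int ct_count;

static uint32_t ip4(int a, int b, int c, int d)
{
        return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* New entry from the first packet of a flow: ORIGINAL is that packet's
 * tuple, REPLY is its inverse (what nf_ct_invert_tuple() does). */
static struct ct_conn *ct_add(uint32_t sip, uint16_t sport,
                              uint32_t dip, uint16_t dport, uint8_t proto)
{
        if (ct_count == CT_MAX)
                return NULL;
        struct ct_conn *ct = &ct_table[ct_count++];
        ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple =
                (struct ct_tuple){ sip, dip, sport, dport, proto, IP_CT_DIR_ORIGINAL };
        ct->tuplehash[IP_CT_DIR_REPLY].tuple =
                (struct ct_tuple){ dip, sip, dport, sport, proto, IP_CT_DIR_REPLY };
        return ct;
}

static int tuple_equal(const struct ct_tuple *a, const struct ct_tuple *b)
{
        return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
               a->src_port == b->src_port && a->dst_port == b->dst_port &&
               a->proto == b->proto;
}

/* Model of nf_conntrack_find_get(): a packet's tuple matches exactly one of
 * a connection's two entries, so the entry found tells the packet's direction. */
static const struct ct_tuple_hash *ct_find(const struct ct_tuple *t)
{
        for (int i = 0; i < ct_count; i++)
                for (int d = 0; d < IP_CT_DIR_MAX; d++)
                        if (tuple_equal(&ct_table[i].tuplehash[d].tuple, t))
                                return &ct_table[i].tuplehash[d];
        return NULL;
}

/* Model of nf_ct_tuplehash_to_ctrack(): step back from entry d to entry 0,
 * then to the containing connection. */
static const struct ct_conn *ct_from_hash(const struct ct_tuple_hash *h)
{
        const struct ct_tuple_hash *first = h - NF_CT_DIRECTION(h);
        return (const struct ct_conn *)((const char *)first - offsetof(struct ct_conn, tuplehash));
}

/* Ingress lookup: build the tuple from the packet, look it up, and take the
 * direction from the hash entry rather than from a ctinfo the skb never had.
 * Returns IP_CT_DIR_* or -1 when there is no entry (the "goto fallback" case). */
static int ingress_direction(uint32_t sip, uint16_t sport,
                             uint32_t dip, uint16_t dport, uint8_t proto)
{
        struct ct_tuple t = { sip, dip, sport, dport, proto, 0 };
        const struct ct_tuple_hash *h = ct_find(&t);
        return h ? (int)NF_CT_DIRECTION(h) : -1;
}

/* What an nfct-src key wants: the ORIGINAL-direction source address, the same
 * whichever way the packet is going. Returns 0 when there is no entry. */
static uint32_t ingress_orig_src(uint32_t sip, uint16_t sport,
                                 uint32_t dip, uint16_t dport, uint8_t proto)
{
        struct ct_tuple t = { sip, dip, sport, dport, proto, 0 };
        const struct ct_tuple_hash *h = ct_find(&t);
        return h ? ct_from_hash(h)->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src_ip : 0;
}

/* Constructed sample state: one TCP flow from a LAN client to a web server. */
static int demo_populate(void)
{
        ct_count = 0;
        ct_add(ip4(10, 0, 0, 5), 40000, ip4(93, 184, 216, 34), 443, 6);
        return ct_count;
}

int main(void)
{
        uint32_t client = ip4(10, 0, 0, 5), server = ip4(93, 184, 216, 34);
        demo_populate();
        printf("client->server: dir=%d orig_src=%08x\n",
               ingress_direction(client, 40000, server, 443, 6),
               ingress_orig_src(client, 40000, server, 443, 6));
        printf("server->client: dir=%d orig_src=%08x\n",
               ingress_direction(server, 443, client, 40000, 6),
               ingress_orig_src(server, 443, client, 40000, 6));
        printf("unknown flow:   dir=%d\n", ingress_direction(client, 40001, server, 443, 6));
        return 0;
}
```

Both directions of the same flow return the client address as the ORIGINAL source, and a packet with no entry yields -1, which corresponds to the macro's fallback to the plain packet fields.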


