Hi Joachim and All, -----Original Message----- From: Joachim Wieland [mailto:joe@mcknight.de]On Behalf Of Joachim Wieland Subject: Re: FW: problem with ip_route_output_key > I'm sorry, I don't know much (i.e. nothing) about kernel hacking. I did > the patch with the posting you found, it didn't work, my computer > crashed (the first versions - not the last... :-) and nobody from the > list wanted to help me or tell me why it doesn't work. So I didn't > continue digging further into the netfilter code. Same problem which looking for help. At last I wrote personal mail to concern netfilter developers too, but here again all peoples went in deep sleep. But I don't wana let it go, I'm excited bacouse of a little requirement at our end, even though alternative solution is exist. > From include/asm-i386/errno.h you get that 22 is EINVAL, so check if > your packets match any condition that would return EINVAL or "goto > e_inval" > I think it has still set the source-address ? > The first check is > if (oldkey->src) { > err = -EINVAL; > Could that be the problem? > (I'm looking at 2.4.10 right now) Ya even though I thought the same and verified that with setting source-add to 0 and that returns successfully. Surprisngly, if its so then why standred netfilter module ipt_MIRROR is still not patched/changed? Anyways this is not question to you(Joachim) :-). I spent my whole day digging into a near functional module ipt_REJECT and get my things working. But I've a question here, if we query for route and if source specified then why returns error, how about source based routing decision? > *shrug* Did you try adding printk()s into ip_route_output_slow() to know > where it bails out? Maybe you should add checks on the source or > destination of the packets so you don't get debug for EVERY packet that > is routed... Insteed of more printk() in route.c and compiling kernel everytine, I decided to first look more into ipt_REJECT, and adds-up following code, in ipt_MIRROR, before calling ip_route_output_key ... ... struct iphdr *iph = skb->nh.iph; struct rtable *rt = (struct rtable*)skb->dst; int err; struct rt_key key ; ... ... if (!rt) { printk("DUPSEND: rt is NULL\n"); return 0; } /* No replies to physical multicast/broadcast */ if (skb->pkt_type!=PACKET_HOST) { printk("DUPSEND: Packet Type non considerable %d\n", skb->pkt_type); return 0; } /* Now check at the protocol level */ if (rt->rt_flags&(RTCF_BROADCAST|RTCF_MULTICAST)) { printk("DUPSEND: Prorocol Type non considerable %s\n", rt->rt_flags&(RTCF_BROADCAST) ? "BROADCAST" : "MULTICAST"); return 0; } if (!(rt->rt_flags & RTCF_LOCAL)) { printk("DUPSEND: setting packet source to 0.0.0.0 \n"); key.src = 0; } if( (err = ip_route_output_key(&rt, &key)) != 0) { DEBUGP("DUPSEND: ip_route_output_key failed error %d\n", err); return 0; } ... ... Chesrs, No error returned by ip_route_output_key. This code, can't be said trivial :-)))), was totally non-understandable by me, but made ipt_MIRROR works. It would be nice if someone points me to explaination on above stuffs. Anyways finally my concern work was to create a new IP packet in kernel and send it to some destination as well as leaveing original intact. I found one of Rusty Russell reply to start with (http://lists.samba.org/pipermail/netfilter/2000-May/004053.html ). A new problem now :(, I'm able to send new as well as original packet but call to "kfree_skb(newskb)" create kernel-panic and dump. I would appritiate again for any help in finding error from following code. static void ip_direct_send(struct sk_buff *skb) { struct dst_entry *dst = skb->dst; struct hh_cache *hh = dst->hh; if (hh) { read_lock_bh(&hh->hh_lock); memcpy(skb->data - 16, hh->hh_data, 16); read_unlock_bh(&hh->hh_lock); skb_push(skb, hh->hh_len); hh->hh_output(skb); } else if (dst->neighbour) dst->neighbour->output(skb); else { printk(KERN_DEBUG "khm in DUPSEND\n"); /* We r freeing it anyway from caller routine */ /*kfree_skb(skb);*/ } } tatic unsigned int ipt_target(struct sk_buff **pskb, unsigned int hooknum, const struct net_device *in, const struct net_device *out, const void *targinfo, void *userinfo) { ... ... struct sk_buff *newskb = skb_copy(*pskb, GFP_ATOMIC); if (newskb) { iph = newskb->nh.iph; newskb->nfcache |= NFC_ALTERED; iph->daddr = dupsendinfo->dup_ip; iph->check = 0; iph->check = ip_compute_csum((unsigned char *)iph, sizeof(*iph)); // Here is function call for which do my previously explained problem with // ip_route_output_key ip_direct_send(newskb); /* I couldn't understand this okfn here, It was on the link or Rusty's reply */ /* Is this root of problem */ /* okfn(newskb); */ printk("DUPSEND: freeing new packet memory\n"); kfree_skb(newskb); } ... ... } Moreover, If I register hook for PREROUTING then how it can be done, as at PREROUTING I get skb->dst == NULL, and there is lots to do with skb->dst in the LOC above. > I really wish you the best, please tell me if you succeed. Sorry, I > don't know more about that stuff. I wish I would... :-) Finally my special thanks to Joachim for his replies which leads to a solution. But its not finished yet :( -- Sumit - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
