Re: new target: -j TEE


 



Hi,

I was on holiday, so I couldn't work on the patch for a while. But here
is the current version, which seems to work with the current 2.6.22.9.

For the Changelog:
 - fixed comment to route()
 - removed route_gw()
 - removed TTL handling
 - made it compile without CONFIG_NF_CONNTRACK (no loop prevention in
this case!)

Greets
  Sebastian.


-- 
Mit freundlichen Grüßen / Yours sincerely

Sebastian Claßen
Postmaster
----------------------------------------------------------------------
Telefon: + 49 (0) 211 53087 522
Telefax: + 49 (0) 211 5381573
E-Mail:  sebastian.classen@xxxxxxxxxx
Website: www.freenet.de; www.mobilcom.de
----------------------------------------------------------------------
freenet AG
Willstätterstr. 13
40549 Düsseldorf
----------------------------------------------------------------------
Vorsitzender des Aufsichtsrates: Prof. Dr. Helmut Thoma
Vorstand: Eckhard Spoerr (Vors.), Axel Krieger, Stephan Esch, Eric
Berger
Sitz: Büdelsdorf
Amtsgericht Kiel HRB 7306 KI
/*
 * This implements the TEE target.
 *
 * Copyright (C) 2007 Sebastian.Classen <sebastian.classen@xxxxxxxxxx>
 * Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>, 2007
 * based on ipt_ROUTE.c from Cédric de Launois <delaunois@xxxxxxxxxxxxxx>
 *
 * This software is distributed under GNU GPL v2, 1991
 */
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/route.h>
#include <linux/skbuff.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/route.h>
#include <linux/netfilter/xt_TEE.h>

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#include <net/netfilter/nf_conntrack.h>
/*
 * Private, never-hashed conntrack entry.  xt_TEE_target() attaches it to
 * every copy it sends out and drops any packet that already carries it;
 * that tag is the module's only protection against TEE loops.  It is set
 * up in xt_TEE_init().  Without conntrack the entry does not exist and
 * neither does the loop check.
 */
static struct nf_conn tee_track;
#endif

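/*
 * Route @skb (the private copy made by xt_TEE_target()) towards the TEE
 * gateway.  The lookup key is the packet's own destination, replaced by
 * info->gw when the rule gave one, plus the packet's TOS and scope
 * RT_SCOPE_UNIVERSE.  No output interface is forced (.oif = 0; the old
 * ifindex key went away together with route_gw()) and the source address
 * is left for the routing code to pick (.saddr = 0).
 *
 * On success skb->dst points to the new route, skb->dev is that route's
 * output device and skb->protocol is ETH_P_IP; the previous skb->dst
 * reference, if any, has been dropped.  On failure the skb is untouched
 * and still owned by the caller, which must free it.
 *
 * Nothing here rejects a route that leads back into this host; loop
 * prevention rests entirely on the tee_track tag checked in
 * xt_TEE_target(), which is compiled out without CONFIG_NF_CONNTRACK.
 *
 * RETURN: true  - routed; skb->dst and skb->dev are set
 *         false - no route found; skb unchanged
 */
static bool route(struct sk_buff *skb,
                  const struct xt_TEE_info *info)
{
	const struct iphdr *iph = ip_hdr(skb);
	struct rtable *rt;
	int err;
	struct flowi fl = {
		.oif = 0,
		.nl_u = {
			.ip4_u = {
				.daddr = iph->daddr,
				.saddr = 0,
				.tos   = RT_TOS(iph->tos),
				.scope = RT_SCOPE_UNIVERSE,
			}
		}
	};

	/* The rule's --gw, when given, overrides the packet's destination. */
	if (info->gw != 0)
		fl.fl4_dst = info->gw;

	/* Ordinary lookup in the standard routing table. */
	err = ip_route_output_key(&rt, &fl);
	if (err != 0) {
		/*
		 * KBUILD_MODNAME is pasted straight onto the message, so the
		 * format needs its own separator and a trailing newline.
		 */
		if (net_ratelimit())
			pr_debug(KBUILD_MODNAME ": could not route pkt (err: %d)\n",
			         err);
		return false;
	}

	/* Swap whatever route the copy carried for the one just found. */
	dst_release(skb->dst);
	skb->dst      = &rt->u.dst;
	skb->dev      = skb->dst->dev;
	skb->protocol = htons(ETH_P_IP);
	return true;
}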

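/*
 * Transmit @skb on the route already attached to it (taken from
 * ip_finish_output2).
 *
 * PRE : skb->dst is not NULL and skb->dev is the device to leave by
 *       (both are set by route()).
 * POST: the packet has been handed to the cached-header or neighbour
 *       output path, or freed on error.  Either way @skb is consumed;
 *       the caller must not touch it afterwards.
 */
static void ip_direct_send(struct sk_buff *skb)
{
	const struct dst_entry *dst  = skb->dst;
	const struct net_device *dev = dst->dev;
	unsigned int hh_len = LL_RESERVED_SPACE(dev);

	/*
	 * Make room for the link-layer header when the device needs one and
	 * the copy lacks the headroom.  @dst was read once above, so the
	 * reallocation does not change which route is used below.
	 */
	if (unlikely(skb_headroom(skb) < hh_len && dev->hard_header != NULL)) {
		struct sk_buff *skb2 = skb_realloc_headroom(skb, hh_len);

		if (skb2 == NULL) {
			kfree_skb(skb);
			return;
		}
		if (skb->sk != NULL)
			skb_set_owner_w(skb2, skb->sk);
		kfree_skb(skb);
		skb = skb2;
	}

	if (dst->hh != NULL) {
		/* Cached hardware header: fast path. */
		neigh_hh_output(dst->hh, skb);
	} else if (dst->neighbour != NULL) {
		/* Let the neighbour code build (or resolve) the header. */
		dst->neighbour->output(skb);
	} else {
		/* Separator added: KBUILD_MODNAME is pasted onto the message. */
		if (net_ratelimit())
			pr_debug(KBUILD_MODNAME ": no hdr & no neighbour cache!\n");
		kfree_skb(skb);
	}
}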

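/*
 * Send a copy of every matching packet to the --gw of the rule and let
 * the original continue untouched (XT_CONTINUE on every path).
 *
 * Loop prevention: with conntrack available the copy is tagged with the
 * private &tee_track conntrack (the "route_tee_track" of older comments);
 * a packet arriving with that tag has already been TEE'd once and is
 * dropped.  Without CONFIG_NF_CONNTRACK the tag does not exist and
 * nothing stops a copy from being TEE'd again.
 *
 * The copy is owned by this function until ip_direct_send() takes it;
 * on every earlier failure it is freed here.  Previously it leaked when
 * the rule had no --gw and when route() failed.
 */
static unsigned int
xt_TEE_target(struct sk_buff **pskb, const struct net_device *in,
              const struct net_device *out, unsigned int hooknum,
              const struct xt_target *target, const void *targinfo)
{
	const struct xt_TEE_info *info = targinfo;
	struct sk_buff *skb = *pskb;

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	if (skb->nfct == &tee_track.ct_general) {
		/* Already a TEE copy: routing it again would loop. */
		if (net_ratelimit())
			pr_debug(KBUILD_MODNAME ": loopback - DROP!\n");
		return NF_DROP;
	}
#endif

	/*
	 * --gw is the only routing key; without it there is nothing to do.
	 * Checked before the copy is made, so there is nothing to leak.
	 */
	if (info->gw == 0) {
		if (net_ratelimit())
			pr_debug(KBUILD_MODNAME ": no parameter!\n");
		return XT_CONTINUE;
	}

	/*
	 * Work on a private copy; the original continues as if nothing
	 * happened.  skb_copy() duplicates header and data, so the edits
	 * below never touch a buffer that may be shared with other users.
	 */
	skb = skb_copy(*pskb, GFP_ATOMIC);
	if (skb == NULL) {
		if (net_ratelimit())
			pr_debug(KBUILD_MODNAME ": copy failed!\n");
		return XT_CONTINUE;
	}

	/*
	 * In INPUT the length may have changed through defragmentation, so
	 * the IP checksum of the copy has to be recomputed.  Done on the
	 * copy rather than on *pskb, which leaves the original header alone.
	 */
	if (hooknum == NF_IP_LOCAL_IN) {
		struct iphdr *iph = ip_hdr(skb);
		iph->check = 0;
		iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
	}

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	/*
	 * Detach the copy from conntrack (it leaves with a destination that
	 * may be our own address, which could confuse the tracker) and tag it
	 * with &tee_track so a re-entering copy is recognised above.
	 */
	nf_conntrack_put(skb->nfct);
	skb->nfct     = &tee_track.ct_general;
	skb->nfctinfo = IP_CT_NEW;
	nf_conntrack_get(skb->nfct);
#endif

	if (route(skb, info))
		ip_direct_send(skb);	/* consumes the copy */
	else
		kfree_skb(skb);		/* no route: release the copy */

	return XT_CONTINUE;
}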

/*
 * Registration record: IPv4 only, mangle table, every hook.  There is no
 * .checkentry, so a rule without --gw is accepted at load time and only
 * refused per packet inside xt_TEE_target().
 */
static struct xt_target xt_TEE_reg __read_mostly = {
	.name       = "TEE",
	.family     = AF_INET,
	.table      = "mangle",
	.target     = xt_TEE_target,
	.targetsize = sizeof(struct xt_TEE_info),
	.me         = THIS_MODULE,
	/* All five IPv4 hooks; only LOCAL_IN gets special handling. */
	.hooks      = (1 << NF_IP_PRE_ROUTING) |
	              (1 << NF_IP_LOCAL_IN) |
	              (1 << NF_IP_FORWARD) |
	              (1 << NF_IP_LOCAL_OUT) |
	              (1 << NF_IP_POST_ROUTING),
};

/*
 * Module init: prepare the fake conntrack (when conntrack is built) and
 * register the target.  Returns whatever xt_register_target() returns.
 */
static int __init xt_TEE_init(void)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	/*
	 * Set up the fake conntrack (stolen from raw.patch).  It lives in
	 * static storage and is never put into any hash; the reference taken
	 * here keeps it alive for the module's lifetime, and every TEE copy
	 * takes one more in xt_TEE_target().
	 */
	atomic_set(&tee_track.ct_general.use, 1);

	/* Make it look like a confirmed connection. */
	set_bit(IPS_CONFIRMED_BIT, &tee_track.status);

	/* Mark NAT as already done so the NAT code skips TEE copies. */
	tee_track.status |= IPS_NAT_DONE_MASK;
#endif

	return xt_register_target(&xt_TEE_reg);
}

/*
 * Module exit: unregister the target.  tee_track is static storage that
 * is never hashed or freed, so there is nothing to release for it here.
 * NOTE(review): unregistering does not wait for copies already handed to
 * the transmit path; whether such a copy can still reference tee_track
 * after the module is gone should be confirmed.
 */
static void __exit xt_TEE_exit(void)
{
	xt_unregister_target(&xt_TEE_reg);
	/* SC: should we not clean up tee_track here? */
}

/* Module metadata first, entry points last. */
MODULE_AUTHOR("Sebastian Classen <sebastian.classen@xxxxxxxxxx>, Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>");
MODULE_DESCRIPTION("netfilter TEE target module");
MODULE_LICENSE("GPL");
module_init(xt_TEE_init);
module_exit(xt_TEE_exit);
