Re: NF [PATCH 2/4] xt_TEE

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Nov 26 2007 08:24, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Netfilter: Import xt_TEE
>> 
>> Originally from Sebastian Classen.
>> xt_TEE is the logical successor to ipt_ROUTE; routing based on
>> packet charactersitics is done using xt_MARK/iproute2/fwmark
>> nowadays, so what remains of ipt_ROUTE is the --tee option, which
>> xt_TEE implements.
>
> This still has the same problems I've been mentioning every time
> this or ROUTE has come up, which is missing IPsec support,
> duplication of the IP output path and lots of unnecessary cruft.
>
>> +struct xt_tee_target_info {
>> +	union {
>> +		/* Address of gateway */
>> +		u_int32_t gateway_v4;
>> +		u_int32_t gateway_v6[4];
>
> These should be __be32 or simply use in_addr/in6_addr. At some
> point it would be good to have a nf_inet_addr type (or something
> net/-wide) so we don't have to introduce more and more of these.
>
In include/net/netfilter/nf_conntrack_tuple.h there is
nf_conntrack_address, which would be perfectly suited for the task.
But I am not sure if I can use that, since it would have to be
exported to userspacce (would probably need to move the union to
include/linux/netfilter/ too). Thoughts?


>> +	/* Trying to route the packet using the standard routing table. */
>> +	err = ip_route_output_key(&rt, &fl);
>> +	if (err != 0) {
>> +		if (net_ratelimit())
>> +			pr_debug(KBUILD_MODNAME
>> +			         ": could not route packet (%d)", err);
>
> No need to log this IMO. Not being able to route a packet is a
> quite normal condition.
>
It is a pr_debug(), which is compiled out by default. But I'll
happily rip it.


>> +/*
>> + * Stolen from ip_finish_output2
>> + * PRE : skb->dev is set to the device we are leaving by
>> + *       skb->dst is not NULL
>> + * POST: the packet is sent with the link layer header pushed
>> + *       the packet is destroyed
>> + */
>> +static void tee_ip_direct_send(struct sk_buff *skb)
>> +{
>
> Why is this function needed? dst_output should do fine.
>
Could IPsec xfrmation perhaps recurse? Thinking of something like

	(iptables -F OUTPUT)
	iptables -A OUTPUT -j TEE --gw overthere

Now, if overthere leads to an xfrm tunnel, the kernel will create an ESP
packet, and also send it through OUTPUT, would not it? Then there be a
recursion if using ipsec-aware dst_output.
How valid is this thought?


>> +static void __exit tee_tg_exit(void)
>> +{
>> +	xt_unregister_target(&tee_tg_reg);
>> +	/* [SC]: shoud not we cleanup tee_track here? */
>
> No, but you need to wait until all references to it
> are gone.
>
What's the _put() function I need for it?



thanks,
Jan
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux