On Wednesday 2010-03-17 14:35, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> +static void tee_tg_send(struct sk_buff *skb) >> +{ >> + const struct dst_entry *dst = skb_dst(skb); >> + const struct net_device *dev = dst->dev; >> + unsigned int hh_len = LL_RESERVED_SPACE(dev); >> + >> + /* Be paranoid, rather than too clever. */ ...
>
>Remind me again why we need this duplicated output function?

:
>> + /* >> + * Normally, we would just use ip_local_out. Because iph->check is >> + * already correct, we could take a shortcut and call dst_output >> + * [forwards to ip_output] directly. ip_output however will invoke >> + * Netfilter hooks [ok we can skip these with IPSKB_REROUTED] >> and cause reentrancy. So we skip that too and go >> + * directly to ip_finish_output.

And since we don't want fragmentation, we would need to call ip_finish_output2. That function is not exported, so it is copied.

I am not even sure what the IPv4 layer does when it has to fragment a fragment (because fragments don't seem to carry IP_DF). Setting IP_DF on the cloned skb could possibly lead to a Packet Too Big being sent back to the original sender - which should probably be avoided too.

So removing the copied code does not look that easy.
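
Review bot: in tee_tg_send the declarations read dst->dev and compute LL_RESERVED_SPACE(dev) before the "Be paranoid" block runs, so a check on skb_dst(skb) placed in that block would come after the dereference. Either move the dev and hh_len initialisation below the check, or state in the function comment that callers only pass an skb whose dst is already set. The long comment explaining why ip_local_out, dst_output and ip_output are bypassed would also be easier to review if it said explicitly that the function body duplicates unexported core code, so that readers know it has to be kept in step with the original.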