Re: [PATCH 1/4] netfilter: xtables: inclusion of xt_TEE


On Wednesday 14 April 2010 at 01:21 +0200, Jan Engelhardt wrote:
> xt_TEE can be used to clone and reroute a packet. This can for
> example be used to copy traffic at a router for logging purposes
> to another dedicated machine.
> 
> References: http://www.gossamer-threads.com/lists/iptables/devel/68781
> Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
> ---

Lovely :)


> +
> +static const union nf_inet_addr tee_zero_address;
> +
> +static struct net *pick_net(struct sk_buff *skb)
> +{

#ifdef CONFIG_NET_NS

> +	const struct net_device *dev;
> +	const struct dst_entry *dst;
> +
> +	if (skb->dev != NULL)
> +		return dev_net(skb->dev);
> +	dst = skb_dst(skb);
> +	if (dst != NULL && dst->dev != NULL)
> +		return dev_net(dst->dev);

#endif /* CONFIG_NET_NS */

> +	return &init_net;
> +}
> +
> +
> +static unsigned int
> +tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
> +{
> +	const struct xt_tee_tginfo *info = par->targinfo;
> +	struct iphdr *iph;
> +
> +	/*
> +	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
> +	 * the original skb, which should continue on its way as if nothing has
> +	 * happened. The copy should be independently delivered to the TEE
> +	 * --gateway.
> +	 */
> +	skb = skb_copy(skb, GFP_ATOMIC);
> +	if (skb == NULL)
> +		return XT_CONTINUE;
> +
> +#ifdef WITH_CONNTRACK
> +	/* Avoid counting cloned packets towards the original connection. */
> +	nf_conntrack_put(skb->nfct);
> +	skb->nfct     = &nf_conntrack_untracked.ct_general;
> +	skb->nfctinfo = IP_CT_NEW;
> +	nf_conntrack_get(skb->nfct);
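Review bot: the "#ifdef WITH_CONNTRACK" guard in tee_tg4() relies on a macro whose definition is not visible in these lines and which is not a CONFIG_ symbol; a short comment at the guard (or testing the Kconfig symbol directly) would make it clear in which builds the copy is detached from the original connection and marked untracked. Separately, when skb_copy() returns NULL the function returns XT_CONTINUE with no trace, so for the traffic-logging use case in the commit message copies can go missing silently under memory pressure; a drop counter or a comment saying this is intentional would help whoever relies on the mirror being complete.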

This atomic increment on a global variable worries me... Would it be
possible to avoid it (and the associated decrement and test if null)?

I would like to use this TEE facility but with xxx kpps for instance ;)

> +#endif

