Le lundi 21 mars 2011 Ã 23:39 +0100, Eric Dumazet a Ãcrit :
> Le lundi 21 mars 2011 Ã 23:25 +0100, Florian Westphal a Ãcrit :
> > ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
> > to an interface, but this flag cannot be set via struct flowi.
> >
> > Also, it cannot be set via ip6_route_output: this function uses the
> > passed sock struct to determine if this flag is required
> > (by testing for nonzero sk_bound_dev_if).
> >
> > Work around this by passing in an artificial struct sk in case
> > 'strict' argument is true.
> >
> > This is required to replace the rt6_lookup call in xt_addrtype.c with
> > nf_afinfo->route().
> >
> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> > ---
> > Patrick,
> >
> > the change in nf_ip6_route() is very ugly, but I found no
> > other way to set RT6_LOOKUP_F_IFACE.
> >
> > rt6_lookup() can't be used instead of ip6_route_output
> > since it does not take a flowi argument...
> >
> > include/linux/netfilter.h | 2 +-
> > net/ipv4/netfilter.c | 2 +-
> > net/ipv6/netfilter.c | 14 ++++++++++++--
> > net/netfilter/nf_conntrack_h323_main.c | 8 ++++----
> > net/netfilter/xt_TCPMSS.c | 2 +-
> > 5 files changed, 19 insertions(+), 9 deletions(-)
> >
> > diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> > index 20ed452..7fa95df 100644
> > --- a/include/linux/netfilter.h
> > +++ b/include/linux/netfilter.h
> > @@ -271,7 +271,7 @@ struct nf_afinfo {
> > unsigned int len,
> > u_int8_t protocol);
> > int (*route)(struct net *net, struct dst_entry **dst,
> > - struct flowi *fl);
> > + struct flowi *fl, bool strict);
> > void (*saveroute)(const struct sk_buff *skb,
> > struct nf_queue_entry *entry);
> > int (*reroute)(struct sk_buff *skb,
> > diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> > index 138e106..87f20e8 100644
> > --- a/net/ipv4/netfilter.c
> > +++ b/net/ipv4/netfilter.c
> > @@ -218,7 +218,7 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
> > }
> >
> > static int nf_ip_route(struct net *net, struct dst_entry **dst,
> > - struct flowi *fl)
> > + struct flowi *fl, bool strict __always_unused)
> > {
> > return ip_route_output_key(net, (struct rtable **)dst, fl);
> > }
> > diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
> > index 9e1b3e4..f237d58 100644
> > --- a/net/ipv6/netfilter.c
> > +++ b/net/ipv6/netfilter.c
> > @@ -90,9 +90,19 @@ static int nf_ip6_reroute(struct sk_buff *skb,
> > }
> >
> > static int nf_ip6_route(struct net *net, struct dst_entry **dst,
> > - struct flowi *fl)
> > + struct flowi *fl, bool strict)
> > {
> > - *dst = ip6_route_output(net, NULL, fl);
> > + static const struct ipv6_pinfo fake_pinfo;
> > + static const struct inet_sock fake_sk = {
> > + /* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
> > + .sk.sk_bound_dev_if = 1,
> > + .pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
> > + };
> > + struct sock *sk = NULL;
> > +
> > + if (strict)
> > + sk = (struct sock *) &fake_sk;
> > + *dst = ip6_route_output(net, sk, fl);
> > return (*dst)->error;
> > }
> >
>
> Wow... I can tell you David will not accept this...
>
> This is about 800 bytes on stack, initted, so quite a huge cost for this
> function.
>
Ah sorry, I missed the "static const". Maybe I should just sleep now ;)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
