Hi,

while looking into making xt_TARPIT ready for inclusion into mainline, I was at the same time looking at REJECT to see if any new constructs to packet crafting and sending have been introduced lately. There I notice a big difference between the ipv4 and ipv6 paths: The

    memset(&fl6, 0, sizeof(fl6));
    fl6.flowi6_proto = IPPROTO_TCP;
    fl6.saddr = oip6h->daddr;
    fl6.daddr = oip6h->saddr;
    fl6.fl6_sport = otcph.dest;
    fl6.fl6_dport = otcph.source;
    security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
    dst = ip6_route_output(net, NULL, &fl6);
    [...]

segment is completely absent in ipv4, and there is not really a comment about it why IPv6 would need it -- other than to please the LSM with flow information, and to see that output routing yields non-NULL. The xfrm lookup is also absent from ipt_REJECT.

Furthermore, ip6t_REJECT has this squiggly allocation logic:

    hh_len = (dst->dev->hard_header_len + 15)&~15;
    nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
                     + sizeof(struct tcphdr) + dst->trailer_len,
                     GFP_ATOMIC);

while ipt_REJECT keeps it simple:

    nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
                     LL_MAX_HEADER, GFP_ATOMIC);

What could be the reason? Is the v6 code mostly superfluous now?