Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Mon, Feb 16, 2015 at 06:54:04PM +0100, Florian Westphal wrote:
> > diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c > > index d05b364..68e0bb4 100644 > > --- a/net/ipv6/netfilter/nf_reject_ipv6.c > > +++ b/net/ipv6/netfilter/nf_reject_ipv6.c > > @@ -208,4 +208,39 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook) > > } > > EXPORT_SYMBOL_GPL(nf_send_reset6); > > > > +static bool reject6_csum_ok(struct sk_buff *skb, int hook) > > +{ > > + const struct ipv6hdr *ip6h = ipv6_hdr(skb); > > + int thoff; > > + __be16 fo; > > + u8 proto; > > + > > + if (skb->csum_bad) > > + return false; > > + > > + if (skb_csum_unnecessary(skb)) > > + return true; > > + > > + proto = ip6h->nexthdr; > > + thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo); > > + > > + if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0) > > + return false;
>
> I think you can use thoff and fragoff from struct xt_action_param, so
> we can save some cycles here.

No, I don't think so. Seems it's only set for rules that use "-p" option,
see f.e. net/ipv6/netfilter/ip6_tables.c which fills this only in case we have

	/* look for the desired protocol header */
	if((ip6info->flags & IP6T_F_PROTO)) {

in ip6_packet_match().

> I can take over these patches and make these changes if you like, let
> me know.

Thanks. I have no objections if you can find a way to avoid
ipv6_skip_exthdr() call.
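
Review bot: the combined test `if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)` in reject6_csum_ok() folds three distinct conditions into one uncommented `return false`: a failure from ipv6_skip_exthdr(), a transport offset at or past the end of the skb, and a non-zero fragment offset. A short comment stating that in each of these cases the transport checksum cannot be validated from this skb, and what a false return means for the caller, would make the intent reviewable; splitting the fragment check onto its own line with its own comment would also help. As a style point in the same hunk, `((u8*)(ip6h+1) - skb->data)` would normally be written `(u8 *)(ip6h + 1) - skb->data` under kernel coding style.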