Re: [PATCH -next v3] netfilter: reject: don't send icmp error if csum is invalid

On Mon, Mar 02, 2015 at 12:33:47PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Mon, Feb 16, 2015 at 06:54:04PM +0100, Florian Westphal wrote:
> > > diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
> > > index d05b364..68e0bb4 100644
> > > --- a/net/ipv6/netfilter/nf_reject_ipv6.c
> > > +++ b/net/ipv6/netfilter/nf_reject_ipv6.c
> > > @@ -208,4 +208,39 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
> > >  }
> > >  EXPORT_SYMBOL_GPL(nf_send_reset6);
> > >  
> > > +static bool reject6_csum_ok(struct sk_buff *skb, int hook)
> > > +{
> > > +	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
> > > +	int thoff;
> > > +	__be16 fo;
> > > +	u8 proto;
> > > +
> > > +	if (skb->csum_bad)
> > > +		return false;
> > > +
> > > +	if (skb_csum_unnecessary(skb))
> > > +		return true;
> > > +
> > > +	proto = ip6h->nexthdr;
> > > +	thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo);
> > > +
> > > +	if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
> > > +		return false;
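Review bot: in reject6_csum_ok(), the fragment test `(fo & htons(~0x7)) != 0` has no comment saying why a non-zero fragment offset makes the function return false. A one-line comment above the `if` would make the intent clear to the next reader, for example that a non-first fragment carries no transport header at thoff that could be checksummed. On the `ipv6_skip_exthdr()` line just above, the cast and arithmetic should follow kernel spacing, `(u8 *)(ip6h + 1)` rather than `(u8*)(ip6h+1)`, and the outer parentheses around the pointer difference can be dropped.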
> > 
> > I think you can use thoff and fragoff from struct xt_action_param, so
> > we can save some cycles here.
> 
> No, I don't think so.  Seems it's only set for rules that use "-p" option,
> see f.e.
> 
> net/ipv6/netfilter/ip6_tables.c which fills this only in case we have
> 
>         /* look for the desired protocol header */
>         if((ip6info->flags & IP6T_F_PROTO)) {
> 
> in ip6_packet_match().

Right, I'll enqueue this for the next pull request, sorry.