On 2018-02-20 16:01, Pablo Neira Ayuso wrote:
> On Tue, Feb 20, 2018 at 03:49:50PM +0100, Felix Fietkau wrote:
>> -unsigned int
>> -nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
>> - const struct nf_hook_state *state)
>> -{
>> - struct flow_offload_tuple_rhash *tuplehash;
>> - struct nf_flowtable *flow_table = priv;
>> - struct flow_offload_tuple tuple = {};
>> - enum flow_offload_tuple_dir dir;
>> - struct flow_offload *flow;
>> - struct net_device *outdev;
>> - struct in6_addr *nexthop;
>> - struct ipv6hdr *ip6h;
>> - struct rt6_info *rt;
>> -
>> - if (skb->protocol != htons(ETH_P_IPV6))
>> - return NF_ACCEPT;
>> -
>> - if (nf_flow_tuple_ipv6(skb, state->in, &tuple) < 0)
>> - return NF_ACCEPT;
>> -
>> - tuplehash = flow_offload_lookup(flow_table, &tuple);
>> - if (tuplehash == NULL)
>> - return NF_ACCEPT;
>> -
>> - outdev = dev_get_by_index_rcu(state->net, tuplehash->tuple.oifidx);
>> - if (!outdev)
>> - return NF_ACCEPT;
>> -
>> - dir = tuplehash->tuple.dir;
>> - flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
>> - rt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache;
>> -
>> - if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
>> - return NF_ACCEPT;
>> -
>> - if (skb_try_make_writable(skb, sizeof(*ip6h)))
>> - return NF_DROP;
>> -
>> - if (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) &&
>> - nf_flow_nat_ipv6(flow, skb, dir) < 0)
>> - return NF_DROP;
>> -
>> - flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
>> - ip6h = ipv6_hdr(skb);
>> - ip6h->hop_limit--;
>> -
>> - skb->dev = outdev;
>> - nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
>> - neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
>> -
>> - return NF_STOLEN;
>> -}
>> -EXPORT_SYMBOL_GPL(nf_flow_offload_ipv6_hook);
>
> Why do you need to move the hook function to this new core file?
For backporting flow table support to xtables I need to move this to a
source file that doesn't depend on nftables or ipv6 directly.
- Felix
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
