On Tue, Feb 20, 2018 at 04:06:11PM +0100, Felix Fietkau wrote:
> On 2018-02-20 16:01, Pablo Neira Ayuso wrote:
> > On Tue, Feb 20, 2018 at 03:49:50PM +0100, Felix Fietkau wrote:
> >> -unsigned int
> >> -nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
> >> - const struct nf_hook_state *state)
> >> -{
> >> - struct flow_offload_tuple_rhash *tuplehash;
> >> - struct nf_flowtable *flow_table = priv;
> >> - struct flow_offload_tuple tuple = {};
> >> - enum flow_offload_tuple_dir dir;
> >> - struct flow_offload *flow;
> >> - struct net_device *outdev;
> >> - struct in6_addr *nexthop;
> >> - struct ipv6hdr *ip6h;
> >> - struct rt6_info *rt;
> >> -
> >> - if (skb->protocol != htons(ETH_P_IPV6))
> >> - return NF_ACCEPT;
> >> -
> >> - if (nf_flow_tuple_ipv6(skb, state->in, &tuple) < 0)
> >> - return NF_ACCEPT;
> >> -
> >> - tuplehash = flow_offload_lookup(flow_table, &tuple);
> >> - if (tuplehash == NULL)
> >> - return NF_ACCEPT;
> >> -
> >> - outdev = dev_get_by_index_rcu(state->net, tuplehash->tuple.oifidx);
> >> - if (!outdev)
> >> - return NF_ACCEPT;
> >> -
> >> - dir = tuplehash->tuple.dir;
> >> - flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
> >> - rt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache;
> >> -
> >> - if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
> >> - return NF_ACCEPT;
> >> -
> >> - if (skb_try_make_writable(skb, sizeof(*ip6h)))
> >> - return NF_DROP;
> >> -
> >> - if (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) &&
> >> - nf_flow_nat_ipv6(flow, skb, dir) < 0)
> >> - return NF_DROP;
> >> -
> >> - flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
> >> - ip6h = ipv6_hdr(skb);
> >> - ip6h->hop_limit--;
> >> -
> >> - skb->dev = outdev;
> >> - nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
> >> - neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
> >> -
> >> - return NF_STOLEN;
> >> -}
> >> -EXPORT_SYMBOL_GPL(nf_flow_offload_ipv6_hook);
> >
> > Why do you need to move 
the hook function to this new core file? > > For backporting flow table support to xtables I need to move this to a > source file that doesn't depend on nftables or ipv6 directly. I guess this is related to net/netfilter/xt_FLOWOFFLOAD.c. You probably could add net/ipv4/netfilter/ipt_FLOWOFFLOAD.c and net/ipv6/netfilter/ip6t_FLOWOFFLOAD.c, so we can skip placing ipv4 and ipv6 code in the same file.