On Sat, Jun 01, 2019 at 10:27:06PM -0400, Stephen Suryaputra wrote:
> On Mon, Jun 03, 2019 at 02:30:06PM +0200, Pablo Neira Ayuso wrote:
> > > I developed this patchset to suit my employer needs and there is no plan
> > > for a follow up patchset, however I think non-zero offset might be useful
> > > in the future for tunneled packets.
> >
> > For tunneled traffic, we can store the network offset in the
> > nft_pktinfo object. Then, add a new extension to update this network
> > offset to point to the network offset inside the tunnel header, and
> > use this pkt->network_offset everywhere.
>
> OK. I'm changing so that offset isn't being used as input. But, it's
> still being passed as reference for output. See further response
> below...
>
> > I think this new IPv4 options extension should use priv->offset to
> > match fields inside the IPv4 option specifically, just like in the
> > IPv6 extensions and TCP options do. If you look on how the
> > priv->offset is used in the existing code, this offset points to
> > values that the specific option field conveys.
>
> I believe that's what I have coded:
>
> err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type, NULL, NULL);
> if (priv->flags & NFT_EXTHDR_F_PRESENT) {
> *dest = (err >= 0);
> return;
> } else if (err < 0) {
> goto err;
> }
> offset += priv->offset;
>
> offset is returned as the offset where it matches the sought priv->type
> then priv->offset is added to get to the right field between the offset.
I see, thanks for explaining.
I got me confused when I read this:
+ * Note that *offset is used as input/output parameter, and if it is not zero,
+ * then it must be a valid offset to an inner IPv4 header. This can be used
+ * to explore inner IPv4 header, eg. ICMP error messages.
I thought this is how the new extension for nftables is working. Not
the function.
And then, this chunk:
+ if (!offset)
+ return -EINVAL;
This never happens, right? offset is always set.
+ if (!*offset)
+ *offset = skb_network_offset(skb);
So this is not needed either.
I would remove those, you can add more code to ipv4_find_option()
later on as you get more clients in the networking tree. I'd suggest,
better remove code that is not used yet, then introduce it once
needed.
> If this is satisfactory, I can submit v2 of the kernel patch.
Please do so, so you get more feedback (if needed) and we move on :-)
Thanks!
