Hello.

In article <[EMAIL PROTECTED]> (at Mon, 21 Nov 2005 17:31:41 +0900), Kazunori 
Miyazawa <[EMAIL PROTECTED]> says:

> Your ip_xfrm_transport_hook is a good idea, I think.
> 
> We could call ip6_rcv_finish if the netfilter changed the addresses
> or otherwise we can continue the loop to avoid the cost in a similar
> way because we can know the change with checking skb->dst.

Well, I agree.

In article <[EMAIL PROTECTED]> (at Sun, 20 Nov 2005 17:31:36 +0100), Patrick 
McHardy <[EMAIL PROTECTED]> says:

> diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> index b93e7cd..3c39296 100644
> --- a/net/ipv4/netfilter.c
> +++ b/net/ipv4/netfilter.c
> @@ -105,6 +105,26 @@ int ip_dst_output(struct sk_buff *skb)
>       return dst_output(skb);
>  }
>  EXPORT_SYMBOL(ip_dst_output);
> +
> +/*
> + * okfn for transport mode xfrm_input.c hook. Basically a copy of
> + * ip_rcv_finish without statistics and option parsing.
> + */
> +int ip_xfrm_transport_hook(struct sk_buff *skb)
> +{
> +     struct iphdr *iph = skb->nh.iph;
> +
> +     if (likely(skb->dst == NULL)) {
> +             int err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
> +                                      skb->dev);
> +             if (unlikely(err))
> +                     goto drop;
> +     }
> +     return dst_input(skb);
> +drop:
> +     kfree_skb(skb);
> +     return NET_RX_DROP;
> +}
>  #endif /* CONFIG_XFRM */
>  
:
> @@ -129,7 +133,16 @@ int xfrm6_rcv_spi(struct sk_buff **pskb,
>               netif_rx(skb);
>               return -1;
>       } else {
> +#ifdef CONFIG_NETFILTER
> +             skb->nh.ipv6h->payload_len = htons(skb->len);
> +             __skb_push(skb, skb->data - skb->nh.raw);
> +
> +             NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
> +                     ip6_rcv_finish);
> +             return -1;
> +#else
>               return 1;
> +#endif
>       }
>  

We could probably do something similar for IPv6, e.g.:

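/*
 * okfn for the NF_IP6_PRE_ROUTING hook run from xfrm6_rcv_spi() on a
 * decapsulated transport-mode packet.  It expects the caller to have
 * pushed the IPv6 header back (skb->data == skb->nh.raw) after setting
 * skb->h.raw to the start of the inner transport header (see the
 * xfrm6_rcv_spi sketch below); this hook strips the network header
 * again so the caller can carry on parsing extension headers.
 *
 * Returns NET_RX_SUCCESS.  A NET_RX_DROP path only exists when the
 * re-routing block is compiled in; without it nothing here can fail,
 * so the drop label sits under the same #if to keep it reachable and
 * to avoid an unused-label warning and dead kfree_skb() code.
 */
int ip6_xfrm_transport_hook(struct sk_buff *skb)
{
#if 0 /* We NEVER support NAT. :-)  Re-route only if a hook cleared dst. */
	if (likely(skb->dst == NULL)) {
		int err = ip6_route_input(); /* sketch: argument list still to be filled in */
		if (unlikely(err))
			goto drop;
	}
#endif
	/*
	 * Undo the caller's __skb_push(): the unchecked pull is safe because
	 * the offset is exactly what the caller pushed.
	 */
	__skb_pull(skb, skb->h.raw - skb->nh.raw);
	return NET_RX_SUCCESS;
#if 0 /* only reachable from the re-routing block above */
drop:
	kfree_skb(skb);
	return NET_RX_DROP;
#endif
}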

:

      } else {
#ifdef CONFIG_NETFILTER
             skb->nh.ipv6h->payload_len = htons(skb->len);
             skb->h.raw = skb->data;
             __skb_push(skb, skb->data - skb->nh.raw);

             if (NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
                         ip6_xfrm_transport_hook) == NET_RX_DROP)
                 return -1;
#endif
             return 1;
      }

Then we can continue parsing the extension headers, I think.

-- 
YOSHIFUJI Hideaki @ USAGI Project  <[EMAIL PROTECTED]>
GPG-FP  : 9022 65EB 1ECF 3AD1 0BDF  80D8 4807 F894 E062 0EEA
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
