Hi Subash,

One more concern before this gets upstream.

On Wed, Jan 03, 2018 at 09:24:47PM -0700, Subash Abhinov Kasiviswanathan wrote:
> conntrack defrag is needed only if some module like CONNTRACK or NAT
> explicitly requests it. For plain forwarding scenarios, defrag is
> not needed and can be skipped if NOTRACK is set in a rule.
> 
> Since conntrack defrag is currently higher priority than raw table,
> setting NOTRACK is not sufficient. We need to move raw to a higher
> priority for iptables only.
> 
> This is achieved by introducing a module parameter which allows to
> modify the priority. By default, the priority is NF_IP_PRI_RAW to
> support legacy behavior.
> 
> v1->v2: Instead of modifying NF_IP_PRI_RAW itself, use a module
> parameter to pass in the priority during module load as suggested
> by Pablo. Also update commit text.
> 
> v2->v3: Implement similar functionality for IPv6 as well
> 
> Signed-off-by: Subash Abhinov Kasiviswanathan <[email protected]>
> ---
>  net/ipv4/netfilter/iptable_raw.c          | 14 +++++++++++++-
>  net/ipv4/netfilter/nf_defrag_ipv4.c       |  2 +-
>  net/ipv6/netfilter/ip6table_raw.c         | 14 +++++++++++++-
>  net/ipv6/netfilter/nf_defrag_ipv6_hooks.c |  3 +++
>  4 files changed, 30 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/iptable_raw.c 
> b/net/ipv4/netfilter/iptable_raw.c
> index 2642ecd..607392b 100644
> --- a/net/ipv4/netfilter/iptable_raw.c
> +++ b/net/ipv4/netfilter/iptable_raw.c
> @@ -12,7 +12,11 @@
>  
>  static int __net_init iptable_raw_table_init(struct net *net);
>  
> -static const struct xt_table packet_raw = {
> +static int priority __read_mostly = NF_IP_PRI_RAW;
> +MODULE_PARM_DESC(priority, "Priority of IPv4 raw table (NF_IP_PRI_RAW)");
> +module_param(priority, int, 0000);

Do you think we can turn this into an on/off knob instead?

I mean, I think it's good if you add a new
NF_IP_PRI_RAW_BEFORE_DEFRAG and we place it into uapi.

I'm just worried about follow-up patches from people asking to make
this flexible in all other existing tables; I would like this not to
happen :-).

> +
> +static struct xt_table packet_raw = {
>       .name = "raw",
>       .valid_hooks =  RAW_VALID_HOOKS,
>       .me = THIS_MODULE,
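Review bot: the MODULE_PARM_DESC for the new `priority` parameter names only the default, not the range that iptable_raw_init() will actually accept (strictly between NF_IP_PRI_FIRST and NF_IP_PRI_CONNTRACK_DEFRAG, per the check in the next hunk), and values outside it are dropped without complaint, so please spell the range out in the description, e.g. `MODULE_PARM_DESC(priority, "Priority of IPv4 raw table, above NF_IP_PRI_FIRST and below NF_IP_PRI_CONNTRACK_DEFRAG (default NF_IP_PRI_RAW)");`. Dropping `const` from `packet_raw` is required because `.priority` is patched in at init time, and the 0000 permission is appropriate since the value is only read once at module load; a sentence in the commit message explaining why the table can no longer be const would help future readers.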
> @@ -70,6 +74,14 @@ static int __init iptable_raw_init(void)
>  {
>       int ret;
>  
> +     if (priority < NF_IP_PRI_CONNTRACK_DEFRAG &&
> +         priority > NF_IP_PRI_FIRST) {
> +             packet_raw.priority = priority;
> +
> +             pr_info("iptable_raw: Using custom rule priority=%d\n",
                         ^^^^^^^^^^^^
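Review bot: the range check in iptable_raw_init() silently falls back to the static NF_IP_PRI_RAW when an out-of-range value is passed, and the pr_info() fires only on the accepted path, so an operator who loads the module with a bad value gets no hint that conntrack defrag still runs ahead of the raw table. Either reject the value with -EINVAL from the init function or at least pr_warn() the ignored value and the default that is kept. The default NF_IP_PRI_RAW is not below NF_IP_PRI_CONNTRACK_DEFRAG, so it correctly bypasses this block and keeps the initializer; the same consideration applies to the ip6table_raw side, which is not shown here.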

Probably better if you add:

        #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

in this patch while on this.

Thanks for your patience, we're almost there.