On Fri, Jun 22, 2018 at 06:24:51PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > On Thu, Jun 21, 2018 at 04:31:48PM +0200, Florian Westphal wrote:
> > > Máté Eckl wrote:
> > > > > This looks like it's subtly broken, inherited from xt_TPROXY.
> > > > > Above skb_header_pointer uses sizeof(u
Máté Eckl wrote:
> On Thu, Jun 21, 2018 at 04:31:48PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > > This looks like it's subtly broken, inherited from xt_TPROXY.
> > > > Above skb_header_pointer uses sizeof(udphdr) only, but
> > > > nf_tproxy_get_sock_v4
> > > > assumes it gets tcph
On Thu, Jun 21, 2018 at 04:31:48PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > > This looks like it's subtly broken, inherited from xt_TPROXY.
> > > Above skb_header_pointer uses sizeof(udphdr) only, but
> > > nf_tproxy_get_sock_v4
> > > assumes it gets tcphdr (it checks th->doff, and th
On Wed, Jun 20, 2018 at 02:18:25PM +0200, Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
>
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > +
Máté Eckl wrote:
> > This looks like it's subtly broken, inherited from xt_TPROXY.
> > Above skb_header_pointer uses sizeof(udphdr) only, but nf_tproxy_get_sock_v4
> > assumes it gets tcphdr (it checks th->doff, and that might be garbage).
>
> I thought about why iptables uses udphdr consequently
On Wed, Jun 20, 2018 at 01:36:49PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > There are some changes compared to the iptables implementation:
> > - tproxy statement is not terminal here
> > - no transport protocol criterion is necessary to set target ip address
>
> > + const struct
Hi Máté,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url: https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-Add-native-tproxy-support-for-nf_tables/20180620-222749
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
On Wed, Jun 20, 2018 at 02:40:09PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > A few comments on top of Florian's.
> >
> > On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> > [...]
> > > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > > +static void nft_tproxy_eval_v6(cons
Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
>
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > + struct nft_regs *regs,
> >
A few comments on top of Florian's.
On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
[...]
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct n
Máté Eckl wrote:
> There are some changes compared to the iptables implementation:
> - tproxy statement is not terminal here
> - no transport protocol criterion is necessary to set target ip address
> + const struct nft_tproxy *priv = nft_expr_priv(expr);
> + struct sk_buff *skb = pkt->
This patch is built on the commit not applied yet with the title:
netfilter: Move nf_tproxy_assign_sock to nf_tproxy.h
-- 8< --
A great portion of the code is taken from xt_TPROXY.c
There are some changes compared to the iptables implementation:
- tproxy statement is not terminal here
-