Patchwork [RFC,2/4] netfilter: Add new argument to enqueue handlers

login
register
mail settings
Submitter Krishna Kumar
Date May 7, 2012, 6:04 a.m.
Message ID <20120507060400.19528.30381.sendpatchset@localhost.localdomain>
Download mbox | patch
Permalink /patch/157224/
State Superseded
Headers show

Comments

Krishna Kumar - May 7, 2012, 6:04 a.m.
Add a new argument to enqueue handlers. Change handlers to return
>0 value to signify "failopen".  This value is not passed up the
stack but intercepted by nf_queue() which calls okfn() and returns
0 to upper layers. This also means ipqueue should return 0 and not
skb->len on success.

Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
 include/net/netfilter/nf_queue.h |    3 ++-
 net/ipv4/netfilter/ip_queue.c    |    5 +++--
 net/ipv6/netfilter/ip6_queue.c   |    5 +++--
 net/netfilter/nf_queue.c         |    2 +-
 net/netfilter/nfnetlink_queue.c  |   18 ++++++++++++------
 5 files changed, 21 insertions(+), 12 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff -ruNp org/include/net/netfilter/nf_queue.h new/include/net/netfilter/nf_queue.h
--- org/include/net/netfilter/nf_queue.h	2012-05-07 09:20:53.740752995 +0530
+++ new/include/net/netfilter/nf_queue.h	2012-05-07 09:20:53.818751053 +0530
@@ -20,7 +20,8 @@  struct nf_queue_entry {
 /* Packet queuing */
 struct nf_queue_handler {
 	int			(*outfn)(struct nf_queue_entry *entry,
-					 unsigned int queuenum);
+					 unsigned int queuenum,
+					 int failopen);
 	char			*name;
 };
 
diff -ruNp org/net/ipv4/netfilter/ip_queue.c new/net/ipv4/netfilter/ip_queue.c
--- org/net/ipv4/netfilter/ip_queue.c	2012-05-07 09:20:53.750813313 +0530
+++ new/net/ipv4/netfilter/ip_queue.c	2012-05-07 09:20:53.821751520 +0530
@@ -225,7 +225,8 @@  nlmsg_failure:
 }
 
 static int
-ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum,
+		   int failopen)
 {
 	int status = -EINVAL;
 	struct sk_buff *nskb;
@@ -262,7 +263,7 @@  ipq_enqueue_packet(struct nf_queue_entry
 	__ipq_enqueue_entry(entry);
 
 	spin_unlock_bh(&queue_lock);
-	return status;
+	return 0;
 
 err_out_free_nskb:
 	kfree_skb(nskb);
diff -ruNp org/net/ipv6/netfilter/ip6_queue.c new/net/ipv6/netfilter/ip6_queue.c
--- org/net/ipv6/netfilter/ip6_queue.c	2012-05-07 09:20:53.749814751 +0530
+++ new/net/ipv6/netfilter/ip6_queue.c	2012-05-07 09:20:53.819751460 +0530
@@ -225,7 +225,8 @@  nlmsg_failure:
 }
 
 static int
-ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ipq_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum,
+		   int failopen)
 {
 	int status = -EINVAL;
 	struct sk_buff *nskb;
@@ -262,7 +263,7 @@  ipq_enqueue_packet(struct nf_queue_entry
 	__ipq_enqueue_entry(entry);
 
 	spin_unlock_bh(&queue_lock);
-	return status;
+	return 0;
 
 err_out_free_nskb:
 	kfree_skb(nskb);
diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c
--- org/net/netfilter/nfnetlink_queue.c	2012-05-07 09:20:53.757813707 +0530
+++ new/net/netfilter/nfnetlink_queue.c	2012-05-07 09:20:53.830751555 +0530
@@ -401,7 +401,8 @@  nla_put_failure:
 }
 
 static int
-nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum,
+		     int failopen)
 {
 	struct sk_buff *nskb;
 	struct nfqnl_instance *queue;
@@ -432,11 +433,16 @@  nfqnl_enqueue_packet(struct nf_queue_ent
 		goto err_out_free_nskb;
 	}
 	if (queue->queue_total >= queue->queue_maxlen) {
-		queue->queue_dropped++;
-		if (net_ratelimit())
-			  printk(KERN_WARNING "nf_queue: full at %d entries, "
-				 "dropping packets(s).\n",
-				 queue->queue_total);
+		if (failopen) {
+			/* Accept the packet temporarily skipping rules */
+			err = 1;
+		} else {
+			queue->queue_dropped++;
+			if (net_ratelimit())
+				  printk(KERN_WARNING "nf_queue: full at %d "
+					 "entries, dropping packets(s).\n",
+					 queue->queue_total);
+		}
 		goto err_out_free_nskb;
 	}
 	entry->id = ++queue->id_sequence;
diff -ruNp org/net/netfilter/nf_queue.c new/net/netfilter/nf_queue.c
--- org/net/netfilter/nf_queue.c	2012-05-07 09:20:53.754813853 +0530
+++ new/net/netfilter/nf_queue.c	2012-05-07 10:15:51.882590018 +0530
@@ -185,7 +185,7 @@  static int __nf_queue(struct sk_buff *sk
 #endif
 	skb_dst_force(skb);
 	afinfo->saveroute(skb, entry);
-	status = qh->outfn(entry, queuenum);
+	status = qh->outfn(entry, queuenum, 0);
 
 	rcu_read_unlock();