Date: Mon, 7 Jun 2010 16:55:58 +0200
From: Jiri Olsa
To: Patrick McHardy
Cc: netdev@vger.kernel.org
Subject: Re: no reassembly for outgoing packets on RAW socket

On Fri, Jun 04, 2010 at 02:03:17PM +0200, Patrick McHardy wrote:
> Jiri Olsa wrote:
> > hi,
> >
> > I'd like to be able to send out a single IP packet with MF flag set.
> >
> > When using RAW sockets the packet will get stuck in the
> > netfilter (NF_INET_LOCAL_OUT nf_defrag_ipv4 reassembly unit)
> > and won't ever make it out..
> >
> > I made a change which bypasses the outgoing reassembly for
> > RAW sockets, but I'm not sure whether it's too invasive..
>
> That would break reassembly (and thus connection tracking) for cases
> where it's really intended.
>
> > Is there any standard for RAW sockets behaviour?
> > Or another way around? :)
>
> You could use the NOTRACK target to bypass connection tracking.

ok, I tried the NOTRACK target, but the packet is still going through
reassembly, because the RAW filter has lower priority than the connection
track defragmentation..

I was able to get it bypassed by the attached patch and the following command:

    iptables -v -t raw -A OUTPUT -p icmp -j NOTRACK

again, not sure if this is too invasive ;)

If this is not the way, I'd appreciate any hint.. my goal is to put
a malformed packet on the wire (more frags bit set for a non fragmented packet)

thanks for help,
jirka

---
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index 29c7727..d249b6a 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h @@ -53,8 +53,8 @@ enum nf_ip_hook_priorities { NF_IP_PRI_FIRST = INT_MIN, - NF_IP_PRI_CONNTRACK_DEFRAG = -400, - NF_IP_PRI_RAW = -300, + NF_IP_PRI_RAW = -400, + NF_IP_PRI_CONNTRACK_DEFRAG = -300, NF_IP_PRI_SELINUX_FIRST = -225, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_MANGLE = -150, diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index cb763ae..cb865d1 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c @@ -74,6 +74,9 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, return NF_ACCEPT; #endif #endif + if (nf_ct_is_untracked(skb)) + return NF_ACCEPT; + /* Gather fragments. */ if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) { enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
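Review bot: In the include/linux/netfilter_ipv4.h hunk, swapping the values of NF_IP_PRI_RAW and NF_IP_PRI_CONNTRACK_DEFRAG reorders the two hooks for every packet, not only for traffic from raw sockets. With NF_IP_PRI_RAW = -400 the raw table runs before defragmentation, so its rules see individual fragments, and any existing raw-table rule that matches on transport-layer fields will no longer match non-first fragments. That behaviour change needs to be stated in the commit message and in a comment next to the enum. Since the enum lives in an exported header, consider leaving the existing values untouched and adding a separate, earlier priority for the case that needs to run before defrag, so that current rule sets keep their semantics.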
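Review bot: In the net/ipv4/netfilter/nf_defrag_ipv4.c hunk, the new "if (nf_ct_is_untracked(skb)) return NF_ACCEPT;" has no comment and is not limited to any hook, although ipv4_conntrack_defrag() receives hooknum. As written, every untracked packet skips reassembly on whichever hooks this function is registered for, while the stated goal only concerns locally generated packets; either restrict the check to NF_INET_LOCAL_OUT or explain why skipping defrag for all untracked traffic is intended. The check also only has an effect if the raw table has already run, so it depends on the priority swap in the header hunk. Add a comment saying so, and confirm that the header declaring nf_ct_is_untracked() is already included in this file, since the hunk adds no #include.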