From patchwork Wed Mar 31 10:38:53 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Engelhardt X-Patchwork-Id: 49126 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id B77CAB7BEE for ; Wed, 31 Mar 2010 21:39:25 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752003Ab0CaKjR (ORCPT ); Wed, 31 Mar 2010 06:39:17 -0400 Received: from borg.medozas.de ([188.40.89.202]:55971 "EHLO borg.medozas.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933240Ab0CaKjF (ORCPT ); Wed, 31 Mar 2010 06:39:05 -0400 Received: by borg.medozas.de (Postfix, from userid 25121) id 75044F0C26FC5; Wed, 31 Mar 2010 12:39:04 +0200 (CEST) From: Jan Engelhardt To: kaber@trash.net Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH 5/5] netfilter: xt_TEE: have cloned packet travel through Xtables too Date: Wed, 31 Mar 2010 12:38:53 +0200 Message-Id: <1270031934-15940-6-git-send-email-jengelh@medozas.de> X-Mailer: git-send-email 1.7.0.2 In-Reply-To: <1270031934-15940-1-git-send-email-jengelh@medozas.de> References: <1270031934-15940-1-git-send-email-jengelh@medozas.de> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Since Xtables is now reentrant/nestable, the cloned packet can also go through Xtables and be subject to rules itself. Signed-off-by: Jan Engelhardt --- net/ipv4/ip_output.c | 1 - net/ipv6/ip6_output.c | 1 - net/netfilter/xt_TEE.c | 18 ++---------------- 3 files changed, 2 insertions(+), 18 deletions(-) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 0abfdde..f09135e 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c 
@@ -309,7 +309,6 @@ int ip_output(struct sk_buff *skb) ip_finish_output, !(IPCB(skb)->flags & IPSKB_REROUTED)); } -EXPORT_SYMBOL_GPL(ip_output); int ip_queue_xmit(struct sk_buff *skb, int ipfragok) { diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 307d8bf..7e10f62 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -176,7 +176,6 @@ int ip6_output(struct sk_buff *skb) ip6_finish_output, !(IP6CB(skb)->flags & IPSKB_REROUTED)); } -EXPORT_SYMBOL_GPL(ip6_output); /* * xmit an sk_buff (used by TCP) diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c index 96dd746..70078f1 100644 --- a/net/netfilter/xt_TEE.c +++ b/net/netfilter/xt_TEE.c @@ -130,21 +130,8 @@ tee_tg4(struct sk_buff *skb, const struct xt_target_param *par) skb->nfctinfo = IP_CT_NEW; nf_conntrack_get(skb->nfct); #endif - /* - * Xtables is not reentrant currently, so a choice has to be made: - * 1. return absolute verdict for the original and let the cloned - * packet travel through the chains - * 2. let the original continue travelling and not pass the clone - * to Xtables. - * #2 is chosen. Normally, we would use ip_local_out for the clone. - * Because iph->check is already correct and we don't pass it to - * Xtables anyway, a shortcut to dst_output [forwards to ip_output] can - * be taken. %IPSKB_REROUTED needs to be set so that ip_output does not - * invoke POSTROUTING on the cloned packet. - */ - IPCB(skb)->flags |= IPSKB_REROUTED; if (tee_tg_route4(skb, info)) - ip_output(skb); + ip_local_out(skb); return XT_CONTINUE; } @@ -199,9 +186,8 @@ tee_tg6(struct sk_buff *skb, const struct xt_target_param *par) struct ipv6hdr *iph = ipv6_hdr(skb); --iph->hop_limit; } - IP6CB(skb)->flags |= IPSKB_REROUTED; if (tee_tg_route6(skb, info)) - ip6_output(skb); + ip6_local_out(skb); return XT_CONTINUE; }
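Review bot: ip_output.c hunk: the commit message says nothing about dropping `EXPORT_SYMBOL_GPL(ip_output);`, yet that is the only change to this file and it alters the module-facing symbol set. State the export removal in the message (or move the two export removals into their own small patch) and confirm that, once xt_TEE switches to ip_local_out, no other in-tree module still references ip_output; otherwise the build breaks for that user.

Review bot: ip6_output.c hunk: same point as for ip_output: `-EXPORT_SYMBOL_GPL(ip6_output);` is removed without mention in the message. If the only reason these two exports existed was xt_TEE's previous shortcut, say so, since that is the justification for removing them together with the xt_TEE change.

Review bot: xt_TEE.c tee_tg4 hunk: nothing here prevents the clone from matching the same rule again. The removed comment explained that the clone was deliberately kept out of Xtables; replacing `ip_output(skb)` with `ip_local_out(skb)` and dropping `IPCB(skb)->flags |= IPSKB_REROUTED` now sends the clone through LOCAL_OUT and POSTROUTING, where a `-j TEE` rule that matched the original can match the clone, produce another clone, and so on without bound (a recursion and resource-exhaustion problem triggered by ordinary traffic hitting such a rule). Either add a guard (for example a per-CPU "clone in flight" flag checked at the top of tee_tg4 and set around the ip_local_out call) or explain in the commit message why re-matching cannot occur. The message should also spell out the user-visible change that the `IPSKB_REROUTED` removal implies: clones now traverse POSTROUTING, which existing rulesets did not see before.

Review bot: xt_TEE.c tee_tg6 hunk: the same recursion concern applies to the switch to `ip6_local_out(skb)` with `IP6CB(skb)->flags |= IPSKB_REROUTED` removed; whatever guard is chosen for tee_tg4 needs to cover this path too. Separately, the visible context `--iph->hop_limit;` decrements without checking for zero, so a clone made from a packet that arrived with hop_limit 0 would leave with hop_limit 255, and the local-out path the clone now takes performs no forwarding-style hop-limit check. Consider skipping the clone (or the decrement) when hop_limit is already 0 and note the behaviour in the message.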