From patchwork Tue Nov 14 01:37:26 2017
X-Patchwork-Submitter: Subash Abhinov Kasiviswanathan
X-Patchwork-Id: 837648
X-Patchwork-Delegate: pablo@netfilter.org
From: Subash Abhinov Kasiviswanathan
To: netfilter-devel@vger.kernel.org, pablo@netfilter.org, fw@strlen.de
Cc: Subash Abhinov Kasiviswanathan
Subject: [PATCH nf-next] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set
Date: Mon, 13 Nov 2017 18:37:26 -0700
Message-Id: <1510623446-9115-1-git-send-email-subashab@codeaurora.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

conntrack defrag is needed only if some module like CONNTRACK or NAT explicitly requests it. For plain forwarding scenarios, defrag is not needed and can be skipped if NOTRACK is set in a rule.

Since conntrack defrag is currently higher priority than the raw table, setting NOTRACK is not sufficient. We need to introduce a lower priority rule and deprecate the existing rule.
Signed-off-by: Subash Abhinov Kasiviswanathan --- include/uapi/linux/netfilter_ipv4.h | 3 ++- net/ipv4/netfilter/nf_defrag_ipv4.c | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/uapi/linux/netfilter_ipv4.h b/include/uapi/linux/netfilter_ipv4.h index e6b1a84..cedf7b4 100644 --- a/include/uapi/linux/netfilter_ipv4.h +++ b/include/uapi/linux/netfilter_ipv4.h @@ -57,9 +57,10 @@ enum nf_ip_hook_priorities { NF_IP_PRI_FIRST = INT_MIN, - NF_IP_PRI_CONNTRACK_DEFRAG = -400, + NF_IP_PRI_CONNTRACK_DEFRAG = -400, /* deprecated */ NF_IP_PRI_RAW = -300, NF_IP_PRI_SELINUX_FIRST = -225, + NF_IP_PRI_CONNTRACK_DEFRAG_V1 = -210, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100, diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index 37fe1616..6496890 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c @@ -80,7 +80,7 @@ static unsigned int ipv4_conntrack_defrag(void *priv, #endif #endif /* Gather fragments. */ - if (ip_is_fragment(ip_hdr(skb))) { + if (skb->_nfct != IP_CT_UNTRACKED && ip_is_fragment(ip_hdr(skb))) { enum ip_defrag_users user = nf_ct_defrag_user(state->hook, skb); @@ -95,13 +95,13 @@ static unsigned int ipv4_conntrack_defrag(void *priv, .hook = ipv4_conntrack_defrag, .pf = NFPROTO_IPV4, .hooknum = NF_INET_PRE_ROUTING, - .priority = NF_IP_PRI_CONNTRACK_DEFRAG, + .priority = NF_IP_PRI_CONNTRACK_DEFRAG_V1, }, { .hook = ipv4_conntrack_defrag, .pf = NFPROTO_IPV4, .hooknum = NF_INET_LOCAL_OUT, - .priority = NF_IP_PRI_CONNTRACK_DEFRAG, + .priority = NF_IP_PRI_CONNTRACK_DEFRAG_V1, }, };
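Review bot: in the netfilter_ipv4.h hunk, the new NF_IP_PRI_CONNTRACK_DEFRAG_V1 = -210 needs a comment of its own; the only documentation added is the bare `/* deprecated */` on the old -400 value, and nothing in the header tells a reader why the hook now registers between NF_IP_PRI_SELINUX_FIRST and NF_IP_PRI_CONNTRACK (so that raw-table NOTRACK at -300 is evaluated before reassembly). The `_V1` suffix does not convey that ordering either; a name stating the relationship to the raw table would read better. Keeping the old enumerator in this UAPI header is right for compatibility, but the diffstat touches only the IPv4 header and nf_defrag_ipv4.c, so the IPv6 defrag hook stays at the old priority and the two families would order defrag differently relative to the raw table; either update both or explain in the commit message why IPv6 is left as is.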
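Review bot: in the first nf_defrag_ipv4.c hunk, `if (skb->_nfct != IP_CT_UNTRACKED && ip_is_fragment(ip_hdr(skb)))` compares the raw `skb->_nfct` word against an enum ip_conntrack_info value; the accessor form (nf_ct_get(skb, &ctinfo) and a test on ctinfo == IP_CT_UNTRACKED) expresses the same check without depending on how the pointer and info bits are packed into `_nfct`. Please also build with CONFIG_NF_CONNTRACK disabled: `skb->_nfct` only exists when conntrack is enabled, nf_defrag_ipv4 can be selected by other users, and the `#endif #endif` directly above the changed line shows the function already keeps its conntrack-dependent code under such guards, which the new test would need to sit under too. Finally, the commit message says defrag is needed only when "some module like CONNTRACK or NAT explicitly requests it", but this condition skips reassembly for every untracked skb regardless of who registered the hook, so any non-conntrack user of nf_defrag_ipv4 that needs the reassembled packet is affected; the message should say that this is intended.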
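Review bot: in the second nf_defrag_ipv4.c hunk, moving both registrations (NF_INET_PRE_ROUTING and NF_INET_LOCAL_OUT) from NF_IP_PRI_CONNTRACK_DEFRAG (-400) to NF_IP_PRI_CONNTRACK_DEFRAG_V1 (-210) places the raw table (-300) ahead of reassembly, so raw-table rules now match on individual fragments rather than on the reassembled datagram. Only the first fragment carries the transport header, so a NOTRACK rule with a port or other L4 match marks just that fragment untracked: under the new condition it skips defrag and continues alone, while the remaining fragments still enter the defrag queue for a reassembly that cannot complete. This change in what raw-table rules see is not mentioned in the commit message; please document it there and state how partially matched fragment trains are meant to behave.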