From patchwork Tue Dec 19 21:42:19 2017
X-Patchwork-Submitter: Subash Abhinov Kasiviswanathan
X-Patchwork-Id: 851070
X-Patchwork-Delegate: pablo@netfilter.org
From: Subash Abhinov Kasiviswanathan
To: netfilter-devel@vger.kernel.org, pablo@netfilter.org, fw@strlen.de, kadlec@blackhole.kfki.hu
Cc: Subash Abhinov Kasiviswanathan
Subject: [PATCH nf-next v2] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set
Date: Tue, 19 Dec 2017 14:42:19 -0700
Message-Id: <1513719739-1095-1-git-send-email-subashab@codeaurora.org>

conntrack defrag is needed only if some module like CONNTRACK or NAT explicitly requests it. For plain forwarding scenarios, defrag is not needed and can be skipped if NOTRACK is set in a rule.

Since conntrack defrag is currently higher priority than raw table, setting NOTRACK is not sufficient. We need to move raw to a higher priority for iptables only. This is achieved by introducing a module parameter which allows the priority to be modified. By default, the priority is NF_IP_PRI_RAW to support legacy behavior.

v1->v2: Instead of modifying NF_IP_PRI_RAW itself, use a module parameter to pass in the priority during module load as suggested by Pablo. Also update commit text.

Signed-off-by: Subash Abhinov Kasiviswanathan
---
 net/ipv4/netfilter/iptable_raw.c | 14 +++++++++++++-
 net/ipv4/netfilter/nf_defrag_ipv4.c | 2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index 2642ecd..607392b 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c @@ -12,7 +12,11 @@ static int __net_init iptable_raw_table_init(struct net *net); -static const struct xt_table packet_raw = { +static int priority __read_mostly = NF_IP_PRI_RAW; +MODULE_PARM_DESC(priority, "Priority of IPv4 raw table (NF_IP_PRI_RAW)"); +module_param(priority, int, 0000); + +static struct xt_table packet_raw = { .name = "raw", .valid_hooks = RAW_VALID_HOOKS, .me = THIS_MODULE, 
@@ -70,6 +74,14 @@ static int __init iptable_raw_init(void) { int ret; + if (priority < NF_IP_PRI_CONNTRACK_DEFRAG && + priority > NF_IP_PRI_FIRST) { + packet_raw.priority = priority; + + pr_info("iptable_raw: Using custom rule priority=%d\n", + packet_raw.priority); + } + rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook); if (IS_ERR(rawtable_ops)) return PTR_ERR(rawtable_ops); diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index 37fe1616..cbd987f 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c @@ -80,7 +80,7 @@ static unsigned int ipv4_conntrack_defrag(void *priv, #endif #endif /* Gather fragments. */ - if (ip_is_fragment(ip_hdr(skb))) { + if (skb->_nfct != IP_CT_UNTRACKED && ip_is_fragment(ip_hdr(skb))) { enum ip_defrag_users user = nf_ct_defrag_user(state->hook, skb);
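Review bot: In the first iptable_raw.c hunk, `module_param(priority, int, 0000)` registers the parameter with no sysfs permissions, so the priority actually in effect cannot be read back under /sys/module after load; since the value is only consumed in iptable_raw_init(), 0444 would expose it read-only without permitting runtime changes. The MODULE_PARM_DESC string names the default but not the window that the init hunk enforces, so an operator has no way to learn the accepted range short of reading the source; state it in the description. Dropping `const` from `packet_raw` is needed for the assignment in the next hunk, but a one-line comment saying it is written only during init would stop a later reader from restoring the qualifier.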
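Review bot: In the iptable_raw_init() hunk, a priority outside the accepted window is silently ignored: the branch only logs when a custom value is applied, so loading with an out-of-range value (including one at or above NF_IP_PRI_CONNTRACK_DEFRAG, which would defeat the purpose of the change) falls back to NF_IP_PRI_RAW without any message. Add a pr_warn() in an else branch, or return -EINVAL from init, so the misconfiguration is visible rather than discovered later when NOTRACK'd fragments are still reassembled. Also, NF_IP_PRI_FIRST is INT_MIN, so `priority > NF_IP_PRI_FIRST` rejects only that single value; if a meaningful lower bound is intended, spell it out, otherwise the comparison can go.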
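Review bot: In the nf_defrag_ipv4.c hunk, the new `skb->_nfct != IP_CT_UNTRACKED` test sits outside the conditional blocks whose two closing `#endif` lines appear directly above it; `_nfct` is only present in struct sk_buff when CONFIG_NF_CONNTRACK is enabled, and this file is also built for non-conntrack users of defrag, so the hunk should either be placed under the same guard or use a helper that compiles to a no-op when conntrack is disabled. Reading the raw field also ties the check to the encoding of `_nfct`; going through the conntrack accessor to obtain the ctinfo is the idiomatic way to test for untracked. Finally, with the default priority the raw table still runs after defrag, so this hunk only takes effect once the new module parameter is set; the commit message should say so explicitly so the two halves of the change are not read as independent.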