{"id":809420,"url":"http://patchwork.ozlabs.org/api/1.2/patches/809420/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/1504478435-13160-8-git-send-email-pablo@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.2/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1504478435-13160-8-git-send-email-pablo@netfilter.org>","list_archive_url":null,"date":"2017-09-03T22:40:18","name":"[30/47] netfilter: rt: add support to fetch path mss","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"527c38f0d422a0c6508c8e64c9a7b16281f55dca","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/1.2/people/1315/?format=json","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"delegate":{"id":6139,"url":"http://patchwork.ozlabs.org/api/1.2/users/6139/?format=json","username":"pablo","first_name":"Pablo","last_name":"Neira","email":"pablo@netfilter.org"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/1504478435-13160-8-git-send-email-pablo@netfilter.org/mbox/","series":[{"id":1282,"url":"http://patchwork.ozlabs.org/api/1.2/series/1282/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=1282","date":"2017-09-03T22:40:11","name":null,"version":1,"mbox":"http://patchwork.ozlabs.org/series/1282/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/809420/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/809420/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netfilter-devel-owner@vger.kernel.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\t
spf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netfilter-devel-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xlny62R9Pz9s8J\n\tfor <incoming@patchwork.ozlabs.org>;\n\tMon,  4 Sep 2017 08:41:02 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1753318AbdICWlA (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);\n\tSun, 3 Sep 2017 18:41:00 -0400","from mail.us.es ([193.147.175.20]:52722 \"EHLO mail.us.es\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1753265AbdICWk5 (ORCPT <rfc822; netfilter-devel@vger.kernel.org>);\n\tSun, 3 Sep 2017 18:40:57 -0400","from antivirus1-rhel7.int (unknown [192.168.2.11])\n\tby mail.us.es (Postfix) with ESMTP id 846B2190F62\n\tfor <netfilter-devel@vger.kernel.org>;\n\tMon,  4 Sep 2017 00:40:30 +0200 (CEST)","from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 753D72DC87\n\tfor <netfilter-devel@vger.kernel.org>;\n\tMon,  4 Sep 2017 00:40:30 +0200 (CEST)","by antivirus1-rhel7.int (Postfix, from userid 99)\n\tid 6ADEFA8271; Mon,  4 Sep 2017 00:40:30 +0200 (CEST)","from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 5342FDA2AF;\n\tMon,  4 Sep 2017 00:40:28 +0200 (CEST)","from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int\n\t(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); \n\tMon, 04 Sep 2017 00:40:28 +0200 (CEST)","from salvia.here (unknown [31.4.193.113])\n\t(Authenticated sender: 1984lsi)\n\tby entrada.int (Postfix) with ESMTPA id F3BBD4265A20;\n\tMon,  4 Sep 2017 00:40:27 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.1 (2015-04-28) on\n\tantivirus1-rhel7.int","X-Spam-Level":"","X-Spam-Status":"No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,\n\tSMTPAUTH_US2,USER_IN_WHITELIST 
autolearn=disabled version=3.4.1","X-Virus-Status":"clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)","X-SMTPAUTHUS":"auth mail.us.es","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"davem@davemloft.net, netdev@vger.kernel.org","Subject":"[PATCH 30/47] netfilter: rt: add support to fetch path mss","Date":"Mon,  4 Sep 2017 00:40:18 +0200","Message-Id":"<1504478435-13160-8-git-send-email-pablo@netfilter.org>","X-Mailer":"git-send-email 2.1.4","In-Reply-To":"<1504478435-13160-1-git-send-email-pablo@netfilter.org>","References":"<1504478435-13160-1-git-send-email-pablo@netfilter.org>","X-Virus-Scanned":"ClamAV using ClamSMTP","Sender":"netfilter-devel-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netfilter-devel.vger.kernel.org>","X-Mailing-List":"netfilter-devel@vger.kernel.org"},"content":"From: Florian Westphal <fw@strlen.de>\n\nto be used in combination with tcp option set support to mimic\niptables TCPMSS --clamp-mss-to-pmtu.\n\nv2: Eric Dumazet points out dst must be initialized.\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n include/uapi/linux/netfilter/nf_tables.h |  2 +\n net/netfilter/nft_rt.c                   | 66 ++++++++++++++++++++++++++++++++\n 2 files changed, 68 insertions(+)","diff":"diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h\nindex 40fd199f7531..b49da72efa68 100644\n--- a/include/uapi/linux/netfilter/nf_tables.h\n+++ b/include/uapi/linux/netfilter/nf_tables.h\n@@ -811,11 +811,13 @@ enum nft_meta_keys {\n  * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid)\n  * @NFT_RT_NEXTHOP4: routing nexthop for IPv4\n  * @NFT_RT_NEXTHOP6: routing nexthop for IPv6\n+ * @NFT_RT_TCPMSS: fetch current path tcp mss\n  */\n enum nft_rt_keys {\n \tNFT_RT_CLASSID,\n \tNFT_RT_NEXTHOP4,\n \tNFT_RT_NEXTHOP6,\n+\tNFT_RT_TCPMSS,\n };\n \n /**\ndiff --git a/net/netfilter/nft_rt.c 
b/net/netfilter/nft_rt.c\nindex c7383d8f88d0..e142e65d3176 100644\n--- a/net/netfilter/nft_rt.c\n+++ b/net/netfilter/nft_rt.c\n@@ -23,6 +23,42 @@ struct nft_rt {\n \tenum nft_registers\tdreg:8;\n };\n \n+static u16 get_tcpmss(const struct nft_pktinfo *pkt, const struct dst_entry *skbdst)\n+{\n+\tu32 minlen = sizeof(struct ipv6hdr), mtu = dst_mtu(skbdst);\n+\tconst struct sk_buff *skb = pkt->skb;\n+\tconst struct nf_afinfo *ai;\n+\tstruct flowi fl;\n+\n+\tmemset(&fl, 0, sizeof(fl));\n+\n+\tswitch (nft_pf(pkt)) {\n+\tcase NFPROTO_IPV4:\n+\t\tfl.u.ip4.daddr = ip_hdr(skb)->saddr;\n+\t\tminlen = sizeof(struct iphdr);\n+\t\tbreak;\n+\tcase NFPROTO_IPV6:\n+\t\tfl.u.ip6.daddr = ipv6_hdr(skb)->saddr;\n+\t\tbreak;\n+\t}\n+\n+\tai = nf_get_afinfo(nft_pf(pkt));\n+\tif (ai) {\n+\t\tstruct dst_entry *dst = NULL;\n+\n+\t\tai->route(nft_net(pkt), &dst, &fl, false);\n+\t\tif (dst) {\n+\t\t\tmtu = min(mtu, dst_mtu(dst));\n+\t\t\tdst_release(dst);\n+\t\t}\n+\t}\n+\n+\tif (mtu <= minlen || mtu > 0xffff)\n+\t\treturn TCP_MSS_DEFAULT;\n+\n+\treturn mtu - minlen;\n+}\n+\n static void nft_rt_get_eval(const struct nft_expr *expr,\n \t\t\t    struct nft_regs *regs,\n \t\t\t    const struct nft_pktinfo *pkt)\n@@ -57,6 +93,9 @@ static void nft_rt_get_eval(const struct nft_expr *expr,\n \t\t\t\t\t &ipv6_hdr(skb)->daddr),\n \t\t       sizeof(struct in6_addr));\n \t\tbreak;\n+\tcase NFT_RT_TCPMSS:\n+\t\tnft_reg_store16(dest, get_tcpmss(pkt, dst));\n+\t\tbreak;\n \tdefault:\n \t\tWARN_ON(1);\n \t\tgoto err;\n@@ -94,6 +133,9 @@ static int nft_rt_get_init(const struct nft_ctx *ctx,\n \tcase NFT_RT_NEXTHOP6:\n \t\tlen = sizeof(struct in6_addr);\n \t\tbreak;\n+\tcase NFT_RT_TCPMSS:\n+\t\tlen = sizeof(u16);\n+\t\tbreak;\n \tdefault:\n \t\treturn -EOPNOTSUPP;\n \t}\n@@ -118,6 +160,29 @@ static int nft_rt_get_dump(struct sk_buff *skb,\n \treturn -1;\n }\n \n+static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,\n+\t\t\t   const struct nft_data **data)\n+{\n+\tconst struct 
nft_rt *priv = nft_expr_priv(expr);\n+\tunsigned int hooks;\n+\n+\tswitch (priv->key) {\n+\tcase NFT_RT_NEXTHOP4:\n+\tcase NFT_RT_NEXTHOP6:\n+\tcase NFT_RT_CLASSID:\n+\t\treturn 0;\n+\tcase NFT_RT_TCPMSS:\n+\t\thooks = (1 << NF_INET_FORWARD) |\n+\t\t\t(1 << NF_INET_LOCAL_OUT) |\n+\t\t\t(1 << NF_INET_POST_ROUTING);\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -EINVAL;\n+\t}\n+\n+\treturn nft_chain_validate_hooks(ctx->chain, hooks);\n+}\n+\n static struct nft_expr_type nft_rt_type;\n static const struct nft_expr_ops nft_rt_get_ops = {\n \t.type\t\t= &nft_rt_type,\n@@ -125,6 +190,7 @@ static const struct nft_expr_ops nft_rt_get_ops = {\n \t.eval\t\t= nft_rt_get_eval,\n \t.init\t\t= nft_rt_get_init,\n \t.dump\t\t= nft_rt_get_dump,\n+\t.validate\t= nft_rt_validate,\n };\n \n static struct nft_expr_type nft_rt_type __read_mostly = {\n","prefixes":["30/47"]}
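Review bot: in the include/uapi/linux/netfilter/nf_tables.h hunk, the kernel-doc line for NFT_RT_TCPMSS ("fetch current path tcp mss") leaves out the constraints the rest of the patch imposes: the value is derived from the route MTU, it is stored as a 16-bit register value (nft_reg_store16, len = sizeof(u16)), and nft_rt_validate() only accepts the key in the forward, local-out and post-routing hooks. Since this is the uapi header, a second comment line stating those limits would tell ruleset authors where the key can be used.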
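Review bot: in get_tcpmss() in net/netfilter/nft_rt.c, minlen is only sizeof(struct iphdr) or sizeof(struct ipv6hdr), so the function returns the MTU minus the IP header and leaves no room for the TCP header, although the key is documented as the path TCP MSS. Consider adding sizeof(struct tcphdr) to minlen in both the IPv4 and IPv6 cases. The switch on nft_pf(pkt) also has no default branch, so for any other family the function continues with a zeroed flowi and the IPv6 minlen; an explicit default that returns TCP_MSS_DEFAULT would make that case obvious.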
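Review bot: in the nft_rt_validate() hunk, the default branch returns -EINVAL for an unknown key, while the context lines of the nft_rt_get_init() hunk show the same condition returning -EOPNOTSUPP. Using the same error code in both switches would keep the reported error for an unsupported key consistent.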