From b535abce2e9b835c1d96e0fe27bc450b20df6f82 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 15 Apr 2010 21:29:37 +0200
Subject: [PATCH 1/3] xt_TEE: use nf_conntrack_untracked
No reason having to use our own nf_conntrack bucket.
---
 extensions/xt_TEE.c | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/extensions/xt_TEE.c b/extensions/xt_TEE.c
index 1bb6970..c4bc42f 100644
--- a/extensions/xt_TEE.c
+++ b/extensions/xt_TEE.c
@@ -24,7 +24,6 @@
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 # define WITH_CONNTRACK 1
 # include
-static struct nf_conn tee_track;
 #endif
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 # define WITH_IPV6 1
@@ -173,7 +172,7 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 * connection for the cloned packet. */
 nf_conntrack_put(skb->nfct);
- skb->nfct = &tee_track.ct_general;
+ skb->nfct = &nf_conntrack_untracked.ct_general;
 skb->nfctinfo = IP_CT_NEW;
 nf_conntrack_get(skb->nfct);
 #endif
@@ -249,7 +248,7 @@ tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 #ifdef WITH_CONNTRACK
 nf_conntrack_put(skb->nfct);
- skb->nfct = &tee_track.ct_general;
+ skb->nfct = &nf_conntrack_untracked.ct_general;
 skb->nfctinfo = IP_CT_NEW;
 nf_conntrack_get(skb->nfct);
 #endif
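Review bot: Switching the clone to `nf_conntrack_untracked` silently relies on the core conntrack initialisation giving that object the properties the removed tee_track setup provided explicitly (a permanent reference, IPS_CONFIRMED, and IPS_NAT_DONE_MASK so NAT leaves the clone alone); as far as I know the in-tree nf_conntrack init does set those bits, but neither the hunk nor the commit message records that dependency, and the same applies to the tee_tg6 hunk at @@ -249. A one-line comment above the assignment would keep the rationale, e.g. `/* untracked: confirmed and NAT-done, so the clone is never NATed or hashed */`. Since this is an out-of-tree module and the way the untracked conntrack is reached has changed across kernel versions (later kernels go through nf_ct_untracked_get()), the bare symbol reference is worth wrapping in one compat accessor rather than being written twice. Both tee_tg4 and tee_tg6 start and end outside their hunks.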
@@ -301,26 +300,12 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 static int __init tee_tg_init(void)
 {
-#ifdef WITH_CONNTRACK
- /*
- * Set up fake conntrack - to never be deleted, not in any hashes
- */
- atomic_set(&tee_track.ct_general.use, 1);
-
- /* - and look it like as a confirmed connection */
- set_bit(IPS_CONFIRMED_BIT, &tee_track.status);
-
- /* Initialize fake conntrack so that NAT will skip it */
- tee_track.status |= IPS_NAT_DONE_MASK;
-#endif
-
 return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 }
 static void __exit tee_tg_exit(void)
 {
 xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
- /* [SC]: shoud not we cleanup tee_track here? */
 }
 module_init(tee_tg_init);
From 93f6c1a312e67bb3f3a54e9a6d3bc32d97ad0d74 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 15 Apr 2010 22:49:08 +0200
Subject: [PATCH 2/3] xt_TEE: remove debug printks
---
 extensions/xt_TEE.c | 35 ++++------------------------------
 1 file changed, 4 insertions(+), 31 deletions(-)
diff --git a/extensions/xt_TEE.c b/extensions/xt_TEE.c
index c4bc42f..fbd3ece 100644
--- a/extensions/xt_TEE.c
+++ b/extensions/xt_TEE.c
@@ -35,27 +35,10 @@ static bool tee_active[NR_CPUS];
 static const union nf_inet_addr tee_zero_address;
-/*
- * Try to route the packet according to the routing keys specified in
- * route_info. Keys are :
- * - ifindex :
- * 0 if no oif preferred,
- * otherwise set to the index of the desired oif
- * - route_info->gateway :
- * 0 if no gateway specified,
- * otherwise set to the next host to which the pkt must be routed
- * If success, skb->dev is the output device to which the packet must
- * be sent and skb->dst is not NULL
- *
- * RETURN: false - if an error occured
- * true - if the packet was succesfully routed to the
- * destination desired
- */
 static bool
 tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
 const struct iphdr *iph = ip_hdr(skb);
- int err;
 struct rtable *rt;
 struct flowi fl;
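Review bot: The removed block comment was the only statement of tee_tg_route4's contract (what is set up on success and that false means failure), and the @@ -35 hunk replaces it with nothing; dropping the stale description of the old routing keys is fine, but the function is now entirely undocumented. I would keep a short header above `static bool`, e.g. `/* Route the clone using the keys built from info; on success skb_dst() and skb->dev are set and true is returned, otherwise false. */` (the key construction is below the hunk, so confirm the wording against the body). Who frees the skb on the false path is the detail a caller most needs, and it should be stated there explicitly once the ownership rule is settled. tee_tg_route4's body continues past the end of the hunk.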
@@ -64,12 +47,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
 fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
- /* Trying to route the packet using the standard routing table. */
- err = ip_route_output_key(&init_net, &rt, &fl);
- if (err != 0) {
- if (net_ratelimit())
- pr_debug(KBUILD_MODNAME
- ": could not route packet (%d)", err);
+ if (ip_route_output_key(&init_net, &rt, &fl) != 0) {
 kfree_skb(skb);
 return false;
 }
@@ -118,15 +96,12 @@ static void tee_tg_send(struct sk_buff *skb)
 skb = skb2;
 }
- if (dst->hh != NULL) {
+ if (dst->hh != NULL)
 neigh_hh_output(dst->hh, skb);
- } else if (dst->neighbour != NULL) {
+ else if (dst->neighbour != NULL)
 dst->neighbour->output(skb);
- } else {
- if (net_ratelimit())
- pr_debug(KBUILD_MODNAME "no hdr & no neighbour cache!\n");
+ else
 kfree_skb(skb);
- }
 }
 static unsigned int
@@ -220,8 +195,6 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
 #endif
 if (dst == NULL) {
- if (net_ratelimit())
- printk(KERN_ERR "ip6_route_output failed for tee\n");
 kfree_skb(skb);
 return false;
 }
From 8ff64f4ef48a67b10e5a8e3690d7976597bf6c52 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 15 Apr 2010 23:47:07 +0200
Subject: [PATCH 3/3] xt_TEE: move skb cleanup outwards
---
 extensions/xt_TEE.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/extensions/xt_TEE.c b/extensions/xt_TEE.c
index fbd3ece..8be6173 100644
--- a/extensions/xt_TEE.c
+++ b/extensions/xt_TEE.c
@@ -47,10 +47,8 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
 fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
- if (ip_route_output_key(&init_net, &rt, &fl) != 0) {
- kfree_skb(skb);
+ if (ip_route_output_key(&init_net, &rt, &fl) != 0)
 return false;
- }
 dst_release(skb_dst(skb));
 skb_dst_set(skb, &rt->u.dst);
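Review bot: With the ratelimited message gone, the final `else` of tee_tg_send in the @@ -118 hunk drops the clone with no trace at all — no counter and no comment — so a TEE whose route resolves but has no neighbour entry becomes indistinguishable from a working one. Removing the printk from a per-packet path is reasonable, but leave the intent visible, e.g. `else /* route has no L2 neighbour: drop the clone silently */`, or keep a single `pr_debug` on that branch only, which compiles out unless DEBUG or dynamic debug is enabled. Dropping the braces is consistent with kernel style since every branch is a single statement. tee_tg_send starts outside the hunk.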
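Review bot: After the @@ -47 hunk tee_tg_route4 no longer frees the skb when ip_route_output_key() fails and relies on the callers' new `else { kfree_skb(skb); }` (the @@ -172 and @@ -234 hunks), and tee_tg_route6 gets the same treatment in @@ -194; the rule is now "false means the skb was not consumed and still belongs to the caller", but it is written down nowhere. Only one `return false` per routing helper is visible in these hunks; if either helper has another early failure return outside the hunk that still calls kfree_skb, the caller-side free turns it into a double free, so every false path of both helpers should be checked against the new rule. I would record it at the helpers, e.g. `/* Returns false without consuming skb; the caller must free it. */` above both `tee_tg_route4` and `tee_tg_route6`. tee_tg_route4 continues beyond the hunk on both sides.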
@@ -172,6 +170,8 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 tee_active[cpu] = true;
 tee_tg_send(skb);
 tee_active[cpu] = false;
+ } else {
+ kfree_skb(skb);
 }
 return XT_CONTINUE;
 }
@@ -194,10 +194,8 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 #else
 dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
 #endif
- if (dst == NULL) {
- kfree_skb(skb);
+ if (dst == NULL)
 return false;
- }
 dst_release(skb_dst(skb));
 skb_dst_set(skb, dst);
@@ -234,6 +232,8 @@ tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 tee_active[cpu] = true;
 tee_tg_send(skb);
 tee_active[cpu] = false;
+ } else {
+ kfree_skb(skb);
 }
 return XT_CONTINUE;
 }