----- Forwarded message from Harald Welte ----- Date: Tue, 5 Feb 2002 16:44:19 +0100 From: Harald Welte To: David Miller Cc: Netfilter Development Mailinglist Subject: [PATCH] netfilter route_me_harder fix Message-ID: <20020205164419.S26676@sunbeam.de.gnumonks.org> Mail-Followup-To: Harald Welte , David Miller , Netfilter Development Mailinglist , linux-kernel Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.17i X-Operating-System: Linux sunbeam.de.gnumonks.org 2.4.17 X-Date: Today is Pungenday, the 28th day of Chaos in the YOLD 3168 Status: RO Content-Length: 8735 Lines: 263 Hi Dave! I'm sorry, but it seems like the route_me_harder issue never takes an end. We've now successfully managed to break compilation of our userspace iptables tool. route_me_harder is now renamed to ip_route_me_harder and moved from the include file into net/core/netfilter.c. As there is no IPv4 specific netfilter source file, this is the best place to move it to. Please apply the following patch (by Rusty & me) for 2.4.18-pre8 and 2.5.x: diff -Nru linux-2.4.18-pre8-plain/include/linux/netfilter_ipv4.h linux-2.4.18-pre8-rmh3/include/linux/netfilter_ipv4.h --- linux-2.4.18-pre8-plain/include/linux/netfilter_ipv4.h Tue Feb 5 15:32:21 2002 +++ linux-2.4.18-pre8-rmh3/include/linux/netfilter_ipv4.h Tue Feb 5 15:45:06 2002 @@ -59,95 +59,20 @@ NF_IP_PRI_LAST = INT_MAX, }; -#ifdef CONFIG_NETFILTER_DEBUG -#ifdef __KERNEL__ -void nf_debug_ip_local_deliver(struct sk_buff *skb); -void nf_debug_ip_loopback_xmit(struct sk_buff *newskb); -void nf_debug_ip_finish_output2(struct sk_buff *skb); -#endif /*__KERNEL__*/ -#endif /*CONFIG_NETFILTER_DEBUG*/ - /* Arguments for setsockopt SOL_IP: */ /* 2.0 firewalling went from 64 through 71 (and +256, +512, etc). */ /* 2.2 firewalling (+ masq) went from 64 through 76 */ /* 2.4 firewalling went 64 through 67. */ #define SO_ORIGINAL_DST 80 +#ifdef __KERNEL__ +#ifdef CONFIG_NETFILTER_DEBUG +void nf_debug_ip_local_deliver(struct sk_buff *skb); +void nf_debug_ip_loopback_xmit(struct sk_buff *newskb); +void nf_debug_ip_finish_output2(struct sk_buff *skb); +#endif /*CONFIG_NETFILTER_DEBUG*/ -/* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue - * - * Ideally this would be ins some netfilter_utility module, but creating this - * module for just one function doesn't make sense. -HW */ - -#include -#include -#include -#include -#include -#include - -static inline int route_me_harder(struct sk_buff **pskb) -{ - struct iphdr *iph = (*pskb)->nh.iph; - struct rtable *rt; - struct rt_key key = { dst:iph->daddr, - src:iph->saddr, - oif:(*pskb)->sk ? (*pskb)->sk->bound_dev_if : 0, - tos:RT_TOS(iph->tos)|RTO_CONN, -#ifdef CONFIG_IP_ROUTE_FWMARK - fwmark:(*pskb)->nfmark -#endif - }; - struct net_device *dev_src = NULL; - int err; - - /* accomodate ip_route_output_slow(), which expects the key src to be - 0 or a local address; however some non-standard hacks like - ipt_REJECT.c:send_reset() can cause packets with foreign - saddr to be appear on the NF_IP_LOCAL_OUT hook -MB */ - if(key.src && !(dev_src = ip_dev_find(key.src))) - key.src = 0; - - if ((err=ip_route_output_key(&rt, &key)) != 0) { - printk("route_me_harder: ip_route_output_key(dst=%u.%u.%u.%u, src=%u.%u.%u.%u, oif=%d, tos=0x%x, fwmark=0x%lx) error %d\n", - NIPQUAD(iph->daddr), NIPQUAD(iph->saddr), - (*pskb)->sk ? (*pskb)->sk->bound_dev_if : 0, - RT_TOS(iph->tos)|RTO_CONN, -#ifdef CONFIG_IP_ROUTE_FWMARK - (*pskb)->nfmark, -#else - 0UL, -#endif - err); - goto out; - } - - /* Drop old route. */ - dst_release((*pskb)->dst); - - (*pskb)->dst = &rt->u.dst; - - /* Change in oif may mean change in hh_len. */ - if (skb_headroom(*pskb) < (*pskb)->dst->dev->hard_header_len) { - struct sk_buff *nskb; - - nskb = skb_realloc_headroom(*pskb, - (*pskb)->dst->dev->hard_header_len); - if (!nskb) { - err = -ENOMEM; - goto out; - } - if ((*pskb)->sk) - skb_set_owner_w(nskb, (*pskb)->sk); - kfree_skb(*pskb); - *pskb = nskb; - } - -out: - if (dev_src) - dev_put(dev_src); - - return err; -} +extern int ip_route_me_harder(struct sk_buff **pskb); +#endif /*__KERNEL__*/ #endif /*__LINUX_IP_NETFILTER_H*/ diff -Nru linux-2.4.18-pre8-plain/net/core/netfilter.c linux-2.4.18-pre8-rmh3/net/core/netfilter.c --- linux-2.4.18-pre8-plain/net/core/netfilter.c Fri Apr 27 23:15:01 2001 +++ linux-2.4.18-pre8-rmh3/net/core/netfilter.c Tue Feb 5 15:36:35 2002 @@ -20,6 +20,10 @@ #include #include #include +#include +#include +#include +#include #define __KERNEL_SYSCALLS__ #include @@ -552,6 +556,73 @@ kfree(info); return; } + +#ifdef CONFIG_INET +/* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */ +int ip_route_me_harder(struct sk_buff **pskb) +{ + struct iphdr *iph = (*pskb)->nh.iph; + struct rtable *rt; + struct rt_key key = { dst:iph->daddr, + src:iph->saddr, + oif:(*pskb)->sk ? (*pskb)->sk->bound_dev_if : 0, + tos:RT_TOS(iph->tos)|RTO_CONN, +#ifdef CONFIG_IP_ROUTE_FWMARK + fwmark:(*pskb)->nfmark +#endif + }; + struct net_device *dev_src = NULL; + int err; + + /* accomodate ip_route_output_slow(), which expects the key src to be + 0 or a local address; however some non-standard hacks like + ipt_REJECT.c:send_reset() can cause packets with foreign + saddr to be appear on the NF_IP_LOCAL_OUT hook -MB */ + if(key.src && !(dev_src = ip_dev_find(key.src))) + key.src = 0; + + if ((err=ip_route_output_key(&rt, &key)) != 0) { + printk("route_me_harder: ip_route_output_key(dst=%u.%u.%u.%u, src=%u.%u.%u.%u, oif=%d, tos=0x%x, fwmark=0x%lx) error %d\n", + NIPQUAD(iph->daddr), NIPQUAD(iph->saddr), + (*pskb)->sk ? (*pskb)->sk->bound_dev_if : 0, + RT_TOS(iph->tos)|RTO_CONN, +#ifdef CONFIG_IP_ROUTE_FWMARK + (*pskb)->nfmark, +#else + 0UL, +#endif + err); + goto out; + } + + /* Drop old route. */ + dst_release((*pskb)->dst); + + (*pskb)->dst = &rt->u.dst; + + /* Change in oif may mean change in hh_len. */ + if (skb_headroom(*pskb) < (*pskb)->dst->dev->hard_header_len) { + struct sk_buff *nskb; + + nskb = skb_realloc_headroom(*pskb, + (*pskb)->dst->dev->hard_header_len); + if (!nskb) { + err = -ENOMEM; + goto out; + } + if ((*pskb)->sk) + skb_set_owner_w(nskb, (*pskb)->sk); + kfree_skb(*pskb); + *pskb = nskb; + } + +out: + if (dev_src) + dev_put(dev_src); + + return err; +} +#endif /*CONFIG_INET*/ /* This does not belong here, but ipt_REJECT needs it if connection tracking in use: without this, connection may not be in hash table, diff -Nru linux-2.4.18-pre8-plain/net/ipv4/netfilter/ip_nat_standalone.c linux-2.4.18-pre8-rmh3/net/ipv4/netfilter/ip_nat_standalone.c --- linux-2.4.18-pre8-plain/net/ipv4/netfilter/ip_nat_standalone.c Tue Feb 5 15:32:21 2002 +++ linux-2.4.18-pre8-rmh3/net/ipv4/netfilter/ip_nat_standalone.c Tue Feb 5 15:36:35 2002 @@ -188,7 +188,7 @@ if (ret != NF_DROP && ret != NF_STOLEN && ((*pskb)->nh.iph->saddr != saddr || (*pskb)->nh.iph->daddr != daddr)) - return route_me_harder(pskb) == 0 ? ret : NF_DROP; + return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; return ret; } diff -Nru linux-2.4.18-pre8-plain/net/ipv4/netfilter/ip_queue.c linux-2.4.18-pre8-rmh3/net/ipv4/netfilter/ip_queue.c --- linux-2.4.18-pre8-plain/net/ipv4/netfilter/ip_queue.c Tue Feb 5 15:32:21 2002 +++ linux-2.4.18-pre8-rmh3/net/ipv4/netfilter/ip_queue.c Tue Feb 5 15:36:35 2002 @@ -261,7 +261,7 @@ if (!(iph->tos == e->rt_info.tos && iph->daddr == e->rt_info.daddr && iph->saddr == e->rt_info.saddr)) - return route_me_harder(&e->skb); + return ip_route_me_harder(&e->skb); } return 0; } diff -Nru linux-2.4.18-pre8-plain/net/ipv4/netfilter/iptable_mangle.c linux-2.4.18-pre8-rmh3/net/ipv4/netfilter/iptable_mangle.c --- linux-2.4.18-pre8-plain/net/ipv4/netfilter/iptable_mangle.c Tue Feb 5 15:32:21 2002 +++ linux-2.4.18-pre8-rmh3/net/ipv4/netfilter/iptable_mangle.c Tue Feb 5 15:36:35 2002 @@ -162,7 +162,7 @@ || (*pskb)->nh.iph->daddr != daddr || (*pskb)->nfmark != nfmark || (*pskb)->nh.iph->tos != tos)) - return route_me_harder(pskb) == 0 ? ret : NF_DROP; + return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; return ret; } diff -Nru linux-2.4.18-pre8-plain/net/netsyms.c linux-2.4.18-pre8-rmh3/net/netsyms.c --- linux-2.4.18-pre8-plain/net/netsyms.c Tue Feb 5 15:32:21 2002 +++ linux-2.4.18-pre8-rmh3/net/netsyms.c Tue Feb 5 15:49:26 2002 @@ -577,6 +577,10 @@ EXPORT_SYMBOL(nf_setsockopt); EXPORT_SYMBOL(nf_getsockopt); EXPORT_SYMBOL(ip_ct_attach); +#ifdef CONFIG_INET +#include +EXPORT_SYMBOL(ip_route_me_harder); +#endif #endif EXPORT_SYMBOL(register_gifconf); -- Live long and prosper - Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/ ============================================================================ GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*) ----- End forwarded message ----- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/