提交 e45f5066 编写于 作者: E Eric W. Biederman 提交者: Pablo Neira Ayuso

ipv4: Pass struct net into ip_route_me_harder

Don't make ip_route_me_harder guess which network namespace
it is routing in, pass the network namespace in.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
上级 6a1d689d
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
#include <uapi/linux/netfilter_ipv4.h> #include <uapi/linux/netfilter_ipv4.h>
int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type); int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
__sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol); unsigned int dataoff, u_int8_t protocol);
#endif /*__LINUX_IP_NETFILTER_H*/ #endif /*__LINUX_IP_NETFILTER_H*/
...@@ -17,9 +17,8 @@ ...@@ -17,9 +17,8 @@
#include <net/netfilter/nf_queue.h> #include <net/netfilter/nf_queue.h>
/* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */ /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
int ip_route_me_harder(struct sk_buff *skb, unsigned int addr_type) int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type)
{ {
struct net *net = dev_net(skb_dst(skb)->dev);
const struct iphdr *iph = ip_hdr(skb); const struct iphdr *iph = ip_hdr(skb);
struct rtable *rt; struct rtable *rt;
struct flowi4 fl4 = {}; struct flowi4 fl4 = {};
...@@ -116,7 +115,7 @@ static int nf_ip_reroute(struct net *net, struct sk_buff *skb, ...@@ -116,7 +115,7 @@ static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
skb->mark == rt_info->mark && skb->mark == rt_info->mark &&
iph->daddr == rt_info->daddr && iph->daddr == rt_info->daddr &&
iph->saddr == rt_info->saddr)) iph->saddr == rt_info->saddr))
return ip_route_me_harder(skb, RTN_UNSPEC); return ip_route_me_harder(net, skb, RTN_UNSPEC);
} }
return 0; return 0;
} }
......
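Review bot: The one-line comment above ip_route_me_harder() does not say what the new `net` argument must be, and after this change the function no longer derives the namespace from `skb_dst(skb)->dev` but trusts whatever the caller passes. A caller that hands in the wrong namespace would presumably have the packet re-routed against another namespace's tables, which is an isolation problem rather than a cosmetic one, so the contract deserves a line of documentation, e.g. `/* @net: namespace of the hook re-routing @skb; must be the namespace the packet is currently traversing */`. The function body continues outside the hunk, so how `net` is consumed is not visible here.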
...@@ -45,6 +45,8 @@ synproxy_send_tcp(const struct synproxy_net *snet, ...@@ -45,6 +45,8 @@ synproxy_send_tcp(const struct synproxy_net *snet,
struct iphdr *niph, struct tcphdr *nth, struct iphdr *niph, struct tcphdr *nth,
unsigned int tcp_hdr_size) unsigned int tcp_hdr_size)
{ {
struct net *net = nf_ct_net(snet->tmpl);
nth->check = ~tcp_v4_check(tcp_hdr_size, niph->saddr, niph->daddr, 0); nth->check = ~tcp_v4_check(tcp_hdr_size, niph->saddr, niph->daddr, 0);
nskb->ip_summed = CHECKSUM_PARTIAL; nskb->ip_summed = CHECKSUM_PARTIAL;
nskb->csum_start = (unsigned char *)nth - nskb->head; nskb->csum_start = (unsigned char *)nth - nskb->head;
...@@ -52,7 +54,7 @@ synproxy_send_tcp(const struct synproxy_net *snet, ...@@ -52,7 +54,7 @@ synproxy_send_tcp(const struct synproxy_net *snet,
skb_dst_set_noref(nskb, skb_dst(skb)); skb_dst_set_noref(nskb, skb_dst(skb));
nskb->protocol = htons(ETH_P_IP); nskb->protocol = htons(ETH_P_IP);
if (ip_route_me_harder(nskb, RTN_UNSPEC)) if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
goto free_nskb; goto free_nskb;
if (nfct) { if (nfct) {
......
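Review bot: In synproxy_send_tcp the namespace is still recovered indirectly, through `nf_ct_net(snet->tmpl)`, rather than being handed in by the caller, which is the kind of guessing the commit message sets out to remove. It also makes the routing call depend on `snet->tmpl` being non-NULL and bound to the right namespace, which the visible lines do not check. If the callers have the hook's namespace at hand, passing it down as a parameter would match the `state->net` call sites elsewhere in this commit; otherwise, and if that is indeed the invariant, a comment such as `/* tmpl is set up per netns, so its ct_net is the namespace snet belongs to */` would record why the lookup is safe. The function begins and ends outside the hunks shown.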
...@@ -67,7 +67,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state) ...@@ -67,7 +67,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
iph->daddr != daddr || iph->daddr != daddr ||
skb->mark != mark || skb->mark != mark ||
iph->tos != tos) { iph->tos != tos) {
err = ip_route_me_harder(skb, RTN_UNSPEC); err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
if (err < 0) if (err < 0)
ret = NF_DROP_ERR(err); ret = NF_DROP_ERR(err);
} }
......
...@@ -431,7 +431,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb, ...@@ -431,7 +431,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb,
if (ct->tuplehash[dir].tuple.dst.u3.ip != if (ct->tuplehash[dir].tuple.dst.u3.ip !=
ct->tuplehash[!dir].tuple.src.u3.ip) { ct->tuplehash[!dir].tuple.src.u3.ip) {
err = ip_route_me_harder(skb, RTN_UNSPEC); err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
if (err < 0) if (err < 0)
ret = NF_DROP_ERR(err); ret = NF_DROP_ERR(err);
} }
......
...@@ -129,7 +129,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook) ...@@ -129,7 +129,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
ip4_dst_hoplimit(skb_dst(nskb))); ip4_dst_hoplimit(skb_dst(nskb)));
nf_reject_ip_tcphdr_put(nskb, oldskb, oth); nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
if (ip_route_me_harder(nskb, RTN_UNSPEC)) if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
goto free_nskb; goto free_nskb;
/* "Never happens" */ /* "Never happens" */
......
...@@ -53,7 +53,7 @@ static unsigned int nf_route_table_hook(void *priv, ...@@ -53,7 +53,7 @@ static unsigned int nf_route_table_hook(void *priv,
iph->daddr != daddr || iph->daddr != daddr ||
skb->mark != mark || skb->mark != mark ||
iph->tos != tos) iph->tos != tos)
if (ip_route_me_harder(skb, RTN_UNSPEC)) if (ip_route_me_harder(state->net, skb, RTN_UNSPEC))
ret = NF_DROP; ret = NF_DROP;
} }
return ret; return ret;
......
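Review bot: A routing failure in nf_route_table_hook is collapsed to a bare `NF_DROP`, so the error returned by ip_route_me_harder() is lost, whereas ipt_mangle_out and nf_nat_ipv4_local_fn on this same page keep it with `NF_DROP_ERR(err)`. Since the call line is touched anyway, consider `err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);` followed by `if (err < 0) ret = NF_DROP_ERR(err);`, with braces around the now-nested unbraced `if`. The function starts outside the hunk, so whether an `err` local already exists there is not visible.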
...@@ -720,7 +720,7 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af, ...@@ -720,7 +720,7 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af,
} else } else
#endif #endif
if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
ip_route_me_harder(skb, RTN_LOCAL) != 0) ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0)
return 1; return 1;
return 0; return 0;
......