LARTC - Aug 2004 - rp_filter and fib_validate_source sequence in KPTD

Hello all,

My question:
- - - - - - -
Does anybody know when the reverse path filtering occurs as the packet
traverses the kernel?

Does it happen before NF_IP_PRE_ROUTING (PREROUTING) or not?

Does it only happen at route selection time?


What I have tried to do to find the answer:
- - - - - - - - - - - - - - - - - - - - - -

I find a posting (from many years ago) [0], which suggests that this
happens in fib_validate_source() (in fib_frontend.c) which is only called
by route.c.

I tried following the diagram by Mathieu Lafon to see if
fib_validate_source() is called in ip_rcv() (in ip_input.c), but I
don''t
read C very well, so I could well be missing where the rp_filter
validation is occurring.

If I understand the path correctly, the functions are traversed in this
order (from most deeply nested first):

  fib_validate_source()
  ip_route_input_slow()
  ip_route_input()

  ip_rcv_finish()
  ip_rcv()

It seems that ip_rcv() (in ip_input.c) calls the following, and I simply
do not understand what this means:

       return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
                     ip_rcv_finish);

I''m guessing that NF_IP_PRE_ROUTING (the PREROUTING hooks) are called
before ip_rcv_finish is called, which means that the rp_filter action
doesn''t occur until after the PREROUTING hooks.

Is this accurate?  Can anybody shed some light?  Is my interpretation
accurate?

Thank you very much,

-Martin

 [0] http://www.ussg.iu.edu/hypermail/linux/kernel/0002.1/1522.html
 [1] http://open-source.arkoon.net/kernel/kernel_net.png

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hello,

On Mon, 9 Aug 2004, Martin A. Brown wrote:
> Does it happen before NF_IP_PRE_ROUTING (PREROUTING) or not?
	After
> Does it only happen at route selection time?
	Yes, input route only
> If I understand the path correctly, the functions are traversed in this
> order (from most deeply nested first):
>
>   fib_validate_source()
>   ip_route_input_slow()
>   ip_route_input()
>
>   ip_rcv_finish()
>   ip_rcv()
	The above is correct
> It seems that ip_rcv() (in ip_input.c) calls the following, and I simply
> do not understand what this means:
>
>        return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
>                      ip_rcv_finish);
>
> I''m guessing that NF_IP_PRE_ROUTING (the PREROUTING hooks) are
called
> before ip_rcv_finish is called, which means that the rp_filter action
> doesn''t occur until after the PREROUTING hooks.
	Yes, routing happens after DNAT (prerouting), so rp_filter
works with translated addresses.
> Is this accurate?  Can anybody shed some light?  Is my interpretation
> accurate?
	Yes,
> Thank you very much,
>
> -Martin
>
>  [0] http://www.ussg.iu.edu/hypermail/linux/kernel/0002.1/1522.html
>  [1] http://open-source.arkoon.net/kernel/kernel_net.png
Regards

--
Julian Anastasov <ja@ssi.bg>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/