search for: nf_hook

On Fri, 07 Jan 2005 17:05:59 +0000 David Woodhouse <dwmw2@infradead.org> wrote: > On Sat, 2004-12-18 at 08:50 +0100, Andi Kleen wrote: > > It's not really an oops, just a warning that stack space got quiet > > tight. > > > > The problem seems to be that the br netfilter code is nesting far too > > deeply and recursing several times. Looks like a design

Hi, This is a second try to fix the long chain call lengths in netfilter. The difference with the previous patch is that I got rid of the extra argument. I somehow didn't see it could be done without using the 'int *ret2' argument. A comment on the number of arguments to nf_hook_slow: I don't think the number of arguments should be decreased. For the bridge-nf code, f.e., the indev argument does not equal (*pskb)->dev (this is an answer to a question of Rusty in the old thread). A comment on the argument change of nf_hook_slow (sk_buff * to sk_buff **) and the bad...

...voke2() gets a tail-call > > >whereas invoke() does not. Hmmm... > > > > Apparently support for indirect tail-calls was added to gcc 3.4. > > Good data point. > > I've been trying to figure out ways to decrease the number of > args that get sent to nf_hook_slow but this would require > some API changes unfortunately. > > One idea goes like this, we create little descriptors of the form: > > struct nf_hook_desc { > int (*okfn)(struct sk_buff *); > int pf; > int hook; > }; > > Then NF_HOOK*() callsites...

...y, the functions are traversed in this order (from most deeply nested first): fib_validate_source() ip_route_input_slow() ip_route_input() ip_rcv_finish() ip_rcv() It seems that ip_rcv() (in ip_input.c) calls the following, and I simply do not understand what this means: return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, ip_rcv_finish); I''m guessing that NF_IP_PRE_ROUTING (the PREROUTING hooks) are called before ip_rcv_finish is called, which means that the rp_filter action doesn''t occur until after the PREROUTING hooks. Is this ac...

...-434,7 +450,8 @@ unsigned length, struct ipcm_cookie *ipc, struct rtable *rt, - int flags) + int flags, + struct nf_ct_info *nfct) { unsigned int fraglen, maxfraglen, fragheaderlen; int err; @@ -599,6 +616,7 @@ =20 nfrags++; =20 + nfct_attach(skb, nfct); err =3D NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,=20 skb->dst->dev, output_maybe_reroute); if (err) { @@ -633,7 +651,8 @@ unsigned length, struct ipcm_cookie *ipc, struct rtable *rt, - int flags) + int flags, + struct nf_ct_info *nfct) { int err; struct sk_buff *s...

...tos, @@ -186,6 +204,11 @@ bridged_dnat: nf_bridge->mask |= BRNF_BRIDGED_DNAT; skb->dev = nf_bridge->physindev; clear_cb(skb); + if (skb->protocol == + __constant_htons(ETH_P_8021Q)) { + skb_push(skb, VLAN_HLEN); + skb->nh.raw -= VLAN_HLEN; + } NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, br_nf_pre_routing_finish_bridge, @@ -202,6 +225,10 @@ bridged_dnat: clear_cb(skb); skb->dev = nf_bridge->physindev; + if (skb->protocol == __constant_htons(ETH_P_8021Q)) { + skb_push(skb, VLAN_HLE...

...auses an oops. diff -Nru a/net/bridge/br_forward.c b/net/bridge/br_forward.c --- a/net/bridge/br_forward.c Mon Sep 8 09:29:44 2003 +++ b/net/bridge/br_forward.c Mon Sep 8 09:29:44 2003 @@ -59,6 +59,7 @@ indev = skb->dev; skb->dev = to->dev; + skb->ip_summed = CHECKSUM_NONE; NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev, __br_forward_finish);

...s are changed. diff -Nru a/net/bridge/br_forward.c b/net/bridge/br_forward.c --- a/net/bridge/br_forward.c Mon Sep 8 09:31:19 2003 +++ b/net/bridge/br_forward.c Mon Sep 8 09:31:19 2003 @@ -69,6 +69,7 @@ indev = skb->dev; skb->dev = to->dev; + skb->ip_summed = CHECKSUM_NONE; NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev, br_forward_finish);

...ng is that my application simply sets all of the outgoing data to a single priority. And it is not set to the default :-) I have tracked it down as far as the ip_queue_xmit function in net/ipv4/ip_output.c. There the skb->priority and the skb->sk field are correct however we go through the NF_HOOK, which is where I got lost. There is no reason I can think of that a socket should lose any of it''s options between these two points in the code. Could someone who understands the intermediate code let me know if this is a problem with the code or with the way I am setting the option on...

br_nf_forward_ip() { parent = bridge_parent(out); NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent, br_nf_forward_finish); } here, let us suppose pf = NFPROTO_IPV4, i think the return value of brnf_get_logical_dev(skb, in) equals parent ? its comment 'This is the 'purely bridged' case. For IP, we pass the packet to * n...

br_nf_forward_ip() { parent = bridge_parent(out); NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent, br_nf_forward_finish); } here, let us suppose pf = NFPROTO_IPV4, i think the return value of brnf_get_logical_dev(skb, in) equals parent ? its comment 'This is the 'purely bridged' case. For IP, we pass the packet to * n...

br_nf_forward_ip() { parent = bridge_parent(out); NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent, br_nf_forward_finish); } here, let us suppose pf = NFPROTO_IPV4, i think the return value of brnf_get_logical_dev(skb, in) equals parent ? its comment 'This is the 'purely bridged' case. For IP, we pass the packet to * n...

Probably, I''m not the first one who needs solve problem with p2p. Because, large part of my traffic is eaten by p2p software like KazAA, e-mule, Direct Connect etc, I''m looking for the way of detection of such traffic and marking it. However simple way with for instance 1214 port for KazAA doesn''t work because this software uses floating port technology. This traffic can

Hi, I have 2 servers which are connected to a gateway machine. The gateway and one server are running Linux 2.6.16.2, while the third machine is running 2.6.16.5. The two ethernet ports on the gateway which are connected to the servers are combined into a single ethernet bridge device. Ever since 2.6.16, I have noticed that I can no longer cross-mount the two servers' /home directories via

...ndev; + if (br_vlan_filter(skb, &br->vlan)) { + kfree_skb(skb); + return; + } + br->statistics.rx_packets++; br->statistics.rx_bytes += skb->len; indev = skb->dev; skb->dev = br->dev; + if (br_vlan_output_frame(&skb, br->vlan.untagged)) + return; + NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL, netif_receive_skb); } @@ -136,6 +144,10 @@ int br_handle_frame(struct net_bridge_po } if (p->state == BR_STATE_FORWARDING || p->state == BR_STATE_LEARNING) { + if (br_vlan_input_frame(skb, &p->vlan)) { + return 1; + } + if (...