Commit 3560d357 authored by Julian Anastasov's avatar Julian Anastasov Committed by David S. Miller

[IPVS]: Do not use skb_checksum_help(), create and use nf_reset_debug()

	Appended is a 2nd version that uses nf_reset_debug.

- do not use skb_checksum_help in input path as ipvs can handle
incoming CHECKSUM_HW packets

- do not use skb_checksum_help in forwarding path

- claim that checksum is valid (CHECKSUM_NONE) when entering output
path for out->in packets

- do not reset/destroy the nfct in IP_VS_XMIT; the intention is to
reset only the debugging field, to avoid log floods from the nf_debug_ip_*
functions, since it is known that ipvs packets traverse other
hooks, e.g. LOCAL_IN->LOCAL_OUT. Use nf_reset_debug instead of nf_reset.
Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ef9a2917
...@@ -1159,6 +1159,12 @@ static inline void nf_reset(struct sk_buff *skb) ...@@ -1159,6 +1159,12 @@ static inline void nf_reset(struct sk_buff *skb)
skb->nf_debug = 0; skb->nf_debug = 0;
#endif #endif
} }
static inline void nf_reset_debug(struct sk_buff *skb)
{
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
}
#ifdef CONFIG_BRIDGE_NETFILTER #ifdef CONFIG_BRIDGE_NETFILTER
static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge) static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)
......
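Review bot: nf_reset_debug() is added without a comment saying how it differs from nf_reset() directly above it, and that difference is the security-relevant part of the change. Going by the commit message, the conntrack reference (nfct) now stays attached to the skb when ipvs re-injects it, so rules on the later hooks see the existing connection state rather than a fresh packet. A one-line header such as `/* Clear only nf_debug; unlike nf_reset() the nfct reference is kept. */` would make that explicit for future callers. The body also repeats the `#ifdef CONFIG_NETFILTER_DEBUG` tail of nf_reset(), so the two can drift apart. The start of nf_reset() is outside the visible lines, so whether it could simply call the new helper needs checking against the full function.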
...@@ -743,13 +743,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff **pskb, ...@@ -743,13 +743,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff **pskb,
if (skb->nfcache & NFC_IPVS_PROPERTY) if (skb->nfcache & NFC_IPVS_PROPERTY)
return NF_ACCEPT; return NF_ACCEPT;
if (skb->ip_summed == CHECKSUM_HW) {
if (skb_checksum_help(pskb, (out == NULL)))
return NF_DROP;
if (skb != *pskb)
skb = *pskb;
}
iph = skb->nh.iph; iph = skb->nh.iph;
if (unlikely(iph->protocol == IPPROTO_ICMP)) { if (unlikely(iph->protocol == IPPROTO_ICMP)) {
int related, verdict = ip_vs_out_icmp(pskb, &related); int related, verdict = ip_vs_out_icmp(pskb, &related);
...@@ -993,13 +986,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff **pskb, ...@@ -993,13 +986,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff **pskb,
return NF_ACCEPT; return NF_ACCEPT;
} }
if (skb->ip_summed == CHECKSUM_HW) {
if (skb_checksum_help(pskb, (out == NULL)))
return NF_DROP;
if (skb != *pskb)
skb = *pskb;
}
iph = skb->nh.iph; iph = skb->nh.iph;
if (unlikely(iph->protocol == IPPROTO_ICMP)) { if (unlikely(iph->protocol == IPPROTO_ICMP)) {
int related, verdict = ip_vs_in_icmp(pskb, &related); int related, verdict = ip_vs_in_icmp(pskb, &related);
......
...@@ -124,11 +124,11 @@ ip_vs_dst_reset(struct ip_vs_dest *dest) ...@@ -124,11 +124,11 @@ ip_vs_dst_reset(struct ip_vs_dest *dest)
dst_release(old_dst); dst_release(old_dst);
} }
#define IP_VS_XMIT(skb, rt) \ #define IP_VS_XMIT(skb, rt) \
do { \ do { \
nf_reset(skb); \ nf_reset_debug(skb); \
(skb)->nfcache |= NFC_IPVS_PROPERTY; \ (skb)->nfcache |= NFC_IPVS_PROPERTY; \
(skb)->ip_summed = CHECKSUM_NONE; \
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \
(rt)->u.dst.dev, dst_output); \ (rt)->u.dst.dev, dst_output); \
} while (0) } while (0)
...@@ -408,8 +408,6 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, ...@@ -408,8 +408,6 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
ip_select_ident(iph, &rt->u.dst, NULL); ip_select_ident(iph, &rt->u.dst, NULL);
ip_send_check(iph); ip_send_check(iph);
skb->ip_summed = CHECKSUM_NONE;
/* Another hack: avoid icmp_send in ip_fragment */ /* Another hack: avoid icmp_send in ip_fragment */
skb->local_df = 1; skb->local_df = 1;
......
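Review bot: The new `(skb)->ip_summed = CHECKSUM_NONE;` line in IP_VS_XMIT carries no comment, yet after this commit it is the only visible place where the checksum state is reset. The CHECKSUM_HW handling in ip_vs_in()/ip_vs_out() and the explicit assignment in ip_vs_tunnel_xmit() are both removed. The commit message describes the value as a claim that the checksum is valid, so every caller has to finish its header rewriting and checksum updates before invoking the macro. The transmit functions that do the rewriting are outside the visible lines, so this should be confirmed there for packets that arrived as CHECKSUM_HW. I would add `/* checksums must be final here; the output path will not fix them up */ \` above the assignment, and as a style point write `nf_reset_debug((skb));` or otherwise match the `(skb)` parenthesization used on the following lines.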