Appended is a 2nd version that uses nf_reset_debug.
- do not use skb_checksum_help in input path as ipvs can handle
incoming CHECKSUM_HW packets
- do not use skb_checksum_help in forwarding path
- claim that checksum is valid (CHECKSUM_NONE) when entering output
path for out->in packets
- do not reset/destroy the nfct in IP_VS_XMIT; the intention is to
reset only the debugging field, to avoid log floods from the nf_debug_ip_*
functions. It is known that the ipvs packets traverse other
hooks, e.g. LOCAL_IN->LOCAL_OUT. Use nf_reset_debug instead of nf_reset.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
skb->nf_debug = 0;
#endif
}
+static inline void nf_reset_debug(struct sk_buff *skb)
+{
+#ifdef CONFIG_NETFILTER_DEBUG
+ skb->nf_debug = 0;
+#endif
+}
#ifdef CONFIG_BRIDGE_NETFILTER
static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)
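Review bot: nf_reset_debug() repeats the `#ifdef CONFIG_NETFILTER_DEBUG` / `skb->nf_debug = 0;` pair that closes the function just above it, so the two copies can drift apart. That function is presumably nf_reset(), whose start lies outside the hunk. Defining nf_reset_debug() first and ending nf_reset() with `nf_reset_debug(skb);` would keep a single copy. The new helper also has no comment saying how it differs from nf_reset(); going by the commit message, something like `/* Clear only the netfilter debug mask; the conntrack reference (nfct) is left attached. */` would tell callers which one to use.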
if (skb->nfcache & NFC_IPVS_PROPERTY)
return NF_ACCEPT;
- if (skb->ip_summed == CHECKSUM_HW) {
- if (skb_checksum_help(pskb, (out == NULL)))
- return NF_DROP;
- if (skb != *pskb)
- skb = *pskb;
- }
-
iph = skb->nh.iph;
if (unlikely(iph->protocol == IPPROTO_ICMP)) {
int related, verdict = ip_vs_out_icmp(pskb, &related);
return NF_ACCEPT;
}
- if (skb->ip_summed == CHECKSUM_HW) {
- if (skb_checksum_help(pskb, (out == NULL)))
- return NF_DROP;
- if (skb != *pskb)
- skb = *pskb;
- }
-
iph = skb->nh.iph;
if (unlikely(iph->protocol == IPPROTO_ICMP)) {
int related, verdict = ip_vs_in_icmp(pskb, &related);
dst_release(old_dst);
}
-
#define IP_VS_XMIT(skb, rt) \
do { \
- nf_reset(skb); \
+ nf_reset_debug(skb); \
(skb)->nfcache |= NFC_IPVS_PROPERTY; \
+ (skb)->ip_summed = CHECKSUM_NONE; \
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \
(rt)->u.dst.dev, dst_output); \
} while (0)
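Review bot: IP_VS_XMIT now changes two things for every caller, and neither is documented at the definition: the nfct stays attached, and `(skb)->ip_summed = CHECKSUM_NONE` is set unconditionally. Since the conntrack reference survives into NF_IP_LOCAL_OUT, filter rules on that hook will presumably match on state established at the earlier hook, which anyone auditing a ruleset in front of ipvs would want stated. Forcing CHECKSUM_NONE is only correct if each transmitter has already finished the checksum in software, and this commit also removes the skb_checksum_help calls from the input and forwarding paths; the transmitters are not visible here, so this should be confirmed. A comment above the macro would record both, e.g. `/* nfct is kept on purpose (only nf_debug is cleared); callers must have completed all checksums before IP_VS_XMIT. */`.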
ip_select_ident(iph, &rt->u.dst, NULL);
ip_send_check(iph);
- skb->ip_summed = CHECKSUM_NONE;
-
/* Another hack: avoid icmp_send in ip_fragment */
skb->local_df = 1;