icmp_send function broken?

icmp_send function broken?

[Pierre Rondou]

Hello,

I'm a student at the University of Liege, currently developing a NAT64 
(see RFC 6146) module for Netfilter.

I am using the icmp_send() function in my module to send icmp message in 
case the packet represent an error (like, TTL exceeded or DEST_UNREACHABLE).

But it seems to be broken for me, the dst of the original packet doesn't 
seem to be set.

I'm using 2.6.32-5 kernel to developp, but the function itself didn't 
seem to have been updated in the 2.6.38 kernel.

The modification I had to apply is to re-execute the routing process on 
the incoming paquet in order to get the ICMP packet sent:

    if (!rt)
    {
       memset(&fl, 0, sizeof(fl));
       fl.fl4_dst = oldip->daddr;
       fl.fl4_tos = RT_TOS(oldip->tos);
       fl.proto = skb_in->protocol;

       if (ip_route_output_key(&init_net, &temp, &fl))
          goto out;

       if (!temp)
       {
          pr_info("NAT64: rt null\n");
          goto out;
       }
       rt = temp;
    }

instead of the simple

    if (!rt)
//       goto out;

Is there an other reason why the rtable of the incoming packet was not set?

Regards,

Pierre

Re: icmp_send function broken?

[Eric Dumazet]

Le mardi 24 mai 2011 à 15:09 +0200, Pierre Rondou a écrit :
> Hello,
> 
> I'm a student at the University of Liege, currently developing a NAT64 
> (see RFC 6146) module for Netfilter.
> 
> I am using the icmp_send() function in my module to send icmp message in 
> case the packet represent an error (like, TTL exceeded or DEST_UNREACHABLE).
> 
> But it seems to be broken for me, the dst of the original packet doesn't 
> seem to be set.
> 
> I'm using 2.6.32-5 kernel to developp, but the function itself didn't 
> seem to have been updated in the 2.6.38 kernel.
> 

You really should use 2.6.39 kernel for your dev...

> The modification I had to apply is to re-execute the routing process on 
> the incoming paquet in order to get the ICMP packet sent:



> instead of the simple
> 
>     if (!rt)
> //       goto out;
> 
> Is there an other reason why the rtable of the incoming packet was not set?

It is set by caller.

check ip_rcv_finish()

Also please take a look at commit 64f3b9e203bd06855
net: ip_expire() must revalidate route

[ Since I understand from a prior mail that you maybe queued an skb for
a while for your defrag purpose ]



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: icmp_send function broken?

[Pierre Rondou]

Le 24/05/11 15:26, Eric Dumazet a écrit :
>> I'm using 2.6.32-5 kernel to developp, but the function itself didn't
>> seem to have been updated in the 2.6.38 kernel.
>>
>>      
> You really should use 2.6.39 kernel for your dev...
>    

It is a long-term work (started in October 2010), plus I rely on Xtables 
to develop it, I used a stable kernel, as my module does not involve 
kernel re-compilation.

>    
>> The modification I had to apply is to re-execute the routing process on
>> the incoming paquet in order to get the ICMP packet sent:
>>      
>
>
>    
>> instead of the simple
>>
>>      if (!rt)
>> //       goto out;
>>
>> Is there an other reason why the rtable of the incoming packet was not set?
>>      
> It is set by caller.
>
> check ip_rcv_finish()
>
> Also please take a look at commit 64f3b9e203bd06855
> net: ip_expire() must revalidate route
>
> [ Since I understand from a prior mail that you maybe queued an skb for
> a while for your defrag purpose ]
>    

It is a packet that has just been matched by an iptables rule (my module 
is simply branched on a hook), so no queue for it.
So i just should just process the routing before calling the icmp_send() 
function?

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html