[NETFILTER]: ip6table_mangle: reroute when nfmark changes in NF_IP6_LOCAL_OUT

Now that IPv6 supports policy routing we need to reroute in NF_IP6_LOCAL_OUT when the mark value changes. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-09-20 14:59:42 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 18:19:51 -0400
commit: 9123de2c043996050bacf77031cad845f5976f5d (patch)
tree: f6b20a74b75cca066d6ba6837d57fa82efe2a017
parent: 57dab5d0bfee21663ed20222b4cedeb0655ba1f3 (diff)
3 files changed, 3 insertions, 8 deletions
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 52a7b9e76428..d97e268cdfe5 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -73,6 +73,7 @@ enum nf_ip6_hook_priorities {
 };
 #ifdef CONFIG_NETFILTER
+extern int ip6_route_me_harder(struct sk_buff *skb);
 extern unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
                                    unsigned int dataoff, u_int8_t protocol);
diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
index 297909570041..6ca6b71dfe0f 100644
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -57,8 +57,6 @@ extern void			ip6_route_input(struct sk_buff *skb);
 extern struct dst_entry *       ip6_route_output(struct sock *sk,
                                                 struct flowi *fl);
-extern int                      ip6_route_me_harder(struct sk_buff *skb);
 extern void                     ip6_route_init(void);
 extern void                     ip6_route_cleanup(void);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 32db04fd8310..386ea260e767 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -180,12 +180,8 @@ ip6t_local_hook(unsigned int hook,
                && (memcmp(&(*pskb)->nh.ipv6h->saddr, &saddr, sizeof(saddr))
                    || memcmp(&(*pskb)->nh.ipv6h->daddr, &daddr, sizeof(daddr))
                    || (*pskb)->nfmark != nfmark
-                    || (*pskb)->nh.ipv6h->hop_limit != hop_limit)) {
+                    || (*pskb)->nh.ipv6h->hop_limit != hop_limit))
+                return ip6_route_me_harder(*pskb) == 0 ? ret : NF_DROP;
-                /* something which could affect routing has changed */
-                DEBUGP("ip6table_mangle: we'd need to re-route a packet\n");
-        }
        return ret;
 }
author	Patrick McHardy <kaber@trash.net>	2006-09-20 14:59:42 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 18:19:51 -0400
commit	9123de2c043996050bacf77031cad845f5976f5d (patch)
tree	f6b20a74b75cca066d6ba6837d57fa82efe2a017
parent	57dab5d0bfee21663ed20222b4cedeb0655ba1f3 (diff)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 52a7b9e76428..d97e268cdfe5 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h
@@ -73,6 +73,7 @@ enum nf_ip6_hook_priorities {
73	};	73	};
74		74
75	#ifdef CONFIG_NETFILTER	75	#ifdef CONFIG_NETFILTER
		76	extern int ip6_route_me_harder(struct sk_buff *skb);
76	extern unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,	77	extern unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
77	unsigned int dataoff, u_int8_t protocol);	78	unsigned int dataoff, u_int8_t protocol);
78		79


diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h index 297909570041..6ca6b71dfe0f 100644 --- a/include/net/ip6_route.h +++ b/include/net/ip6_route.h
@@ -57,8 +57,6 @@ extern void ip6_route_input(struct sk_buff *skb);
57	extern struct dst_entry * ip6_route_output(struct sock *sk,	57	extern struct dst_entry * ip6_route_output(struct sock *sk,
58	struct flowi *fl);	58	struct flowi *fl);
59		59
60	extern int ip6_route_me_harder(struct sk_buff *skb);
61
62	extern void ip6_route_init(void);	60	extern void ip6_route_init(void);
63	extern void ip6_route_cleanup(void);	61	extern void ip6_route_cleanup(void);
64		62


diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 32db04fd8310..386ea260e767 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -180,12 +180,8 @@ ip6t_local_hook(unsigned int hook,
180	&& (memcmp(&(*pskb)->nh.ipv6h->saddr, &saddr, sizeof(saddr))	180	&& (memcmp(&(*pskb)->nh.ipv6h->saddr, &saddr, sizeof(saddr))
181	\|\| memcmp(&(*pskb)->nh.ipv6h->daddr, &daddr, sizeof(daddr))	181	\|\| memcmp(&(*pskb)->nh.ipv6h->daddr, &daddr, sizeof(daddr))
182	\|\| (*pskb)->nfmark != nfmark	182	\|\| (*pskb)->nfmark != nfmark
183	\|\| (*pskb)->nh.ipv6h->hop_limit != hop_limit)) {	183	\|\| (*pskb)->nh.ipv6h->hop_limit != hop_limit))
184		184	return ip6_route_me_harder(*pskb) == 0 ? ret : NF_DROP;
185	/* something which could affect routing has changed */
186
187	DEBUGP("ip6table_mangle: we'd need to re-route a packet\n");
188	}
189		185
190	return ret;	186	return ret;
191	}	187	}