ipt_time fixes (resend, sorry)

Krzysztof Oledzki olenf at ans.pl
Fri Jan 14 16:24:01 CET 2005



On Fri, 14 Jan 2005, Samuel Jean wrote:

> On Fri, January 14, 2005 9:48 am, Krzysztof Oledzki said:
>>> This is most likely due to Andi Kleen's net timestamp optimization,
>>> which
>>> avoids calling gettimeofday in the network fastpath unless it is needed.
>>
>> I see... So, where we should fix this in netfilter code?
>
> Am sorry, I haven't looked much at your patches. But here's my opinion.
>
> Netfilter shouldn't enable this for the unique reason a match/target
> will possibly rely on this.
>
> I think it's the job of the first rule (of a given module) seeing that
> 'new' packet to keep counting the last-seen time. Yes, the stamp is a bit
> later than it should be. But that's not dramatic and still consistent among
> multiple rules (of a common module) needing that reference.

OK, How about...

diff -Nur patch-o-matic-ng-20050113-orig/time/linux/include/linux/netfilter_ipv4/ipt_time.h patch-o-matic-ng-20050113/time/linux/include/linux/netfilter_ipv4/ipt_time.h
--- patch-o-matic-ng-20050113-orig/time/linux/include/linux/netfilter_ipv4/ipt_time.h	2004-05-05 12:11:24.000000000 +0200
+++ patch-o-matic-ng-20050113/time/linux/include/linux/netfilter_ipv4/ipt_time.h	2005-01-14 16:06:54.000000000 +0100
@@ -6,7 +6,10 @@
  	u_int8_t  days_match;   /* 1 bit per day. -SMTWTFS                      */
  	u_int16_t time_start;   /* 0 < time_start < 23*60+59 = 1439             */
  	u_int16_t time_stop;    /* 0:0 < time_stat < 23:59                      */
+
+				/* FIXME: Keep this one for userspace iptables binary compability: */
  	u_int8_t  kerneltime;   /* ignore skb time (and use kerneltime) or not. */
+
  	time_t    date_start;
  	time_t    date_stop;
  };
diff -Nur patch-o-matic-ng-20050113-orig/time/linux/net/ipv4/netfilter/ipt_time.c patch-o-matic-ng-20050113/time/linux/net/ipv4/netfilter/ipt_time.c
--- patch-o-matic-ng-20050113-orig/time/linux/net/ipv4/netfilter/ipt_time.c	2004-05-05 12:11:24.000000000 +0200
+++ patch-o-matic-ng-20050113/time/linux/net/ipv4/netfilter/ipt_time.c	2005-01-14 16:15:30.000000000 +0100
@@ -56,24 +56,17 @@
  	struct tm currenttime;                          /* time human readable */
  	u_int8_t days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
  	u_int16_t packet_time;
-	struct timeval kerneltimeval;
-	time_t packet_local_time;

-	/* if kerneltime=1, we don't read the skb->timestamp but kernel time instead */
-	if (info->kerneltime)
-	{
-		do_gettimeofday(&kerneltimeval);
-		packet_local_time = kerneltimeval.tv_sec;
-	}
-	else
-		packet_local_time = skb->stamp.tv_sec;
+	/* We might not have a timestamp, get one */
+	if (skb->stamp.tv_sec == 0)
+		do_gettimeofday((struct timeval *)&skb->stamp);

  	/* First we make sure we are in the date start-stop boundaries */
-	if ((packet_local_time < info->date_start) || (packet_local_time > info->date_stop))
+	if ((skb->stamp.tv_sec < info->date_start) || (skb->stamp.tv_sec > info->date_stop))
  		return 0; /* We are outside the date boundaries */

  	/* Transform the timestamp of the packet, in a human readable form */
-	localtime(&packet_local_time, &currenttime);
+	localtime(&skb->stamp.tv_sec, &currenttime);

  	/* check if we match this timestamp, we start by the days... */
  	if ((days_of_week[currenttime.tm_wday] & info->days_match) != days_of_week[currenttime.tm_wday])
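Review bot: The added `do_gettimeofday((struct timeval *)&skb->stamp)` writes into the packet from inside the match, and the cast looks like it is only there to strip a const qualifier from `skb` (the signature is outside the hunk, so this is inferred). If the stamp does not need to persist for later rules, a local copy avoids the write: `struct timeval tv = skb->stamp;` followed by `if (tv.tv_sec == 0) do_gettimeofday(&tv);`, with `tv.tv_sec` used in the date check and the `localtime()` call. If the write is deliberate, as the thread suggests, say so above the cast, e.g. `/* stamp the skb on purpose so later time rules see the same value */`, and note that `tv_sec == 0` is the only "no timestamp" signal being relied on. The same hunk appears again in the attached copy of the patch, and the enclosing function starts and ends outside the hunk.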
@@ -104,11 +97,6 @@
  		printk("ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)\n");
  		return 0;
  	}
-	/* we use the kerneltime if we are in forward or output */
-	info->kerneltime = 1;
-	if (hook_mask & ~((1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT))) 
-		/* we use the skb time */
-		info->kerneltime = 0;

  	/* Check the size */
  	if (matchsize != IPT_ALIGN(sizeof(struct ipt_time_info)))

Best regards,

 			Krzysztof Olędzki
-------------- next part --------------
diff -Nur patch-o-matic-ng-20050113-orig/time/linux/include/linux/netfilter_ipv4/ipt_time.h patch-o-matic-ng-20050113/time/linux/include/linux/netfilter_ipv4/ipt_time.h
--- patch-o-matic-ng-20050113-orig/time/linux/include/linux/netfilter_ipv4/ipt_time.h	2004-05-05 12:11:24.000000000 +0200
+++ patch-o-matic-ng-20050113/time/linux/include/linux/netfilter_ipv4/ipt_time.h	2005-01-14 16:06:54.000000000 +0100
@@ -6,7 +6,10 @@
 	u_int8_t  days_match;   /* 1 bit per day. -SMTWTFS                      */
 	u_int16_t time_start;   /* 0 < time_start < 23*60+59 = 1439             */
 	u_int16_t time_stop;    /* 0:0 < time_stat < 23:59                      */
+
+				/* FIXME: Keep this one for userspace iptables binary compability: */
 	u_int8_t  kerneltime;   /* ignore skb time (and use kerneltime) or not. */
+
 	time_t    date_start;
 	time_t    date_stop;
 };
diff -Nur patch-o-matic-ng-20050113-orig/time/linux/net/ipv4/netfilter/ipt_time.c patch-o-matic-ng-20050113/time/linux/net/ipv4/netfilter/ipt_time.c
--- patch-o-matic-ng-20050113-orig/time/linux/net/ipv4/netfilter/ipt_time.c	2004-05-05 12:11:24.000000000 +0200
+++ patch-o-matic-ng-20050113/time/linux/net/ipv4/netfilter/ipt_time.c	2005-01-14 16:15:30.000000000 +0100
@@ -56,24 +56,17 @@
 	struct tm currenttime;                          /* time human readable */
 	u_int8_t days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
 	u_int16_t packet_time;
-	struct timeval kerneltimeval;
-	time_t packet_local_time;
 
-	/* if kerneltime=1, we don't read the skb->timestamp but kernel time instead */
-	if (info->kerneltime)
-	{
-		do_gettimeofday(&kerneltimeval);
-		packet_local_time = kerneltimeval.tv_sec;
-	}
-	else
-		packet_local_time = skb->stamp.tv_sec;
+	/* We might not have a timestamp, get one */
+	if (skb->stamp.tv_sec == 0)
+		do_gettimeofday((struct timeval *)&skb->stamp);
 
 	/* First we make sure we are in the date start-stop boundaries */
-	if ((packet_local_time < info->date_start) || (packet_local_time > info->date_stop))
+	if ((skb->stamp.tv_sec < info->date_start) || (skb->stamp.tv_sec > info->date_stop))
 		return 0; /* We are outside the date boundaries */
 
 	/* Transform the timestamp of the packet, in a human readable form */
-	localtime(&packet_local_time, &currenttime);
+	localtime(&skb->stamp.tv_sec, &currenttime);
 
 	/* check if we match this timestamp, we start by the days... */
 	if ((days_of_week[currenttime.tm_wday] & info->days_match) != days_of_week[currenttime.tm_wday])
@@ -104,11 +97,6 @@
 		printk("ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)\n");
 		return 0;
 	}
-	/* we use the kerneltime if we are in forward or output */
-	info->kerneltime = 1;
-	if (hook_mask & ~((1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT))) 
-		/* we use the skb time */
-		info->kerneltime = 0;
 
 	/* Check the size */
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_time_info)))

