| From foo@baz Wed Apr 11 10:26:56 CEST 2018 |
| From: Jeff Barnhill <0xeffeff@gmail.com> |
| Date: Thu, 5 Apr 2018 21:29:47 +0000 |
| Subject: net/ipv6: Increment OUTxxx counters after netfilter hook |
| |
| From: Jeff Barnhill <0xeffeff@gmail.com> |
| |
| |
| [ Upstream commit 71a1c915238c970cd9bdd5bf158b1279d6b6d55b ] |
| |
| At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and |
| IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call |
| for NFPROTO_IPV6 / NF_INET_FORWARD. As a result, these counters get |
| incremented regardless of whether or not the netfilter hook allows the |
| packet to continue being processed. This change increments the counters |
| in ip6_forward_finish() so that it will not happen if the netfilter hook |
| chooses to terminate the packet, which is similar to how IPv4 works. |
| |
| Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv6/ip6_output.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/net/ipv6/ip6_output.c |
| +++ b/net/ipv6/ip6_output.c |
| @@ -356,6 +356,11 @@ static int ip6_forward_proxy_check(struc |
| static inline int ip6_forward_finish(struct net *net, struct sock *sk, |
| struct sk_buff *skb) |
| { |
| + struct dst_entry *dst = skb_dst(skb); |
| + |
| + __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); |
| + __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len); |
| + |
| return dst_output(net, sk, skb); |
| } |
| |
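Review bot: The two added stats calls in ip6_forward_finish() have no comment explaining why they sit in the hook continuation rather than in ip6_forward(), and that placement is the entire fix; a comment above them such as `/* Count only packets the NF_INET_FORWARD hook let through, as IPv4 does. */` would keep a later cleanup from moving them back. The counters are now keyed on `skb_dst(skb)` and `skb->len` as they stand after the hook has run, so if a hook can alter either, the values may differ from what ip6_forward() would have counted; that looks intended, but the comment should say so, since these counters are what operators reconcile against filter drops. The `__`-prefixed stat macros presumably rely on the caller's execution context, so it is worth confirming that every path that can invoke this callback, not only the inline continuation from ip6_forward(), satisfies it. As a small style point, `ip6_dst_idev(dst)` is evaluated twice and could be held in a local `struct inet6_dev *idev`.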
| @@ -549,8 +554,6 @@ int ip6_forward(struct sk_buff *skb) |
| |
| hdr->hop_limit--; |
| |
| - __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); |
| - __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len); |
| return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, |
| net, NULL, skb, skb->dev, dst->dev, |
| ip6_forward_finish); |