From: Ric Wheeler <ric@emc.com>
To: Patrick McHardy <kaber@trash.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Yair Itzhaki <Yair@arx.com>,
	netdev@oss.sgi.com, netfilter-devel@lists.netfilter.org,
	linux-kernel@vger.kernel.org, "Chitrapu,
	Kishore" <Chitrapu_Kishore@emc.com>,
	"Mellors, Andrew" <Mellors_Andrew@emc.com>
Subject: Re: Re-routing packets via netfilter (ip_rt_bug)
Date: Thu, 14 Jul 2005 08:27:45 -0400
Message-ID: <42D65A41.7070403__33785.859301179$1121344546$gmane$org@emc.com>
In-Reply-To: <4151C0F9B9C25C47B3328922A6297A3286CFB8@post.arx.com>


Patrick, Herbert,

This issue still seems to be in the latest trees - is this patch or a
variation on it still bumping around?

Thanks!

Yair Itzhaki wrote:

>Can anyone propose a patch that I can start checking?
>
>I have come up with the following:
>
>--- net/core/netfilter.c.orig   2005-04-18 21:55:30.000000000 +0300
>+++ net/core/netfilter.c        2005-05-02 17:35:20.000000000 +0300
>@@ -622,9 +622,10 @@
>        /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
>         * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
>         */
>-       if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
>+       if ((inet_addr_type(iph->saddr) == RTN_LOCAL) ||
>+           (inet_addr_type(iph->daddr) == RTN_LOCAL)) {
>                fl.nl_u.ip4_u.daddr = iph->daddr;
>-               fl.nl_u.ip4_u.saddr = iph->saddr;
>+               fl.nl_u.ip4_u.saddr = 0;
>                fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
>                fl.oif = (*pskb)->sk ? (*pskb)->sk->sk_bound_dev_if : 0;
> #ifdef CONFIG_IP_ROUTE_FWMARK
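
Review bot: In the flow-key setup, `fl.nl_u.ip4_u.saddr = 0` now applies to every packet that enters this branch, including the original case where `iph->saddr` is RTN_LOCAL, so the lookup for ordinary locally sourced packets no longer carries their source address. If the goal is only to cover packets with a foreign saddr and a local daddr, keep `fl.nl_u.ip4_u.saddr = iph->saddr` when the source is local and zero it only for the new daddr-local case. The comment above the condition still describes only the foreign-saddr situation and should be updated to explain why a local daddr now takes this branch. Note also that the quoted discussion further down favours moving these packets to FORWARD, which this hunk does not do.
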
>
>Please advise,
>Yair
>
>>-----Original Message-----
>>From: Patrick McHardy [mailto:kaber@trash.net]
>>Sent: Wednesday, April 27, 2005 14:05
>>To: Herbert Xu
>>Cc: Jozsef Kadlecsik; netdev@oss.sgi.com; 
>>netfilter-devel@lists.netfilter.org; Yair Itzhaki; 
>>linux-kernel@vger.kernel.org
>>Subject: Re: Re-routing packets via netfilter (ip_rt_bug)
>>
>>Herbert Xu wrote:
>>
>>>Here is another reason why these packets should go through FORWARD.
>>>They were generated in response to packets in INPUT/FORWARD/OUTPUT.
>>>The original packet has not undergone SNAT in any of these cases.
>>>
>>>However, if we feed the response packet through LOCAL_OUT it will
>>>be subject to DNAT.  This creates a NAT asymmetry and we may end
>>>up with the wrong destination address.
>>>
>>>By pushing it through FORWARD it will only undergo SNAT which is
>>>correct since the original packet would have undergone DNAT.
>>>
>>This is only a problem since the recent NAT changes, but I agree
>>that we should fix it by moving these packets to FORWARD.
>>
>>Regards
>>Patrick
