From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: David Miller <davem@davemloft.net>
Cc: Netdev <netdev@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] net/icmp: restore source address if packet is NATed
Date: Mon, 26 Jun 2017 00:52:09 +0200	[thread overview]
Message-ID: <CAHmME9pJ3bFR+hk6zb71SYzgamy7qHS7TY20qdw3EcCHp5Ghsw@mail.gmail.com> (raw)
In-Reply-To: <20170625.114927.1055286919675288173.davem@davemloft.net>

Hi David,

On Sun, Jun 25, 2017 at 5:49 PM, David Miller <davem@davemloft.net> wrote:
> This violates things on so many levels.

Yes, indeed.

> I think this kind of thing need to be hidden inside of netfilter,
> it can do the rate limiting and stuff like that in the spot
> where it makes the transformation and knows all of the original
> addressing and ports.

Indeed I'd prefer that, and I'll look again into trying to make that
work. But when I tried last, it seemed like there were some
insurmountable challenges. With the ratelimiting, the limit has
already been applied to one IP -- the masqueraded one -- before
netfilter even has a chance to act -- so that IP will already hit the
ratelimits well before any additional one inside netfilter would. Then
the issue of transformation: last I looked it seemed like icmp_send
threw away a bit too much information to do the transformation
entirely correctly, but I could be wrong, so I'll give it another
look. Hopefully it winds up being as easy as just reverse-transforming
ICMP's payload IP header.

>
> You definitely can't just rewrite header fields here either.  The
> SKB could be shared, for example.

I was afraid of that. It's easy to rework this particular patch,
though, if you're still interested in the crufty bolt-on approach...
But I think I should investigate the netfilter-only approach instead,
as you suggested.

Jason

Thread overview: 7+ messages
2017-06-24  2:17 [PATCH] net/icmp: restore source address if packet is NATed Jason A. Donenfeld
2017-06-25 15:49 ` David Miller
2017-06-25 22:52   ` Jason A. Donenfeld [this message]
2017-06-26  1:48     ` David Miller
2017-11-08 14:08 Jason A. Donenfeld
2017-11-09  0:01 ` Florian Westphal
2017-11-09  0:35   ` Jason A. Donenfeld