On Tue, 9 Mar 2021, Pablo Neira Ayuso wrote: > On Mon, Mar 08, 2021 at 09:21:20AM -0700, Marc Aurèle La France wrote: >> On Mon, 8 Mar 2021, Pablo Neira Ayuso wrote: >>> On Sun, Mar 07, 2021 at 06:16:34PM -0700, Marc Aurèle La France wrote: >>>> In the non-bridge case, the REJECT target code assumes the REJECTed >>>> packets were originally emitted by the local host, but that's not >>>> necessarily true when the local host is the default route of a subnet >>>> it is on, resulting in RST packets being sent out with an incorrect >>>> destination MAC. Address this by refactoring the handling of bridged >>>> packets which deals with a similar issue. Modulo patch fuzz, the >>>> following applies to v5 and later kernels. >>> The code this patch updates is related to BRIDGE_NETFILTER. Your patch >>> description refers to the non-bridge case. What are you trying to >>> achieve? >> Via DHCP, my subnet's default route is a Linux system so that it can monitor >> all outbound traffic. By doing so, for example, I have determined that my >> Android phone connects to Facebook despite the fact that I have no such app >> installed. I want to know, and control, what other behind-the-scenes >> (under-handed) traffic devices on my subnet generate. >>> dev_queue_xmit() path should not be exercised from the prerouting >>> chain, packets generated from the IP later must follow the >>> ip_local_out() path. >> Well, I can tell you dev_queue_xmit() does in fact work in prerouting >> chains, as it must for the bridging case. The only potential problem I've >> found so far is that the RST packet doesn't go through any netfilter hooks. > That's the issue, Netfilter rejects code from the IP layer, so the > packets follows the ip_local_out() path. ... which sets an incorrect destination MAC. Also, in this case, netfilter doesn't reject any such thing. It doesn't even "see" the RST packet dev_queue_xmit() sends out. That's OK as there is no further need to process such a packet. At least, the device whose connection request is being denied doesn't hang anymore... > You could use ingress to reject through dev_queue_xmit() / neigh_xmit(). I'm sticking to my guns. I'm a firm believer in the KISS principle, part of a dying breed to be sure. Marc.