Re-routing packets via netfilter (ip_rt_bug)

classic Classic list List threaded Threaded
22 messages Options
12
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Re-routing packets via netfilter (ip_rt_bug)

Ric Wheeler

Patrick, Hebert,

This issues stills seems to be in the latest trees - is this patch or a
variation on it still bumping around?

Thanks!

Yair Itzhaki wrote:

>Can anyone propose a patch that I can start checking?
>
>I have come up with the following:
>
>--- net/core/netfilter.c.orig   2005-04-18 21:55:30.000000000 +0300
>+++ net/core/netfilter.c        2005-05-02 17:35:20.000000000 +0300
>@@ -622,9 +622,10 @@
>        /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
>         * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
>         */
>-       if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
>+       if ((inet_addr_type(iph->saddr) == RTN_LOCAL) ||
>+           (inet_addr_type(iph->daddr) == RTN_LOCAL)) {
>                fl.nl_u.ip4_u.daddr = iph->daddr;
>-               fl.nl_u.ip4_u.saddr = iph->saddr;
>+               fl.nl_u.ip4_u.saddr = 0;
>                fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
>                fl.oif = (*pskb)->sk ? (*pskb)->sk->sk_bound_dev_if : 0;
> #ifdef CONFIG_IP_ROUTE_FWMARK
>
>Please advise,
>Yair
>
>
>  
>
>>-----Original Message-----
>>From: Patrick McHardy [mailto:[hidden email]]
>>Sent: Wednesday, April 27, 2005 14:05
>>To: Herbert Xu
>>Cc: Jozsef Kadlecsik; [hidden email];
>>[hidden email]; Yair Itzhaki;
>>[hidden email]
>>Subject: Re: Re-routing packets via netfilter (ip_rt_bug)
>>
>>
>>Herbert Xu wrote:
>>    
>>
>>>Here is another reason why these packets should go through FORWARD.
>>>They were generated in response to packets in INPUT/FORWARD/OUTPUT.
>>>The original packet has not undergone SNAT in any of these cases.
>>>
>>>However, if we feed the response packet through LOCAL_OUT it will
>>>be subject to DNAT.  This creates a NAT asymmetry and we may end
>>>up with the wrong destination address.
>>>
>>>By pushing it through FORWARD it will only undergo SNAT which is
>>>correct since the original packet would have undergone DNAT.
>>>      
>>>
>>This is only a problem since the recent NAT changes, but I agree
>>that we should fix it by moving these packets to FORWARD.
>>
>>Regards
>>Patrick
>>
>>    
>>
>
>  
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Re-routing packets via netfilter (ip_rt_bug)

Helbing63
This post has NOT been accepted by the mailing list yet.
In reply to this post by Yair Itzhaki
I have been using free VPN but it is not that good because network is always congested which leads to slower connection. I just finished reading expressvpn review and it seems like a good option. Does anyone here have experience with this VPN? If yes, please share.
12
Loading...