From 676cff8256b0eb9775ed878b172504b359db2d82 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Tue, 23 Aug 2011 04:24:47 +0000
Subject: [PATCH] netfilter: TCP and raw fix for ip_route_me_harder
This fixes a case where SNAT/masquerading is not done.
David Miller has queued this for 3.0.y.
svn path=/dists/sid/linux-2.6/; revision=17987
---
 debian/changelog | 2 +
 ...P-and-raw-fix-for-ip_route_me_harder.patch | 67 +++++++++++++++++++
 debian/patches/series/3 | 1 +
 3 files changed, 70 insertions(+)
 create mode 100644 debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
diff --git a/debian/changelog b/debian/changelog
index 52424f05c..7008f6004 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ linux-2.6 (3.0.0-3) UNRELEASED; urgency=low
 - atm: br2864: sent packets truncated in VC routed mode (Closes: #638656)
 For the complete list of changes, see:
 http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.3
+ * netfilter: TCP and raw fix for ip_route_me_harder (fixes case where
+ SNAT/masquerading is not done)
 
 -- Ben Hutchings Sun, 21 Aug 2011 16:18:29 +0100
diff --git a/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch b/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
new file mode 100644
index 000000000..621264055
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
@@ -0,0 +1,67 @@
+From: Julian Anastasov
+Date: Sun, 7 Aug 2011 09:11:00 +0000
+Subject: [PATCH] netfilter: TCP and raw fix for ip_route_me_harder
+
+commit 797fd3913abf2f7036003ab8d3d019cbea41affd upstream.
+
+TCP in some cases uses different global (raw) socket
+to send RST and ACK. The transparent flag is not set there.
+Currently, it is a problem for rerouting after the previous
+change.
+
+ Fix it by simplifying the checks in ip_route_me_harder
+and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe
+because the initial routing allowed this source address to
+be used and now we just have to make sure the packet is rerouted.
+
+ As a side effect this also allows rerouting for normal
+raw sockets that use spoofed source addresses which was not possible
+even before we eliminated the ip_route_input call.
+
+Signed-off-by: Julian Anastasov
+Signed-off-by: David S. Miller
+---
+ net/ipv4/netfilter.c | 18 ++++++++----------
+ 1 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
+index 2e97e3e..929b27b 100644
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -18,17 +18,15 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
+ struct rtable *rt;
+ struct flowi4 fl4 = {};
+ __be32 saddr = iph->saddr;
+- __u8 flags = 0;
++ __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+ unsigned int hh_len;
+
+- if (!skb->sk && addr_type != RTN_LOCAL) {
+- if (addr_type == RTN_UNSPEC)
+- addr_type = inet_addr_type(net, saddr);
+- if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
+- flags |= FLOWI_FLAG_ANYSRC;
+- else
+- saddr = 0;
+- }
++ if (addr_type == RTN_UNSPEC)
++ addr_type = inet_addr_type(net, saddr);
++ if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
++ flags |= FLOWI_FLAG_ANYSRC;
++ else
++ saddr = 0;
+
+ /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
+ * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
+@@ -38,7 +36,7 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
+ fl4.flowi4_tos = RT_TOS(iph->tos);
+ fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+ fl4.flowi4_mark = skb->mark;
+- fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags;
++ fl4.flowi4_flags = flags;
+ rt = ip_route_output_key(net, &fl4);
+ if (IS_ERR(rt))
+ return -1;
+--
+1.7.5.4
+
diff --git a/debian/patches/series/3 b/debian/patches/series/3
index a141abee3..8d4269abc 100644
--- a/debian/patches/series/3
+++ b/debian/patches/series/3
@@ -1,2 +1,3 @@
 - bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
 + bugfix/all/stable/3.0.3.patch
++ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
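Review bot: In the embedded patch's first hunk, the `else` branch that resets `saddr` to 0 now also runs for socket-owned packets, which the removed `if (!skb->sk && addr_type != RTN_LOCAL)` guard used to skip, and the same block now sets FLOWI_FLAG_ANYSRC for addr_type == RTN_LOCAL, which the old guard also excluded; the commit message argues ANYSRC is safe for sockets but does not address either of these other two behaviour changes. A short comment above the new `if (addr_type == RTN_UNSPEC)` line stating the intended rule would let a reader check it, e.g. `/* Same rule for socket and socket-less skbs: keep saddr (with ANYSRC) when it is local/unicast, otherwise reset it to 0 for the route lookup */`. The second hunk's `fl4.flowi4_flags = flags;` depends on `flags` being seeded from the socket in the first hunk, so the two hunks should be read as one change. ip_route_me_harder begins before the first hunk and continues past the second, so the handling of `rt` after the IS_ERR check is not visible here.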