netfilter: TCP and raw fix for ip_route_me_harder
This fixes a case where SNAT/masquerading is not done. David Miller has queued this for 3.0.y. svn path=/dists/sid/linux-2.6/; revision=17987
parent
cdcd919fec
commit
676cff8256
@ -7,6 +7,8 @@ linux-2.6 (3.0.0-3) UNRELEASED; urgency=low
|
||||||
- atm: br2864: sent packets truncated in VC routed mode (Closes: #638656)
|
- atm: br2864: sent packets truncated in VC routed mode (Closes: #638656)
|
||||||
For the complete list of changes, see:
|
For the complete list of changes, see:
|
||||||
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.3
|
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.3
|
||||||
|
* netfilter: TCP and raw fix for ip_route_me_harder (fixes case where
|
||||||
|
SNAT/masquerading is not done)
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 21 Aug 2011 16:18:29 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Sun, 21 Aug 2011 16:18:29 +0100
|
||||||
|
|
||||||
|
|
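--- a/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
+++ b/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
@@ -0,0 +1,67 @@
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sun, 7 Aug 2011 09:11:00 +0000
+Subject: [PATCH] netfilter: TCP and raw fix for ip_route_me_harder
+
+commit 797fd3913abf2f7036003ab8d3d019cbea41affd upstream.
+
+TCP in some cases uses different global (raw) socket
+to send RST and ACK. The transparent flag is not set there.
+Currently, it is a problem for rerouting after the previous
+change.
+
+Fix it by simplifying the checks in ip_route_me_harder
+and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe
+because the initial routing allowed this source address to
+be used and now we just have to make sure the packet is rerouted.
+
+As a side effect this also allows rerouting for normal
+raw sockets that use spoofed source addresses which was not possible
+even before we eliminated the ip_route_input call.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+net/ipv4/netfilter.c | 18 ++++++++----------
+1 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
+index 2e97e3e..929b27b 100644
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -18,17 +18,15 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
+struct rtable *rt;
+struct flowi4 fl4 = {};
+__be32 saddr = iph->saddr;
+- __u8 flags = 0;
++ __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+unsigned int hh_len;
+
+- if (!skb->sk && addr_type != RTN_LOCAL) {
+- if (addr_type == RTN_UNSPEC)
+- addr_type = inet_addr_type(net, saddr);
+- if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
+- flags |= FLOWI_FLAG_ANYSRC;
+- else
+- saddr = 0;
+- }
++ if (addr_type == RTN_UNSPEC)
++ addr_type = inet_addr_type(net, saddr);
++ if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
++ flags |= FLOWI_FLAG_ANYSRC;
++ else
++ saddr = 0;
+
+/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
+* packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
+@@ -38,7 +36,7 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
+fl4.flowi4_tos = RT_TOS(iph->tos);
+fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+fl4.flowi4_mark = skb->mark;
+- fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags;
++ fl4.flowi4_flags = flags;
+rt = ip_route_output_key(net, &fl4);
+if (IS_ERR(rt))
+return -1;
+--
+1.7.5.4
+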
@ -1,2 +1,3 @@
|
||||||
- bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
|
- bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
|
||||||
+ bugfix/all/stable/3.0.3.patch
|
+ bugfix/all/stable/3.0.3.patch
|
||||||
|
+ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
|
||||||
|
|