On Wed, Mar 24, 2004 at 03:39:50AM +0100, Patrick McHardy wrote:
> Alexander Samad wrote:
> >Hi
> >
> >Think their might be a problem with this patch.
> >
> >Potientially a packet could traverse the pre, forward and the post
> >routing, at which point it can be SNAT'ed or MASQ'ed and then re
> >injected into route_me_harder. This potiential could allow packets to
> >be rerouted based on the new src/dst addresses differently to the intail
> >packet but this new packet doesn't traverse any of the chains with the
> >new information.
>
> This is just as without the patches, SNAT in POST_ROUTING never causes
> a packet to re-traverse the hooks. There is one minor difference,
> packets which match a policy after NAT stop traversing the hooks at
> NF_IP_PRI_NAT_SRC priority. I will fix this this for the final version.
Sorry might not have made myself clear, after an SNAT with your patch
the packet is re injected into route_me_harder, thus the packet is able
to be rerouted (sent out another interface for example)
What this would mean is a packet could meet your iptable rules with is
PRE-SNAT details and then actually behave differently once it has been
SNAT'ed (and not get checked)
Alex
>
> Regards
> Patrick
>
> >
> >Alex
> >
> >On Thu, Mar 18, 2004 at 05:32:23PM +0100, Patrick McHardy wrote:
> >
> >>This patch adds policy lookups to ip_route_me_harder and makes NAT
> >>reroute for any change that affects route/policy lookups.
> >>
> >
> >
> >
>
>
signature.asc
Description: Digital signature
|