Hi Dave,
Currently, to be able to send a reset in the FORWARD chain of iptables
for bridged traffic, ip forwarding must be enabled. This causes confusion
and in some situations people really don't want to enable ip forwarding.
The patch below lets the user send reset packets for bridged frames in
the FORWARD chain, with ip forwarding disabled (as long as there is a
route).
cheers,
Bart
--- linux-2.6.4/net/ipv4/netfilter/ipt_REJECT.c.old Sun Mar 21 19:34:04 2004
+++ linux-2.6.4/net/ipv4/netfilter/ipt_REJECT.c Mon Mar 22 22:54:56 2004
@@ -24,6 +24,9 @@
#include <net/route.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
+#include <linux/netfilter_bridge.h>
+#endif
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@xxxxxxxxxxxxx>");
@@ -56,7 +59,13 @@ static inline struct rtable *route_rever
struct flowi fl = {};
struct rtable *rt;
- if (hook != NF_IP_FORWARD) {
+ /* We don't require ip forwarding to be enabled to be able to
+ * send a RST reply for bridged traffic. */
+ if (hook != NF_IP_FORWARD
+#ifdef CONFIG_BRIDGE_NETFILTER
+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
+#endif
+ ) {
fl.nl_u.ip4_u.daddr = iph->saddr;
if (hook == NF_IP_LOCAL_IN)
fl.nl_u.ip4_u.saddr = iph->daddr;
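Review bot: The bridged-traffic test is spliced into the `if` condition through a preprocessor conditional, which obscures the control flow and makes the reader check operator precedence (`&` does bind tighter than `&&`, so the logic is right, but parentheses around `skb->nf_bridge->mask & BRNF_BRIDGED` would say so explicitly). A cleaner shape is a small helper beside the new include that collapses to `0` when CONFIG_BRIDGE_NETFILTER is off, so the condition reads `if (hook != NF_IP_FORWARD || skb_is_bridged(skb)) {`. The new comment would also help more if it stated the consequence rather than the motive: bridged frames now take the branch that, from the `daddr`/`saddr` setup visible here, appears to build a locally-originated route lookup, so the RST presumably bypasses whatever ingress-device reverse-path handling the non-bridged FORWARD branch does and egresses via the routing table rather than necessarily the bridge port it arrived on, e.g. `/* Bridged frames use the output-route lookup, so neither ip_forward nor a reverse path on the bridge is needed; the RST egresses wherever the routing table says. */`. The body of `route_reverse` continues past the end of this hunk, so the `else` branch this contrasts with is not visible.
```c
#ifdef CONFIG_BRIDGE_NETFILTER
#include <linux/netfilter_bridge.h>
#define skb_is_bridged(skb) \
	((skb)->nf_bridge && ((skb)->nf_bridge->mask & BRNF_BRIDGED))
#else
#define skb_is_bridged(skb) 0
#endif

/* … unchanged: route_reverse prologue and flowi declaration … */
	if (hook != NF_IP_FORWARD || skb_is_bridged(skb)) {
```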