netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: can't initialize iptables table `filter'

from [Rusty Russell] [Permanent Link][Original]
To: david@xxxxxxxxxxxxxx
Subject: Re: can't initialize iptables table `filter'
From: Rusty Russell <rusty@xxxxxxxxxxxxxxxx>
Date: Thu, 08 Jun 2000 17:20:08 +1000
Cc: netdev@xxxxxxxxxxx
In-reply-to: Your message of "Thu, 08 Jun 2000 12:14:57 +1000." <393F00FE.A3A5859F@kalifornia.com>
Sender: owner-netdev@xxxxxxxxxxx 
In message <393F00FE.A3A5859F@xxxxxxxxxxxxxx> you write:
> Hmm, odd.  Well, I'm stuck on ac8 with iptables and mine and rusty's
> patches, ac10 breaks GRE tunneling again.

Didn't submit GRE patch: not my area, so I want to pass it through
the gurus in netdev.

This patch changes GRE to send packets through the NF_IP_LOCAL_OUT
hook.  This is the most sane semantics for tunnels (someone want to
change the others, like ipip?)

diff -urN -X /tmp/filej9FJZx --minimal 
linux-2.4.0-test1-official/net/ipv4/ip_gre.c 
working-2.4.0-test1/net/ipv4/ip_gre.c
--- linux-2.4.0-test1-official/net/ipv4/ip_gre.c        Tue May 23 02:50:55 2000
+++ working-2.4.0-test1/net/ipv4/ip_gre.c       Mon Jun  5 18:24:29 2000
@@ -27,6 +27,7 @@
 #include <linux/in6.h>
 #include <linux/inetdevice.h>
 #include <linux/igmp.h>
+#include <linux/netfilter_ipv4.h>
 
 #include <net/sock.h>
 #include <net/ip.h>
@@ -529,6 +530,46 @@
 #endif
 }
 
+#ifdef CONFIG_NETFILTER
+/* To preserve the cute illusion that a locally-generated packet can
+   be mangled before routing, we actually reroute if a hook altered
+   the packet. -RR */
+static int route_me_harder(struct sk_buff *skb)
+{
+       struct iphdr *iph = skb->nh.iph;
+       struct rtable *rt;
+
+       if (ip_route_output(&rt, iph->daddr, iph->saddr,
+                           RT_TOS(iph->tos) | RTO_CONN,
+                           skb->sk ? skb->sk->bound_dev_if : 0)) {
+               printk("route_me_harder: No more route.\n");
+               return -EINVAL;
+       }
+
+       /* Drop old route. */
+       dst_release(skb->dst);
+
+       skb->dst = &rt->u.dst;
+       return 0;
+}
+#endif
+
+/* Do route recalc if netfilter changes skb. */
+static inline int
+send_maybe_reroute(struct sk_buff *skb)
+{
+#ifdef CONFIG_NETFILTER
+       if (skb->nfcache & NFC_ALTERED) {
+               if (route_me_harder(skb) != 0) {
+                       kfree_skb(skb);
+                       return -EINVAL;
+               }
+       }
+#endif
+       ip_send(skb);
+       return 0;
+}
+
 int ipgre_rcv(struct sk_buff *skb, unsigned short len)
 {
        struct iphdr *iph = skb->nh.iph;
@@ -829,7 +870,8 @@
 
        stats->tx_bytes += skb->len;
        stats->tx_packets++;
-       ip_send(skb);
+       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+               send_maybe_reroute);
        tunnel->recursion--;
        return 0;
 

Rusty.
--
Hacking time.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: can't initialize iptables table `filter', Rusty Russell <=
Previous by Date:  RE: Email address test, Riley Williams
Next by Date:  Re: IFA_F_NO_NDISC (for vrrp), Andrey Savochkin
Previous by Thread:  ipchains fw, portforwarding and masquerading, blind-fire.net
Next by Thread:  ipv6 implementation docs, Eric S. Johnson
Indexes:  [Date] [Thread] [Top] [All Lists]