[Top] [All Lists]

[PATCH] don't require ip_forwarding for reset on a bridge

To: "David S.Miller" <davem@xxxxxxxxxx>
Subject: [PATCH] don't require ip_forwarding for reset on a bridge
From: Bart De Schuymer <bdschuym@xxxxxxxxxx>
Date: Mon, 29 Mar 2004 23:14:12 +0200
Cc: netdev <netdev@xxxxxxxxxxx>, netfilter-devel <netfilter-devel@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: KMail/1.5
Hi Dave,

Currently, to be able to send a reset in the FORWARD chain of iptables
for bridged traffic, ip forwarding must be enabled. This causes confusion
and in some situations people really don't want to enable ip forwarding.
The patch below lets the user send reset packets for bridged frames in
the FORWARD chain, with ip forwarding disabled (as long as there is a


--- linux-2.6.4/net/ipv4/netfilter/ipt_REJECT.c.old     Sun Mar 21 19:34:04 2004
+++ linux-2.6.4/net/ipv4/netfilter/ipt_REJECT.c Mon Mar 22 22:54:56 2004
@@ -24,6 +24,9 @@
 #include <net/route.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <linux/netfilter_bridge.h>
 MODULE_AUTHOR("Netfilter Core Team <coreteam@xxxxxxxxxxxxx>");
@@ -56,7 +59,13 @@ static inline struct rtable *route_rever
        struct flowi fl = {};
        struct rtable *rt;
-       if (hook != NF_IP_FORWARD) {
+       /* We don't require ip forwarding to be enabled to be able to
+        * send a RST reply for bridged traffic. */
+       if (hook != NF_IP_FORWARD
+           || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
+          ) {
                fl.nl_u.ip4_u.daddr = iph->saddr;
                if (hook == NF_IP_LOCAL_IN)
                        fl.nl_u.ip4_u.saddr = iph->daddr;

<Prev in Thread] Current Thread [Next in Thread>