Alexander Samad wrote:
Hi
Think there might be a problem with this patch.
Potentially a packet could traverse the pre, forward and the post
routing, at which point it can be SNAT'ed or MASQ'ed and then
re-injected into route_me_harder. This potential could allow packets to
be rerouted based on the new src/dst addresses differently to the initial
packet but this new packet doesn't traverse any of the chains with the
new information.
This is just as without the patches, SNAT in POST_ROUTING never causes
a packet to re-traverse the hooks. There is one minor difference,
packets which match a policy after NAT stop traversing the hooks at
NF_IP_PRI_NAT_SRC priority. I will fix this for the final version.
Regards
Patrick
Alex
On Thu, Mar 18, 2004 at 05:32:23PM +0100, Patrick McHardy wrote:
This patch adds policy lookups to ip_route_me_harder and makes NAT
reroute for any change that affects route/policy lookups.