
Re: iptable_nat seriously b0rken

To: baggins@xxxxxxxxxxxxxxxxx
Subject: Re: iptable_nat seriously b0rken
From: Rusty Russell <rusty@xxxxxxxxxxxxxxxx>
Date: Thu, 06 Jul 2000 14:09:44 +1000
Cc: Multiple recipients of list NETFILTER <netfilter@xxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to: Your message of "Wed, 05 Jul 2000 09:12:18 +1000." <20000705011142.A2931@xxxxxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
In message <20000705011142.A2931@xxxxxxxxxxxxxxxxx> you write:
> Please CC answers to me as I'm not subscribed to the lists.
> 
> The problem is simple, iptable_nat kills sit tunnels, see this:

Dave, please merge.  Having tunnels pass the entunnelled packets
through the LOCAL_OUT hook is nicer anyway (from a filtering and
least-surprise perspective), and allows my connection tracking code to
do its magic...

Since ip_gre and ipip are basically identical, fixed them too.

Rusty.

diff -urN -X /tmp/filenPQH5d --minimal linux-2.4.0-test3-2/net/ipv4/ip_gre.c 
working-2.4.0-test3-2/net/ipv4/ip_gre.c
--- linux-2.4.0-test3-2/net/ipv4/ip_gre.c       Thu May 25 12:41:52 2000
+++ working-2.4.0-test3-2/net/ipv4/ip_gre.c     Thu Jul  6 14:03:16 2000
@@ -27,6 +27,7 @@
 #include <linux/in6.h>
 #include <linux/inetdevice.h>
 #include <linux/igmp.h>
+#include <linux/netfilter_ipv4.h>
 
 #include <net/sock.h>
 #include <net/ip.h>
@@ -616,6 +617,12 @@
        return(0);
 }
 
+/* Need this wrapper because NF_HOOK takes the function address */
+static inline int do_ip_send(struct sk_buff *skb)
+{
+       return ip_send(skb);
+}
+
 static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ip_tunnel *tunnel = (struct ip_tunnel*)dev->priv;
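Review bot: `do_ip_send` is declared `static inline`, yet the comment above it says its only purpose is to be passed by address to NF_HOOK, so the compiler must emit an out-of-line body anyway and `inline` adds nothing; `static int do_ip_send(struct sk_buff *skb)` states what actually happens. The same five lines are repeated byte-for-byte in the ipip.c and sit.c hunks below; a single definition next to ip_send, or in a header all three tunnel files already include, would keep the copies from drifting apart. The comment could also say why a wrapper is needed at all — presumably ip_send itself cannot be used as the okfn — since that is what a later reader will ask: `/* NF_HOOK needs an addressable okfn; ip_send cannot be passed directly. */`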
@@ -829,7 +836,8 @@
 
        stats->tx_bytes += skb->len;
        stats->tx_packets++;
-       ip_send(skb);
+       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+               do_ip_send);
        tunnel->recursion--;
        return 0;
 
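Review bot: The verdict returned by NF_HOOK is discarded, so a packet dropped by the LOCAL_OUT hook is indistinguishable from one that was sent: `stats->tx_packets` and `stats->tx_bytes` two lines above have already been incremented and the function still returns 0. If counting before the hook is the intended semantics, a comment such as `/* tx stats count packets handed to netfilter, not packets that actually left */` would save the next reader a trip; otherwise the two counter updates could move into do_ip_send so they run only when the hook accepts. The same applies to the matching hunks in ipip.c and sit.c. The enclosing transmit function (presumably ipgre_tunnel_xmit) and the definition of `rt`, now used as the output device, begin outside the hunk.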
diff -urN -X /tmp/filenPQH5d --minimal linux-2.4.0-test3-2/net/ipv4/ipip.c 
working-2.4.0-test3-2/net/ipv4/ipip.c
--- linux-2.4.0-test3-2/net/ipv4/ipip.c Thu May 25 12:41:52 2000
+++ working-2.4.0-test3-2/net/ipv4/ipip.c       Thu Jul  6 14:01:41 2000
@@ -107,6 +107,7 @@
 #include <linux/if_arp.h>
 #include <linux/mroute.h>
 #include <linux/init.h>
+#include <linux/netfilter_ipv4.h>
 
 #include <net/sock.h>
 #include <net/ip.h>
@@ -499,6 +500,12 @@
        return 0;
 }
 
+/* Need this wrapper because NF_HOOK takes the function address */
+static inline int do_ip_send(struct sk_buff *skb)
+{
+       return ip_send(skb);
+}
+
 /*
  *     This function assumes it is being called from dev_queue_xmit()
  *     and that skb is filled properly by that function.
@@ -631,7 +638,8 @@
 
        stats->tx_bytes += skb->len;
        stats->tx_packets++;
-       ip_send(skb);
+       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+               do_ip_send);
        tunnel->recursion--;
        return 0;
 
diff -urN -X /tmp/filenPQH5d --minimal linux-2.4.0-test3-2/net/ipv6/sit.c 
working-2.4.0-test3-2/net/ipv6/sit.c
--- linux-2.4.0-test3-2/net/ipv6/sit.c  Fri May 12 13:22:39 2000
+++ working-2.4.0-test3-2/net/ipv6/sit.c        Thu Jul  6 14:03:23 2000
@@ -29,6 +29,7 @@
 #include <linux/icmp.h>
 #include <asm/uaccess.h>
 #include <linux/init.h>
+#include <linux/netfilter_ipv4.h>
 
 #include <net/sock.h>
 #include <net/snmp.h>
@@ -404,6 +405,12 @@
        return 0;
 }
 
+/* Need this wrapper because NF_HOOK takes the function address */
+static inline int do_ip_send(struct sk_buff *skb)
+{
+       return ip_send(skb);
+}
+
 /*
  *     This function assumes it is being called from dev_queue_xmit()
  *     and that skb is filled properly by that function.
@@ -559,7 +566,8 @@
 
        stats->tx_bytes += skb->len;
        stats->tx_packets++;
-       ip_send(skb);
+       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+               do_ip_send);
 
        tunnel->recursion--;
        return 0;
--
Hacking time.
