This patch is a resend, it was originally sent to Linus by Rusty, but
has not appeared in the kernel yet.
Description:
Fixes socket ownership oops and routing logic for mangled locally
generated outgoing packets.
- James
--
James Morris
<jmorris@xxxxxxxxxxxxxxxx>
diff -ur linux-2.4.4/net/ipv4/netfilter/ip_queue.c
linux-2.4.4-a/net/ipv4/netfilter/ip_queue.c
--- linux-2.4.4/net/ipv4/netfilter/ip_queue.c Tue Dec 12 07:37:04 2000
+++ linux-2.4.4-a/net/ipv4/netfilter/ip_queue.c Mon Apr 30 19:33:58 2001
@@ -24,19 +24,28 @@
#include <linux/sysctl.h>
#include <linux/proc_fs.h>
#include <net/sock.h>
+#include <net/route.h>
#include <linux/netfilter_ipv4/ip_queue.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
#define IPQ_QMAX_DEFAULT 1024
#define IPQ_PROC_FS_NAME "ip_queue"
#define NET_IPQ_QMAX 2088
#define NET_IPQ_QMAX_NAME "ip_queue_maxlen"
+typedef struct ipq_rt_info {
+ __u8 tos;
+ __u32 daddr;
+ __u32 saddr;
+} ipq_rt_info_t;
+
typedef struct ipq_queue_element {
struct list_head list; /* Links element into queue */
int verdict; /* Current verdict */
struct nf_info *info; /* Extra info from netfilter */
struct sk_buff *skb; /* Packet inside */
+ ipq_rt_info_t rt_info; /* May need post-mangle routing */
} ipq_queue_element_t;
typedef int (*ipq_send_cb_t)(ipq_queue_element_t *e);
@@ -64,7 +73,6 @@
* Packet queue
*
****************************************************************************/
-
/* Dequeue a packet if matched by cmp, or the next available if cmp is NULL */
static ipq_queue_element_t *
ipq_dequeue(ipq_queue_t *q,
@@ -150,9 +158,19 @@
printk(KERN_ERR "ip_queue: OOM in enqueue\n");
return -ENOMEM;
}
+
e->verdict = NF_DROP;
e->info = info;
e->skb = skb;
+
+ if (e->info->hook == NF_IP_LOCAL_OUT) {
+ struct iphdr *iph = skb->nh.iph;
+
+ e->rt_info.tos = iph->tos;
+ e->rt_info.daddr = iph->daddr;
+ e->rt_info.saddr = iph->saddr;
+ }
+
spin_lock_bh(&q->lock);
if (q->len >= *q->maxlen) {
spin_unlock_bh(&q->lock);
@@ -198,6 +216,32 @@
kfree(q);
}
+/* With a chainsaw... */
+static int route_me_harder(struct sk_buff *skb)
+{
+ struct iphdr *iph = skb->nh.iph;
+ struct rtable *rt;
+
+ struct rt_key key = {
+ dst:iph->daddr, src:iph->saddr,
+ oif:skb->sk ? skb->sk->bound_dev_if : 0,
+ tos:RT_TOS(iph->tos)|RTO_CONN,
+#ifdef CONFIG_IP_ROUTE_FWMARK
+ fwmark:skb->nfmark
+#endif
+ };
+
+ if (ip_route_output_key(&rt, &key) != 0) {
+ printk("route_me_harder: No more route.\n");
+ return -EINVAL;
+ }
+
+ /* Drop old route. */
+ dst_release(skb->dst);
+ skb->dst = &rt->u.dst;
+ return 0;
+}
+
static int ipq_mangle_ipv4(ipq_verdict_msg_t *v, ipq_queue_element_t *e)
{
int diff;
@@ -223,6 +267,8 @@
"in mangle, dropping packet\n");
return -ENOMEM;
}
+ if (e->skb->sk)
+ skb_set_owner_w(newskb, e->skb->sk);
kfree_skb(e->skb);
e->skb = newskb;
}
@@ -230,6 +276,19 @@
}
memcpy(e->skb->data, v->payload, v->data_len);
e->skb->nfcache |= NFC_ALTERED;
+
+ /*
+ * Extra routing may needed on local out, as the QUEUE target never
+ * returns control to the table.
+ */
+ if (e->info->hook == NF_IP_LOCAL_OUT) {
+ struct iphdr *iph = e->skb->nh.iph;
+
+ if (!(iph->tos == e->rt_info.tos
+ && iph->daddr == e->rt_info.daddr
+ && iph->saddr == e->rt_info.saddr))
+ return route_me_harder(e->skb);
+ }
return 0;
}
diff -ur linux-2.4.4/net/ipv4/netfilter/iptable_mangle.c
linux-2.4.4-a/net/ipv4/netfilter/iptable_mangle.c
--- linux-2.4.4/net/ipv4/netfilter/iptable_mangle.c Tue Jan 30 03:07:30 2001
+++ linux-2.4.4-a/net/ipv4/netfilter/iptable_mangle.c Mon Apr 30 19:29:48 2001
@@ -148,7 +148,7 @@
ret = ipt_do_table(pskb, hook, in, out, &packet_mangler, NULL);
/* Reroute for ANY change. */
- if (ret != NF_DROP && ret != NF_STOLEN
+ if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE
&& ((*pskb)->nh.iph->saddr != saddr
|| (*pskb)->nh.iph->daddr != daddr
|| (*pskb)->nfmark != nfmark
|