Re: [RFC, PATCH 4/5]: netfilter+ipsec

netdev

Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

To:	Alexander Samad <alex@xxxxxxxxxxxx>
Subject:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup
From:	Patrick McHardy <kaber@xxxxxxxxx>
Date:	Wed, 24 Mar 2004 03:39:50 +0100
Cc:	"David S. Miller" <davem@xxxxxxxxxx>, herbert@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<20040324021514.GM3387@xxxxxxxxxxxx>
References:	<20040308110331.GA20719@xxxxxxxxxxxxxxxxxxx> <404C874D.4000907@xxxxxxxxx> <20040308115858.75cdddca.davem@xxxxxxxxxx> <4059CF17.8090907@xxxxxxxxx> <20040324021514.GM3387@xxxxxxxxxxxx>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040122 Debian/1.6-1

Alexander Samad wrote:

Hi

Think their might be a problem with this patch.

Potientially a packet could traverse the pre, forward and the post
routing, at which point it can be SNAT'ed or MASQ'ed and then re
injected into route_me_harder.  This potiential could allow packets to
be rerouted based on the new src/dst addresses differently to the intail
packet but this new packet doesn't traverse any of the chains with the
new information.


This is just as without the patches, SNAT in POST_ROUTING never causes
a packet to re-traverse the hooks. There is one minor difference,
packets which match a policy after NAT stop traversing the hooks at
NF_IP_PRI_NAT_SRC priority. I will fix this this for the final version.

Regards
Patrick


Alex

On Thu, Mar 18, 2004 at 05:32:23PM +0100, Patrick McHardy wrote:

This patch adds policy lookups to ip_route_me_harder and makes NAT
reroute for any change that affects route/policy lookups.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, (continued) Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Herbert Xu Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Patrick McHardy <= Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad [RFC, PATCH 5/5]: netfilter+ipsec - policy checks, Patrick McHardy Re: [RFC, PATCH 5/5]: netfilter+ipsec - policy checks, David S. Miller Re: [RFC, PATCH 5/5]: netfilter+ipsec - policy checks, Patrick McHardy

Previous by Date:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad
Next by Date:	Re: [PATCH] [RFT] 2.6.4 - epic100 napi, OGAWA Hirofumi
Previous by Thread:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad
Next by Thread:	Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup, Alexander Samad
Indexes:	[Date] [Thread] [Top] [All Lists]