Re: Fw: Rusty's brain broke!

From: Rusty Russell (rusty@rustcorp.com.au)
Date: Fri Jul 25 2003 - 17:22:51 EST


In message <200307251756.VAA12609@dub.inr.ac.ru> you write:
> Hello!
>
> > Hmm, what's your routing setup? And what kernel? It's possible with
> > weird setups, like source routing.
>
> Unlikely, source address is unspecified here. Most likely, it is fwmark.

Unlikely, since fwmark will match first time it was routed, unless
something very strange was happening.

> Unrelated: giving out->ifindex is a bug, by the way. It can screw up
> the things a lot. In this context, if you want to be sure that packet
> will go out expected interface you do plain lookup and drop packet
> if it gave you some strange route.

Thanks!

        I did this by checking rt->rt_iif equals out->ifindex. I
haven't tested, but how does this look?

Name: Fix masquerade routing check
Author: Rusty Russell
Status: Experimental

D: Unrelated: giving out->ifindex is a bug, by the way. It can screw up
D: the things a lot. In this context, if you want to be sure that packet
D: will go out expected interface you do plain lookup and drop packet
D: if it gave you some strange route.

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal .32756-linux-2.6.0-test1-bk2/net/ipv4/netfilter/ipt_MASQUERADE.c .32756-linux-2.6.0-test1-bk2.updated/net/ipv4/netfilter/ipt_MASQUERADE.c
--- .32756-linux-2.6.0-test1-bk2/net/ipv4/netfilter/ipt_MASQUERADE.c 2003-05-27 15:02:27.000000000 +1000
+++ .32756-linux-2.6.0-test1-bk2.updated/net/ipv4/netfilter/ipt_MASQUERADE.c 2003-07-26 05:16:46.000000000 +1000
@@ -91,11 +91,18 @@ masquerade_target(struct sk_buff **pskb,
 #ifdef CONFIG_IP_ROUTE_FWMARK
                                                 .fwmark = (*pskb)->nfmark
 #endif
- } },
- .oif = out->ifindex };
+ } } };
                 if (ip_route_output_key(&rt, &fl) != 0) {
- /* Shouldn't happen */
- printk("MASQUERADE: No route: Rusty's brain broke!\n");
+ /* Funky routing can do this. */
+ if (net_ratelimit())
+ printk("MASQUERADE:"
+ " No route: Rusty's brain broke!\n");
+ return NF_DROP;
+ }
+ if (rt->rt_iif != out->ifindex) {
+ if (net_ratelimit())
+ printk("MASQUERADE:"
+ " Route sent us somewhere else.\n");
                         return NF_DROP;
                 }
         }
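Review bot: the new `if (rt->rt_iif != out->ifindex)` branch returns NF_DROP after `ip_route_output_key()` has already succeeded, so the route reference that call handed back in `rt` is never released; add `ip_rt_put(rt);` before that `return NF_DROP;` (the no-route branch above it is fine, since no route was obtained there). Separately, now that `.oif` is gone from the flow key, comparing `rt->rt_iif`, an input-interface field, against an output ifindex relies on how the output path happens to fill `rt_iif`; checking the route's output device directly, `if (rt->u.dst.dev != out)`, states what is meant and does not depend on that. Wrapping both printks in `net_ratelimit()` is right, since a funky routing setup can trigger them for every packet.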

>
> Alexey

--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
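The check Alexey describes and the patch implements, reduced to a user-space model as an added example that is not part of this thread or of the kernel code: a tiny routing table with longest-prefix match plus a fwmark policy table is looked up without pinning the output interface, and the packet is masqueraded only if the chosen route really leaves via the interface it is being sent on. The interface indices, addresses, routes and fwmark value are constructed for illustration; none of the kernel's own lookup functions or structures are used.

```c
/* Added example (not from the thread or the kernel): a user-space model of
 * "do a plain lookup, then drop if the route leaves via an unexpected
 * device". Table, marks and interface indices are constructed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IF_LO = 1, IF_ETH0 = 2, IF_PPP0 = 3 };   /* constructed ifindexes */

struct route {
    uint32_t dst;      /* network address, host byte order */
    int      plen;     /* prefix length */
    uint32_t src;      /* preferred source address, host byte order */
    int      oif;      /* output interface index */
    uint32_t fwmark;   /* 0 = unmarked (main) table, else a policy table */
};

/* Constructed table: a LAN on eth0, 10/8 via eth0 for unmarked traffic,
 * and a policy route that sends fwmark-7 traffic to 10/8 out ppp0. */
static const struct route table[] = {
    { 0xC0A80100u /* 192.168.1.0 */, 24, 0xC0A80101u /* 192.168.1.1 */, IF_ETH0, 0 },
    { 0x0A000000u /* 10.0.0.0 */,     8, 0x0A0000FEu /* 10.0.0.254 */,  IF_PPP0, 7 },
    { 0x0A000000u /* 10.0.0.0 */,     8, 0xC0A80101u /* 192.168.1.1 */, IF_ETH0, 0 },
};

static uint32_t mask(int plen) { return plen ? 0xFFFFFFFFu << (32 - plen) : 0; }

/* Longest-prefix match inside one table (selected by fwmark value). */
static const struct route *lpm(uint32_t dst, uint32_t table_mark)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct route *r = &table[i];
        if (r->fwmark != table_mark) continue;
        if ((dst & mask(r->plen)) != (r->dst & mask(r->plen))) continue;
        if (!best || r->plen > best->plen) best = r;
    }
    return best;
}

/* Policy lookup: a marked packet consults its fwmark table first, then
 * falls back to the unmarked table. NULL means "no route". */
static const struct route *lookup(uint32_t dst, uint32_t fwmark)
{
    const struct route *r = fwmark ? lpm(dst, fwmark) : NULL;
    return r ? r : lpm(dst, 0);
}

enum masq_verdict { MASQ_OK, MASQ_NO_ROUTE, MASQ_WRONG_DEV };

/* The patch's check in miniature: look the destination up WITHOUT forcing
 * the output interface, then masquerade only if the route really leaves
 * via out_ifindex. On MASQ_OK, *src (if non-NULL) gets the source to use. */
static enum masq_verdict masq_check(uint32_t dst, uint32_t fwmark,
                                    int out_ifindex, uint32_t *src)
{
    const struct route *r = lookup(dst, fwmark);
    if (!r)
        return MASQ_NO_ROUTE;             /* "Funky routing can do this." */
    if (r->oif != out_ifindex)
        return MASQ_WRONG_DEV;            /* "Route sent us somewhere else." */
    if (src)
        *src = r->src;
    return MASQ_OK;
}

/* Dotted quad -> host byte order; only used for readable inputs. */
static uint32_t ip(const char *s)
{
    struct in_addr a;
    inet_pton(AF_INET, s, &a);
    return ntohl(a.s_addr);
}

int main(void)
{
    static const char *names[] = { "OK", "NO_ROUTE", "WRONG_DEV" };
    struct { const char *dst; uint32_t mark; int oif; } cases[] = {
        { "192.168.1.5", 0, IF_ETH0 },   /* LAN route matches eth0 */
        { "10.1.2.3",    0, IF_ETH0 },   /* unmarked: 10/8 via eth0 */
        { "10.1.2.3",    7, IF_ETH0 },   /* marked: route says ppp0, drop */
        { "8.8.8.8",     0, IF_ETH0 },   /* no route at all, drop */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t src = 0;
        enum masq_verdict v = masq_check(ip(cases[i].dst), cases[i].mark,
                                         cases[i].oif, &src);
        printf("%-12s mark=%u out=%d -> %s\n", cases[i].dst, cases[i].mark,
               cases[i].oif, names[v]);
    }
    return 0;
}
```

The third case is the situation Alexey suspects in the thread: the packet is being sent out eth0, but a fwmark rule routes it via ppp0, so a lookup that had `oif` pinned to eth0 would either fail or return a route unrelated to what the table actually says, while the unconstrained lookup plus device comparison drops it cleanly instead of masquerading to a wrong source address.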
This archive was generated by hypermail 2b29 : Thu Jul 31 2003 - 22:00:01 EST