In message <200307251756.VAA12609@dub.inr.ac.ru> you write:
> Hello!
>
> > Hmm, what's your routing setup? And what kernel? It's possible with
> > weird setups, like source routing.
>
> Unlikely, source address is unspecified here. Most likely, it is fwmark.

Unlikely, since fwmark will match first time it was routed, unless
something very strange was happening.

> Unrelated: giving out->ifindex is a bug, by the way. It can screw up
> the things a lot. In this context, if you want to be sure that packet
> will go out expected interface you do plain lookup and drop packet
> if it gave you some strange route.

Thanks! I did this by checking rt->rt_iif equals out->ifindex.
I haven't tested, but how does this look?

Name: Fix masquerade routing check
Author: Rusty Russell
Status: Experimental

D: Unrelated: giving out->ifindex is a bug, by the way. It can screw up
D: the things a lot. In this context, if you want to be sure that packet
D: will go out expected interface you do plain lookup and drop packet
D: if it gave you some strange route.

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal .32756-linux-2.6.0-test1-bk2/net/ipv4/netfilter/ipt_MASQUERADE.c .32756-linux-2.6.0-test1-bk2.updated/net/ipv4/netfilter/ipt_MASQUERADE.c
--- .32756-linux-2.6.0-test1-bk2/net/ipv4/netfilter/ipt_MASQUERADE.c 2003-05-27 15:02:27.000000000 +1000
+++ .32756-linux-2.6.0-test1-bk2.updated/net/ipv4/netfilter/ipt_MASQUERADE.c 2003-07-26 05:16:46.000000000 +1000
@@ -91,11 +91,18 @@ masquerade_target(struct sk_buff **pskb, #ifdef CONFIG_IP_ROUTE_FWMARK .fwmark = (*pskb)->nfmark #endif - } }, - .oif = out->ifindex }; + } } }; if (ip_route_output_key(&rt, &fl) != 0) { - /* Shouldn't happen */ - printk("MASQUERADE: No route: Rusty's brain broke!\n"); + /* Funky routing can do this. */ + if (net_ratelimit()) + printk("MASQUERADE:" + " No route: Rusty's brain broke!\n"); + return NF_DROP; + } + if (rt->rt_iif != out->ifindex) { + if (net_ratelimit()) + printk("MASQUERADE:" + " Route sent us somewhere else.\n"); return NF_DROP; } }
>
> Alexey
--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
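Review bot: the new `if (rt->rt_iif != out->ifindex)` branch returns NF_DROP while still holding the reference that ip_route_output_key() just handed back, so every mismatched packet leaks a route-cache entry; add `ip_rt_put(rt);` before that `return NF_DROP;` (the no-route branch above it is fine, since no rt was obtained there). Two smaller points on the same hunk: the no-route path now carries the comment "Funky routing can do this." but still prints "Rusty's brain broke!", so the message should say what the comment says now that this path is expected; and comparing against `rt->u.dst.dev->ifindex` states the intent (the device the route will actually use) more directly than relying on rt_iif being set to the output index for an output route.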
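Added example, not part of the mail above and not kernel code: a userspace model of the point Alexey makes and the patch implements. It assumes a constructed two-entry routing table, hypothetical ifindex numbers (2 for the masqueraded uplink, 3 for a VPN link), and models setting `.oif` in the flow key as "only consider routes on that interface", which is what the old `.oif = out->ifindex` did. The forced lookup happily masquerades a 10/8 destination that policy routing pushed out the uplink with the uplink's address; the plain lookup plus interface check drops it because the route the stack would really pick leaves on a different device.

```c
#include <stdio.h>
#include <stdint.h>

/* Dotted-quad to host-order uint32_t, usable in static initialisers. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct route {
    uint32_t dst;      /* destination network (host byte order) */
    int      plen;     /* prefix length, 0 = default route */
    uint32_t prefsrc;  /* address a masqueraded packet would get */
    int      oif;      /* ifindex of the device the route leaves on */
};

/* Constructed routing table (hypothetical ifindex numbers):
 *   10.0.0.0/8 via ifindex 3 ("vpn"),                    source 10.0.0.1
 *   default    via ifindex 2 ("ppp0", masqueraded uplink), source 192.0.2.1 */
static const struct route table[] = {
    { IP4(10, 0, 0, 0),  8, IP4(10, 0, 0, 1),  3 },
    { IP4(0, 0, 0, 0),   0, IP4(192, 0, 2, 1), 2 },
};
#define NROUTES ((int)(sizeof table / sizeof table[0]))

static int prefix_matches(const struct route *r, uint32_t dst)
{
    if (r->plen == 0)
        return 1;                       /* default route matches everything */
    uint32_t mask = ~(uint32_t)0 << (32 - r->plen);
    return (dst & mask) == (r->dst & mask);
}

/* Longest-prefix match.  oif == 0 means "plain lookup"; a non-zero oif
 * restricts the search to routes on that interface, which is how this
 * model represents a flow key with .oif set. */
static const struct route *route_lookup(uint32_t dst, int oif)
{
    const struct route *best = NULL;
    for (int i = 0; i < NROUTES; i++) {
        const struct route *r = &table[i];
        if (oif && r->oif != oif)
            continue;
        if (prefix_matches(r, dst) && (!best || r->plen > best->plen))
            best = r;
    }
    return best;
}

/* Old behaviour: force the lookup onto the interface the packet is already
 * leaving on and use whatever source address that route yields.
 * Returns the new source address, or 0 for "drop". */
uint32_t masq_src_forced(uint32_t dst, int out_ifindex)
{
    const struct route *r = route_lookup(dst, out_ifindex);
    return r ? r->prefsrc : 0;
}

/* Patched behaviour: plain lookup, then refuse to masquerade if the route
 * the stack would actually choose does not leave on out_ifindex. */
uint32_t masq_src_verified(uint32_t dst, int out_ifindex)
{
    const struct route *r = route_lookup(dst, 0);
    if (!r)
        return 0;                       /* "No route" */
    if (r->oif != out_ifindex)
        return 0;                       /* "Route sent us somewhere else" */
    return r->prefsrc;
}

static void show(const char *what, uint32_t a)
{
    if (a)
        printf("%-30s %u.%u.%u.%u\n", what,
               a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    else
        printf("%-30s DROP\n", what);
}

int main(void)
{
    /* A packet for 10.1.2.3 that policy routing (fwmark) pushed out ifindex 2. */
    uint32_t vpn_dst = IP4(10, 1, 2, 3);
    show("forced, 10.1.2.3 out if 2:", masq_src_forced(vpn_dst, 2));
    show("verified, 10.1.2.3 out if 2:", masq_src_verified(vpn_dst, 2));
    show("verified, 10.1.2.3 out if 3:", masq_src_verified(vpn_dst, 3));
    /* An ordinary Internet destination leaving on the uplink: both agree. */
    uint32_t inet_dst = IP4(198, 51, 100, 7);
    show("forced, 198.51.100.7 out if 2:", masq_src_forced(inet_dst, 2));
    show("verified, 198.51.100.7 out if 2:", masq_src_verified(inet_dst, 2));
    return 0;
}
```

The forced variant never fails for the mismatched packet: restricting the lookup to ifindex 2 simply finds the default route and rewrites the source to the uplink address, so traffic meant for the 10/8 link leaves the box NATed onto the public interface. The verified variant answers the question the target actually needs answered, "would the stack send this packet out `out` at all?", and drops when it would not.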