Re: Fw: Rusty's brain broke!

In message <20030802230816.43c4292f.davem@redhat.com> you write:
> On Sat, 26 Jul 2003 08:22:51 +1000
> Rusty Russell <rusty@rustcorp.com.au> wrote:
> 
> > > Unrelated: giving out->ifindex is a bug, by the way. It can screw up
> > > the things a lot. In this context, if you want to be sure that packet
> > > will go out expected interface you do plain lookup and drop packet
> > > if it gave you some strange route.
> > 
> > 	I did this by checking rt->rt_iif equals out->ifindex.  I
> > haven't tested, but how does this look?
> 
> Alexey thinks you really mean not rt->rt_iif, but rather
> rt->u.dst.dev->ifindex, right?

I guessed.  I should have grepped to figure out what rt_iif is.

I assume that there's no difference between testing "rt->u.dst.dev ==
out" and "rt->u.dst.dev->ifindex == out->ifindex"?

Here's the new version, if you haven't done it yourself while I was
out of the loop.

Rusty.
--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.

Name: Fix masquerade routing check
Author: Rusty Russell
Status: Experimental

D: Alexey says:
D:  Unrelated: giving out->ifindex is a bug, by the way. It can screw up
D:  the things a lot. In this context, if you want to be sure that packet
D:  will go out expected interface you do plain lookup and drop packet
D:  if it gave you some strange route.

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal .25610-linux-2.6.0-test2-bk7/net/ipv4/netfilter/ipt_MASQUERADE.c .25610-linux-2.6.0-test2-bk7.updated/net/ipv4/netfilter/ipt_MASQUERADE.c
--- .25610-linux-2.6.0-test2-bk7/net/ipv4/netfilter/ipt_MASQUERADE.c	2003-05-27 15:02:27.000000000 +1000
+++ .25610-linux-2.6.0-test2-bk7.updated/net/ipv4/netfilter/ipt_MASQUERADE.c	2003-08-10 15:14:06.000000000 +1000
@@ -91,11 +91,18 @@ masquerade_target(struct sk_buff **pskb,
 #ifdef CONFIG_IP_ROUTE_FWMARK
 						.fwmark = (*pskb)->nfmark
 #endif
-					      } },
-				    .oif = out->ifindex };
+					      } } };
 		if (ip_route_output_key(&rt, &fl) != 0) {
-			/* Shouldn't happen */
-			printk("MASQUERADE: No route: Rusty's brain broke!\n");
+			/* Funky routing can do this. */
+			if (net_ratelimit())
+				printk("MASQUERADE:"
+				       " No route: Rusty's brain broke!\n");
+			return NF_DROP;
+		}
+		if (rt->u.dst.dev != out) {
+			if (net_ratelimit())
+				printk("MASQUERADE:"
+				       " Route sent us somewhere else.\n");
 			return NF_DROP;
 		}
 	}
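Review bot: the new `if (rt->u.dst.dev != out)` branch returns NF_DROP after ip_route_output_key() has succeeded, but no ip_rt_put(rt) is visible before that `return NF_DROP;`, so the route reference taken by the lookup is never released on this path (the "No route" branch above it is fine, since the lookup failed there). If the existing code after this block is what drops the reference, the early return skips it; add `ip_rt_put(rt);` immediately before `return NF_DROP;` in the "Route sent us somewhere else" branch. Minor: both printk() calls carry no KERN_ level, and the "Rusty's brain broke!" text now describes a condition the comment says can legitimately happen, so a plainer message such as "no route to destination" would read better in logs.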
