In message <20030811224451.1f7564ac.davem@redhat.com> you write:
> On Sun, 10 Aug 2003 15:15:12 +1000
> Rusty Russell <rusty@rustcorp.com.au> wrote:
> > Here's the new version, if you haven't done it yourself while I was
> > out of the loop.
>
> Applied, thank you.
>
> If someone could backport this to 2.4.x I'd appreciate it.

Here 'tis. Since no one has actually reported this before the current report, maybe best to delay for 2.4.23 just in case I screwed up.

Rusty.

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal linux-2.4.22-rc2/net/ipv4/netfilter/ipt_MASQUERADE.c working-2.4.22-rc2-masq_brain_broke/net/ipv4/netfilter/ipt_MASQUERADE.c --- linux-2.4.22-rc2/net/ipv4/netfilter/ipt_MASQUERADE.c 2003-02-27 14:51:10.000000000 +1100 +++ working-2.4.22-rc2-masq_brain_broke/net/ipv4/netfilter/ipt_MASQUERADE.c 2003-08-23 04:21:43.000000000 +1000 @@ -87,13 +87,21 @@ masquerade_target(struct sk_buff **pskb, key.dst = (*pskb)->nh.iph->daddr; key.src = 0; /* Unknown: that's what we're trying to establish */ key.tos = RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN; - key.oif = out->ifindex; + key.oif = 0; #ifdef CONFIG_IP_ROUTE_FWMARK key.fwmark = (*pskb)->nfmark; #endif if (ip_route_output_key(&rt, &key) != 0) { - /* Shouldn't happen */ - printk("MASQUERADE: No route: Rusty's brain broke!\n"); + /* Funky routing can do this. */ + if (net_ratelimit()) + printk("MASQUERADE:" + " No route: Rusty's brain broke!\n"); + return NF_DROP; + } + if (rt->u.dst.dev != out) { + if (net_ratelimit()) + printk("MASQUERADE:" + " Route sent us somewhere else.\n"); return NF_DROP; }

--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
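Review bot: the new `if (rt->u.dst.dev != out)` branch returns NF_DROP while still holding the route reference that the successful ip_route_output_key(&rt, &key) call handed back, so every packet that takes this path leaks a routing cache entry; add `ip_rt_put(rt);` before that `return NF_DROP;` (the no-route branch just above needs no release, since the lookup failed and `rt` was never set). The substance of the change is sound from a hardening standpoint: looking up the route with key.oif = 0 and then refusing to masquerade when the kernel would actually send the packet out a different device than `out` means the rule never stamps packets with a source address that belongs to some other interface, and the net_ratelimit() guards keep the two printk()s from flooding the log if such packets arrive in volume. Worth a sentence in the changelog explaining that "funky routing" here means any policy or source routing setup where a route bound to the outgoing interface does not exist, since that is the case the 2.4.22-rc2 code treated as impossible.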