On Fri, Jul 25, 2003 at 09:56:57PM +0400, kuznet@ms2.inr.ac.ru wrote:
> Hello!

Hi Alexey, I have to follow up on this old thread.

> > Hmm, what's your routing setup? And what kernel? It's possible with
> > weird setups, like source routing.
>
> Unlikely, source address is unspecified here. Most likely, it is fwmark.
>
> Unrelated: giving out->ifindex is a bug, by the way. It can screw up
> the things a lot. In this context, if you want to be sure that packet
> will go out expected interface you do plain lookup and drop packet
> if it gave you some strange route.

Your proposed change (key.oif = 0 instead of out->ifindex) went into
2.4.23, and we've received a number of bug reports like

https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144
http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html
http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0408.html

This means that ip_route_output_key() returns a route with a different
outgoing interface than the skb->dst->dev of our to-be-masqueraded
packet.

Why was it wrong to specify skb->dst->dev->ifindex of the previous
'real' routing decision as key to our current routing decision?

As an example case where I would suspect problems: The packet could be
coming from a local socket, and the socket be bound to a specific
interface (sk->bound_dev_if).

Please comment, thanks.

> Alexey

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
 architectural error that shows how much experimentation was going
 on while IP was being designed."                    -- Paul Vixie