On Thursday 2008-09-25 20:47, Horton, Dave wrote:

> Actually, my code is rather simple. I've posted it at the bottom of
> this response.
>
> Here is the main piece of my code:
>
>     case IPT_PACTOLUS_STATE_FORWARD:
>
>         /* modify the source ip:port and the dest ip:port,
>          * recalc checksums
>          */
>         udph->source = ptr->new_src_port;
>         udph->dest = ptr->new_dst_port;
>         if (udph->check) {
>             u_int32_t newudplen = (*pskb)->len - iph->ihl * 4;
>
>             /* calculate checksum of the data portion */
>             (*pskb)->csum = csum_partial((char *)udph + sizeof(struct udphdr),
>                                          newudplen - sizeof(struct udphdr), 0);
>             udph->check = 0;
>             udph->check = csum_tcpudp_magic(iph->daddr,
>                                             ptr->new_dst_ip,
>                                             newudplen, IPPROTO_UDP,
>                                             csum_partial((char *)udph,
>                                                          sizeof(struct udphdr),
>                                                          (*pskb)->csum));
>         }
>
>         iph->saddr = iph->daddr;
>         iph->daddr = ptr->new_dst_ip;

You cannot change the IP address or L4 port without making conntrack
very unhappy. In the simplest case, you're "just" voiding any state
matching and flow accounting. In the worst case, iph->daddr (and other
fields) does not match skb->nfct->....->daddr (respectively) anymore and
cosmic rays could catalyze up, er, undefined behavior could arise.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
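The quoted snippet composes csum_partial() over the UDP payload and header with csum_tcpudp_magic() over the pseudo-header, using the addresses the packet will carry after the swap. The following is an added userspace C example, not code from the thread or from the netfilter tree: it mirrors that composition on a constructed IPv4/UDP packet with byte-level one's-complement arithmetic (csum_partial_u and csum_tcpudp_magic_u are hypothetical stand-ins for the kernel helpers, and forward_rewrite is a hypothetical analogue of the FORWARD branch). It shows that the header/pseudo-header checksum verifies after the rewrite, that changing an address without recomputing breaks it, and that the IPv4 header checksum also has to be refreshed, which the snippet does not do. It says nothing about the conntrack state the reply is concerned with; that cannot be exercised outside the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_UDP 17

/* Big-endian accessors for the wire buffer. */
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Fold carries so the sum fits in 16 bits (still not inverted). */
static uint32_t csum_fold32(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return sum;
}

/* One's-complement sum of a buffer on top of 'sum'; analogue of csum_partial(). */
static uint32_t csum_partial_u(const uint8_t *buf, size_t len, uint32_t sum) {
    while (len > 1) { sum += get16(buf); buf += 2; len -= 2; }
    if (len) sum += (uint32_t)buf[0] << 8;   /* odd trailing byte is zero-padded */
    return csum_fold32(sum);
}

/* Add the pseudo-header (addresses, protocol, length) and invert; analogue of
 * csum_tcpudp_magic(). Addresses are passed in host order. */
static uint16_t csum_tcpudp_magic_u(uint32_t saddr, uint32_t daddr, uint16_t len,
                                    uint8_t proto, uint32_t sum) {
    sum += (saddr >> 16) + (saddr & 0xffff);
    sum += (daddr >> 16) + (daddr & 0xffff);
    sum += proto;
    sum += len;
    return (uint16_t)(~csum_fold32(sum) & 0xffff);
}

/* IPv4 header checksum; zeroes the check field in place before summing. */
static uint16_t ip_header_csum(uint8_t *ip) {
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    put16(ip + 10, 0);
    return (uint16_t)(~csum_partial_u(ip, ihl, 0) & 0xffff);
}

/* UDP checksum of the segment in pkt, computed with the given pseudo-header
 * addresses, in the same order as the quoted code: data first, then header. */
static uint16_t udp_csum_for(const uint8_t *pkt, size_t len, uint32_t saddr, uint32_t daddr) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    const uint8_t *udp = pkt + ihl;
    uint16_t udplen = (uint16_t)(len - ihl);
    uint8_t hdr[8];
    memcpy(hdr, udp, 8);
    put16(hdr + 6, 0);                                     /* check field counts as zero */
    uint32_t sum = csum_partial_u(udp + 8, udplen - 8, 0); /* "data portion" */
    sum = csum_partial_u(hdr, 8, sum);                     /* UDP header on top */
    uint16_t c = csum_tcpudp_magic_u(saddr, daddr, udplen, PROTO_UDP, sum);
    return c == 0 ? 0xffff : c;                            /* RFC 768: zero is sent as all ones */
}

/* 1 if the stored UDP checksum verifies against the packet's current addresses. */
static int udp_csum_valid(const uint8_t *pkt, size_t len) {
    uint16_t stored = get16(pkt + (size_t)(pkt[0] & 0x0f) * 4 + 6);
    if (stored == 0) return 1;                             /* checksum disabled */
    return udp_csum_for(pkt, len, get32(pkt + 12), get32(pkt + 16)) == stored;
}

/* Hypothetical userspace analogue of the quoted FORWARD branch: rewrite ports,
 * recompute the UDP checksum for the post-swap addresses, then swap addresses. */
static void forward_rewrite(uint8_t *pkt, size_t len, uint32_t new_dst_ip,
                            uint16_t new_src_port, uint16_t new_dst_port) {
    uint8_t *udp = pkt + (size_t)(pkt[0] & 0x0f) * 4;
    uint32_t old_daddr = get32(pkt + 16);
    put16(udp + 0, new_src_port);
    put16(udp + 2, new_dst_port);
    if (get16(udp + 6))
        put16(udp + 6, udp_csum_for(pkt, len, old_daddr, new_dst_ip));
    put32(pkt + 12, old_daddr);
    put32(pkt + 16, new_dst_ip);
    put16(pkt + 10, ip_header_csum(pkt));  /* not in the quoted snippet, but required */
}

/* Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:53 carrying "hello". */
static size_t build_packet(uint8_t *pkt) {
    static const uint8_t payload[] = "hello";
    size_t plen = sizeof(payload) - 1, len = 20 + 8 + plen;
    memset(pkt, 0, len);
    pkt[0] = 0x45; put16(pkt + 2, (uint16_t)len); pkt[8] = 64; pkt[9] = PROTO_UDP;
    put32(pkt + 12, 0x0A000001); put32(pkt + 16, 0x0A000002);
    put16(pkt + 20, 40000); put16(pkt + 22, 53); put16(pkt + 24, (uint16_t)(8 + plen));
    memcpy(pkt + 28, payload, plen);
    put16(pkt + 26, udp_csum_for(pkt, len, 0x0A000001, 0x0A000002));
    put16(pkt + 10, ip_header_csum(pkt));
    return len;
}

int main(void) {
    uint8_t pkt[64];
    size_t len = build_packet(pkt);
    printf("before rewrite: udp csum valid=%d\n", udp_csum_valid(pkt, len));
    forward_rewrite(pkt, len, 0x0A000009, 5000, 6000);
    printf("after rewrite:  udp csum valid=%d\n", udp_csum_valid(pkt, len));
    return 0;
}
```

The address swap happens after the checksum is written, so the pseudo-header has to be built from the values the packet will carry next (old daddr as source, new_dst_ip as destination), exactly as the snippet passes them to csum_tcpudp_magic().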