Jan Engelhardt wrote:
> On Wednesday 2008-10-15 21:24, Pablo Neira Ayuso wrote:
>
>> This patch replaces NFPROTO_ARP by NF_ARP in the hooks registered
>> by arptable_filter, otherwise the arptables tool does not work.
>> Thus, we use NF_ARP to register ARP hooks to match the NF_HOOK
>> invocation in net/ipv4/arp.c and NFPROTO_ARP for internal xtables
>> handling, i.e. matches, targets and tables.
>
> This does not fly. You are essentially trying to register
> arpt_in_hook for NFPROTO_UNSPEC, since NF_ARP == 0, and
> 0 == NFPROTO_UNSPEC.

This flies like a Boeing(R) 777, buddy ;). As the NFPROTO_* thing is only
used internally by xtables, not by the hooks. The hooks use the protocol
family, and we've been using NF_ARP to 0 by now.

> Define "does not work". Do you mean arptables sees no packets?

arptables sees *no packet at all*. The ARP mangling does not work. Try:

    arptables -o eth0 -l 6 -I OUTPUT -j mangle --mangle-mac-s 00:15:58:28:5a:30

and tcpdump the ARP request.

> Perhaps the following helps?

Yes, your patch will also work, but it introduces an inconsistency in
the naming used to register hooks in the family field.

--
"Honest people are social misfits" -- Les Luthiers