Hello.

There is a problem with the current version of ipt_REJECT when operating on a bridge interface. To be more exact, an RST is never sent to connections over the bridge, as the ip_route_me_harder function always fails.

The problem arises from the following code (net/ipv4/netfilter/ipt_REJECT.c, line 221):

	if (hook != NF_INET_FORWARD
#ifdef CONFIG_BRIDGE_NETFILTER
	    || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
#endif
	   )
		addr_type = RTN_LOCAL;

but, as nskb was newly allocated just a few lines back, the oldskb->nf_bridge was never copied, so nskb->nf_bridge is always NULL.

The following patch corrects the problem. Please review and apply.

Cheers, Nir.

Signed-off-by: Nir Tzachar <nir.tzachar@xxxxxxxxx>
Tested-by: Elad Kertis <elad.kertis@xxxxxxxxx>

--- linux-2.6.28.7.old/net/ipv4/netfilter/ipt_REJECT.c	2009-02-26 10:28:51.000000000 +0200
+++ linux-2.6.28.7/net/ipv4/netfilter/ipt_REJECT.c	2009-02-26 10:31:26.000000000 +0200
@@ -98,6 +98,12 @@
 				   niph->saddr, niph->daddr,
 				   csum_partial(tcph,
 						sizeof(struct tcphdr), 0));
+#ifdef CONFIG_BRIDGE_NETFILTER
+	if (oldskb->nf_bridge){
+		nf_bridge_get(oldskb->nf_bridge);
+		nskb->nf_bridge = oldskb->nf_bridge;
+	}
+#endif
 
 	addr_type = RTN_UNSPEC;
 	if (hook != NF_INET_FORWARD
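Review bot: the reference taken with nf_bridge_get() in this hunk is now owned by nskb, so every path in send_reset() that discards nskb after this point (including the case where ip_route_me_harder() still fails) has to release it through kfree_skb(), which is what drops the nf_bridge reference; a bare return that leaks nskb would now also leak the nf_bridge_info, so please confirm the function's error path against this. Two smaller points: the copy is placed in the middle of the checksum code rather than next to the nskb allocation that the description says is "a few lines back", and moving it there (or directly above the `if (hook != NF_INET_FORWARD` test that consumes it) keeps the bridge handling together with the code that depends on it; and `if (oldskb->nf_bridge){` needs a space before the brace to match the surrounding kernel style. Lastly, the diff is taken against a 2.6.28.7 tarball; for netfilter-devel it should be rebased on the current tree before it can be applied.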