Good Morning.
I am resending this patch, as I got no feedback the previous time.
Cheers.
On Thu, Feb 26, 2009 at 10:48 AM, Nir Tzachar <nir.tzachar@xxxxxxxxx> wrote:
> Hello.
>
> There is a problem with the current version of ipt_REJECT when
> operating on a bridge interface.
> To be more exact, an RST is never sent to connections over the bridge,
> as the ip_route_me_harder function always fail.
>
> The problem arises from the following code
> (net/ipv4/netfilter/ipt_REJECT.c line 221:)
>
> if (hook != NF_INET_FORWARD
> #ifdef CONFIG_BRIDGE_NETFILTER
> || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
> #endif
> )
> addr_type = RTN_LOCAL;
>
> but, as nskb was newly allocated just a few line back, the
> oldskb->nf_bridge was never copied, so nskb->nf_bridge is always NULL.
> The following patch corrects the problem. Please review and apply.
>
> Cheers, Nir.
>
>
> Signed-off-by: Nir Tzachar <nir.tzachar@xxxxxxxxx>
> Tested-by: Elad Kertis <elad.kertis@xxxxxxxxx>
>
> --- linux-2.6.28.7.old/net/ipv4/netfilter/ipt_REJECT.c 2009-02-26
> 10:28:51.000000000 +0200
> +++ linux-2.6.28.7/net/ipv4/netfilter/ipt_REJECT.c 2009-02-26
> 10:31:26.000000000 +0200
> @@ -98,6 +98,12 @@
> niph->saddr, niph->daddr,
> csum_partial(tcph,
> sizeof(struct tcphdr), 0));
> +#ifdef CONFIG_BRIDGE_NETFILTER
> + if (oldskb->nf_bridge){
> + nf_bridge_get(oldskb->nf_bridge);
> + nskb->nf_bridge = oldskb->nf_bridge;
> + }
> +#endif
>
> addr_type = RTN_UNSPEC;
> if (hook != NF_INET_FORWARD
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
