On Thursday 2010-02-11 17:34, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>>
>>> Calling POST_ROUTING hook with NULL input device is not going to work.
>>>
>>> --- a/net/ipv4/netfilter/iptable_mangle.c
>>> +++ b/net/ipv4/netfilter/iptable_mangle.c
>>> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
>>> const struct net_device *out,
>>> int (*okfn)(struct sk_buff *))
>>> {
>>> - if (hook == NF_INET_LOCAL_OUT)
>>> + if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
>>> return ipt_local_hook(hook, skb, in, out, okfn);
>>>
>>> /* PREROUTING/INPUT/FORWARD: */
>>
>> postrouting did not call ipt_local_hook before, so why now?
>
>What Alexey meant is that
>
>    /* PREROUTING/INPUT/FORWARD: */
>    return ipt_do_table(skb, hook, in, out,
>                        dev_net(in)->ipv4.iptable_mangle);
>
>dev_net(in) for a NULL device won't work. Passing them to the local
>hook won't work either however since we perform rerouting there.
>I'm confused now why this didn't crash here so far ...

Before, ipt_post_routing_hook just called

    return ipt_do_table(skb, hook, in, out,
                        dev_net(out)->ipv4.iptable_mangle);

Not caring about whether in and out are NULL or not, because
ipt_do_table checks for NULL.
Now, iptable_mangle_hook still just calls ipt_do_table, so nothing
really changed, thus nothing broke. Thus the confusion this patch
introduces.
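
Review bot: the added `hook == NF_INET_POST_ROUTING` test in iptable_mangle_hook sends post-routing packets through ipt_local_hook, which the replies in this thread say performs rerouting and was not called for POST_ROUTING before, so the change does more than avoid a NULL input device. If the only problem is the `dev_net(in)` lookup on the fall-through path, consider keeping POST_ROUTING on ipt_do_table and taking the namespace from the output device there, as the earlier post-routing hook did with `dev_net(out)->ipv4.iptable_mangle`. The one-line description should also say which dereference fails and on which path, since the hunk alone does not show it.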