Re: [PATCH] netfilter: fix mangle tables back

Jan Engelhardt wrote:
> On Thursday 2010-02-11 17:34, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>>>
>>>> Calling POST_ROUTING hook with NULL input device is not going to work.
>>>>
>>>> --- a/net/ipv4/netfilter/iptable_mangle.c
>>>> +++ b/net/ipv4/netfilter/iptable_mangle.c
>>>> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
>>>> 		     const struct net_device *out,
>>>> 		     int (*okfn)(struct sk_buff *))
>>>> {
>>>> -	if (hook == NF_INET_LOCAL_OUT)
>>>> +	if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
>>>> 		return ipt_local_hook(hook, skb, in, out, okfn);
>>>>
>>>> 	/* PREROUTING/INPUT/FORWARD: */
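Review bot: folding NF_INET_POST_ROUTING into the `ipt_local_hook` branch at line 85 does not address the NULL input device and sends the packet down the wrong path, since `ipt_local_hook` is the LOCAL_OUT handler and reroutes the packet after running the table, which a packet already at POST_ROUTING should not go through. The actual fault is the fall-through lookup `dev_net(in)->ipv4.iptable_mangle` in the `/* PREROUTING/INPUT/FORWARD: */` path, which dereferences `in` while it is NULL at POST_ROUTING. Suggest keeping the previous `ipt_post_routing_hook` behaviour of selecting the namespace from the output device, `dev_net(out)->ipv4.iptable_mangle`, for POST_ROUTING, and leaving `in` for the PREROUTING/INPUT/FORWARD cases only.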
>>> postrouting did not call ipt_local_hook before, so why now?
>> What Alexey meant is that
>>
>> 	/* PREROUTING/INPUT/FORWARD: */
>> 	return ipt_do_table(skb, hook, in, out,
>> 			    dev_net(in)->ipv4.iptable_mangle);
>>
>> dev_net(in) for a NULL device won't work. Passing them to the local
>> hook won't work either however since we perform rerouting there.
>> I'm confused now why this didn't crash here so far ...
> 
> Before, ipt_post_routing_hook just called
> 
> 	return ipt_do_table(skb, hook, in, out,
> 		dev_net(out)->ipv4.iptable_mangle);
> 
> Not caring about whether in and out are NULL or not,
> because ipt_do_table checks for NULL.

It's using the device to get to the table:

dev_net(in)->ipv4.iptable_mangle

The only reason why it doesn't crash for me is that the
machine I'm testing this on doesn't use network namespaces.

Please fix this up.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
