Hi Florian,

On Fri, Apr 12, 2013 at 10:51:31PM +0200, Florian Westphal wrote:
> Alex Efros reported rpfilter module doesn't match following packets:
> IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
> (netfilter bugzilla #814).
>
> Problem is that network stack arranges for the locally generated broadcasts
> to appear on the interface they were sent out, so the IFF_LOOPBACK check
> doesn't trigger.
>
> As -m rpfilter is restricted to PREROUTING, we can check for existing
> skb_dst instead, it catches locally-generated broad/multicast case, too.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
> net/ipv6/netfilter/ip6t_rpfilter.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
> index c301300..601abf2 100644
> --- a/net/ipv4/netfilter/ipt_rpfilter.c
> +++ b/net/ipv4/netfilter/ipt_rpfilter.c
> @@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
> info = par->matchinfo;
> invert = info->flags & XT_RPFILTER_INVERT;
>
> - if (par->in->flags & IFF_LOOPBACK)
> + if (skb_dst(skb)) /* locally generated? */

I'd prefer if this is narrowed down to locally generated traffic in the
same way we do in nf_conntrack_broadcast.c.
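
Review bot: In the rpfilter_mt hunk, the new test "if (skb_dst(skb))" treats every packet that already carries a dst entry as locally generated, and that holds only because of the PREROUTING restriction given in the commit message; the in-code comment "/* locally generated? */" leaves that assumption unstated and ends in a question mark. The branch that was taken only for IFF_LOOPBACK input is now taken for any skb with a dst attached, so for a reverse-path check it is worth either narrowing the condition to the broadcast/multicast case from the report or expanding the comment to say why a dst seen in PREROUTING implies local origin. The diffstat also lists net/ipv6/netfilter/ip6t_rpfilter.c; that hunk is not visible here and should get the same scrutiny.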