Hi Florian,

On Thu, Apr 18, 2013 at 10:45:24AM +0200, Florian Westphal wrote:
> Alex Efros reported rpfilter module doesn't match following packets:
> IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
> (netfilter bugzilla #814).
>
> Problem is that network stack arranges for the locally generated broadcasts
> to appear on the interface they were sent out, so the IFF_LOOPBACK check
> doesn't trigger.
>
> As -m rpfilter is restricted to PREROUTING, we can check for existing
> rtable instead, it catches locally-generated broad/multicast case, too.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> Pablo,
>
> I did have a look at nf_conntrack_broadcast, but
> 1. I cannot check skb->sk (TPROXY can set that for incoming packets)
> 2. I don't want to test conntrack info to avoid dependency on conntrack
>
> So, this is pretty much the very same patch as V1, except that this
> also checks for _LOCAL flag instead of just checking for presence of
> skb_dst().
>
> Is this ok, or did you have something else in mind?

That's fine. I just wanted a bit further validation to avoid an easy
breakage in case this assumption is not fulfilled anymore.

I have made a cosmetic change: renamed is_local to rpfilter_is_local
just to stick to the corresponding function namespace.

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
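The following is an added user-space model of the -m rpfilter decision path the thread is about; it is not the kernel's ipt_rpfilter code nor anything from the patch. Every struct, the FIB table, the device and flag names and the sample packets are constructed for illustration. It shows why the loopback-only exemption misses the bugzilla #814 packet (the reverse lookup of the host's own source address resolves to lo, not br.qemu) and why testing the RTCF_LOCAL flag on an attached routing result, rather than the mere presence of a dst, is what fixes it without exempting packets that merely carry some other dst.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: names mimic the kernel's for
 * readability only. */
#define IFF_LOOPBACK 0x8u          /* device flag, as in <linux/if.h> */
#define RTCF_LOCAL   0x80000000u   /* route flag, as in <linux/in_route.h> */

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

struct net_device { const char *name; unsigned int flags; };
struct rtable     { unsigned int rt_flags; };
struct sk_buff {
    const struct net_device *dev;  /* input device */
    const struct rtable *dst;      /* routing result already attached, or NULL */
    uint32_t saddr, daddr;
};

struct fib_entry { uint32_t net; unsigned int plen; const char *dev; };

/* Constructed FIB, longest prefix wins. The host's own address resolves to
 * "lo", mirroring the RTN_LOCAL entries in the kernel's local table; that is
 * what makes the strict reverse lookup fail for locally generated packets. */
static const struct fib_entry fib[] = {
    { IP(192, 168, 2, 1), 32, "lo"      },
    { IP(192, 168, 2, 0), 24, "br.qemu" },
    { IP(10, 0, 0, 0),     8, "eth0"    },
};

static const char *fib_lookup(uint32_t addr)
{
    const char *best = NULL;
    unsigned int best_len = 0;
    for (size_t i = 0; i < sizeof fib / sizeof fib[0]; i++) {
        uint32_t mask = fib[i].plen ? ~0u << (32 - fib[i].plen) : 0;
        if ((addr & mask) == (fib[i].net & mask) &&
            (best == NULL || fib[i].plen > best_len)) {
            best = fib[i].dev;
            best_len = fib[i].plen;
        }
    }
    return best;
}

/* Strict reverse-path test: would a reply to saddr leave via the input device? */
static bool rpfilter_lookup_reverse(const struct sk_buff *skb)
{
    const char *outdev = fib_lookup(skb->saddr);
    return outdev != NULL && strcmp(outdev, skb->dev->name) == 0;
}

/* The v2 check: a routing result flagged RTCF_LOCAL means the stack already
 * classified the packet as local, so nothing is left to verify. Testing the
 * flag, not just skb->dst != NULL, keeps a dst attached for other reasons
 * from short-circuiting the match. */
static bool rpfilter_is_local(const struct sk_buff *skb)
{
    return skb->dst != NULL && (skb->dst->rt_flags & RTCF_LOCAL);
}

/* Before the patch: only the loopback device was exempt. */
bool rpfilter_mt_old(const struct sk_buff *skb)
{
    if (skb->dev->flags & IFF_LOOPBACK)
        return true;
    return rpfilter_lookup_reverse(skb);
}

/* After the patch: locally routed packets are exempt as well. */
bool rpfilter_mt_new(const struct sk_buff *skb)
{
    if (skb->dev->flags & IFF_LOOPBACK)
        return true;
    if (rpfilter_is_local(skb))
        return true;
    return rpfilter_lookup_reverse(skb);
}

static const struct net_device br_qemu = { "br.qemu", 0 };
static const struct net_device lo_dev  = { "lo", IFF_LOOPBACK };
static const struct rtable local_rt    = { RTCF_LOCAL };
static const struct rtable plain_rt    = { 0 };

/* Constructed packets. pkt_bcast is the bugzilla #814 case: a locally
 * generated broadcast looped back onto the bridge it was sent out of. */
const struct sk_buff pkt_bcast   = { &br_qemu, &local_rt, IP(192, 168, 2, 1), IP(192, 168, 2, 255) };
const struct sk_buff pkt_peer    = { &br_qemu, NULL,      IP(192, 168, 2, 7), IP(192, 168, 2, 1) };
const struct sk_buff pkt_spoof   = { &br_qemu, NULL,      IP(10, 1, 2, 3),    IP(192, 168, 2, 1) };
const struct sk_buff pkt_dstonly = { &br_qemu, &plain_rt, IP(10, 1, 2, 3),    IP(192, 168, 2, 1) };
const struct sk_buff pkt_lo      = { &lo_dev,  &local_rt, IP(127, 0, 0, 1),   IP(127, 0, 0, 1) };

int main(void)
{
    const struct { const char *name; const struct sk_buff *skb; } cases[] = {
        { "local broadcast on br.qemu",   &pkt_bcast },
        { "peer on br.qemu",              &pkt_peer },
        { "spoofed 10/8 src on br.qemu",  &pkt_spoof },
        { "non-local dst, spoofed src",   &pkt_dstonly },
        { "loopback",                     &pkt_lo },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s old=%d new=%d\n", cases[i].name,
               rpfilter_mt_old(cases[i].skb), rpfilter_mt_new(cases[i].skb));
    return 0;
}
```

With the usual `-m rpfilter --invert -j DROP` rule, a packet is dropped exactly when the match returns false; the first case is the one that flipped from dropped to accepted with the patch, while the spoofed and dst-only cases stay dropped under both versions.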