Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Because xt_addrtype uses ip6_route_output, the ipv6 routing
> > implementation creates an unwanted cached entry, and the packet
> > won't make it to the real/expected destination.
> >
> > Silently ignoring --limit-iface-in makes the routing work
> > but it breaks rule matching (--dst-type LOCAL with limit-iface-in
> > is supposed to only match if the dst address is configured on
> > the incoming interface; without --limit-iface-in it will match if
> > the address is reachable via lo).
> >
> > AFAIU the only solution is to use ipv6_chk_addr() when
> > LOCAL is requested instead of a route lookup.
> >
> > Since this would create a dependency on ipv6, it's a no-go.
> > So, it boils down to two possible solutions:
> >
> > a) extend struct nf_afinfo to also register
> > ipv6_chk_addr(), OR
> > b) revert the commit that moved ipt_addrtype to xt_addrtype,
> > and keep the ipv6 code in ip6t_addrtype.
>
> I'd prefer something smaller so I can pass a fix to -stable. We
> cannot pass patches bigger than 100 lines including context.

This will be tough.

Extending struct nf_afinfo for ipv6_chk_addr MIGHT come in just under 100 lines.

I'll have a go at this.

[ I don't like this solution because we add something for the sake of a single ipv6 special case. ]

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
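The two match semantics the quoted text distinguishes, as a userspace model added here for illustration (not code from the thread, from xt_addrtype or from the kernel): the interface/address table is constructed, and chk_addr6() stands in for ipv6_chk_addr() called with and without a device argument. The point it shows is the one the quoted text worries about: an address configured on eth0 is LOCAL to the host, so `--dst-type LOCAL` alone matches a packet for it even when that packet arrives on eth1 (the kernel would reach the address via lo), but with `--limit-iface-in` the same packet must not match because the address is not configured on eth1.

```c
// Userspace model of "-m addrtype --dst-type LOCAL [--limit-iface-in]" for
// IPv6. Added illustration, not kernel or xt_addrtype code: the host
// configuration below is constructed, and chk_addr6() is an analogue of
// ipv6_chk_addr(), not the real function. Build: cc -std=c99 -Wall model.c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct ifaddr {
    const char *ifname;
    const char *addr;   /* textual IPv6 address, parsed on demand */
};

/* Constructed host configuration (hypothetical, not from the thread). */
static const struct ifaddr host_addrs[] = {
    { "lo",   "::1" },
    { "eth0", "2001:db8::1" },
    { "eth0", "fe80::1" },
    { "eth1", "2001:db8:1::1" },
};

static bool parse6(const char *text, struct in6_addr *out)
{
    return inet_pton(AF_INET6, text, out) == 1;
}

/*
 * Analogue of ipv6_chk_addr(net, addr, dev, strict):
 *  - in_dev != NULL: the address must be configured on that device
 *    (the --limit-iface-in semantics);
 *  - in_dev == NULL: any address configured on the host counts, which is
 *    what a route lookup resolving to lo reports as well.
 * No route lookup happens here, so nothing is cached as a side effect.
 */
static bool chk_addr6(const struct in6_addr *addr, const char *in_dev)
{
    for (size_t i = 0; i < sizeof host_addrs / sizeof host_addrs[0]; i++) {
        struct in6_addr cfg;
        if (!parse6(host_addrs[i].addr, &cfg))
            continue;
        if (memcmp(&cfg, addr, sizeof cfg) != 0)
            continue;
        if (in_dev == NULL || strcmp(host_addrs[i].ifname, in_dev) == 0)
            return true;
    }
    return false;
}

/*
 * Would "--dst-type LOCAL" (with or without --limit-iface-in) match a packet
 * with destination dst that arrived on interface in_dev?
 */
bool addrtype_local_match(const char *dst, const char *in_dev,
                          bool limit_iface_in)
{
    struct in6_addr d;
    if (!parse6(dst, &d))
        return false;   /* unparsable destination never matches */
    return chk_addr6(&d, limit_iface_in ? in_dev : NULL);
}

int main(void)
{
    const char *dst = "2001:db8::1";   /* configured on eth0 only */
    printf("dst %s in eth0, LOCAL:                 %d\n", dst,
           addrtype_local_match(dst, "eth0", false));
    printf("dst %s in eth1, LOCAL:                 %d\n", dst,
           addrtype_local_match(dst, "eth1", false));
    printf("dst %s in eth1, LOCAL --limit-iface-in: %d\n", dst,
           addrtype_local_match(dst, "eth1", true));
    return 0;
}
```

The third line of output is the case that "silently ignoring --limit-iface-in" would get wrong: dropping the device argument turns a strict per-interface check into a host-wide one.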