On Sunday 2013-05-05 20:24, Dmitry Popov wrote:

>Also, shouldn't xt_RAWNAT depend on nf_defrag_ipv4 module?

Dunno. Being a module for really "raw" nf_conntrack-less static NAT, I feel no reason to make it hard-depend on nf_defrag, and instead leave it up to the user whether or not to load nf_defrag.

With nf_nat having gained IPv6 support, I also feel less inclined to keep xt_RAWNAT around. (In the meantime, your patch is applied.)

>xt_RAWNAT may work with ip fragments in PREROUTING chain, changing ip payload
>(believing it's tcp/udp checksum) in fragment is harmful.

I would tend to just ignore the fragment case for now, like many other modules. Comments against?

diff --git a/extensions/xt_RAWNAT.c b/extensions/xt_RAWNAT.c
index 858f911..0a24e77 100644
--- a/extensions/xt_RAWNAT.c
+++ b/extensions/xt_RAWNAT.c
@@ -87,6 +87,13 @@ static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
 	struct udphdr *udph;
 	bool cond;
 
+	/*
+	 * We do not really deal with fragments. On the first packet, we can attempt
+	 * to modify the L4 header, otherwise just ignore the data.
+	 */
+	if ((iph->frag_off & htons(IP_OFFSET)) == 0)
+		return;
+
 	switch (iph->protocol) {
 	case IPPROTO_TCP:
 		tcph = transport_hdr;
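Review bot: the condition in the added `if` is inverted relative to its own comment. `(iph->frag_off & htons(IP_OFFSET)) == 0` holds for the first fragment and for every unfragmented packet, so `rawnat4_update_l4` would return before touching the L4 header in exactly the cases the comment says should be modified, and would fall through into the `switch` for non-first fragments, rewriting payload bytes as if they were a TCP/UDP checksum, which is the harmful case Dmitry raised. The intended early exit is for a non-zero offset: `if (iph->frag_off & htons(IP_OFFSET))` followed by `return;`. It would also be worth restating in the comment that only the first fragment is processed and that later fragments are passed through unmodified, so the behaviour without nf_defrag loaded is explicit.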