Re: ipt_recent 0.3.0 --rttl still doesn't work (I made a patch instead, can't wait)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* per j (perj8@hotmail.com) wrote:
> Nope, my patch doesn't remove 'if(out) ttl++;'.  However I'm not too 
> certain whether one would really use it.  It doesn't really matter unless 
> --rttl is in the POSTROUTING chains.  So far -m recent and LOG are both 
> seeing the same TTL for me and I have no --rttl in POSTROUTING.  Why would 
> one use --rttl in POSTROUTING?  That's pretty late to filter incoming 
> packets (or rather outgoing packets).  Perhaps one would use it to mangle 
> forwarded parkets, but it would mean the packet already traversed the 
> FORWARD chain!  Maybe you could better explain 'if(out) ttl++;'?  I guess 
> it's there for those who must use --rttl in POSTROUTING?

The routing is done before the FORWARD chain is done (how else would you
know the outgoing interface?) and I believe the ttl incrementation
happens in the routing code.  I don't know that for sure and havn't had
time to test it.  The 'if(out) ttl++;' is meant to make TTL matching
work for people who use recent matching between PREROUTING and
FORWARD/POSTROUTING.  If you're using -j TTL and whatnot then really all
bets are off and there's no way for ipt_recent to figure that out so if
you're doing that you're kind of on your own with the ipt_recent TTL
matching.  The point of the 'if(out) ttl++;' is to allow you to 'set' in
PREROUTING and then 'rcheck' or 'update' in FORWARD, after the routing
code is done and have the TTL match work correctly, provided you are not
otherwise mucking the TTL.

> On the other hand, I use -j TTL --ttl-inc 1 in PREROUTING to restore the 
> TTL of packets going through the gateway as if packets forwarded through 
> the gateway are coming from the gateway.  So this _conflicts_ with your 
> 'if(out) ttl++;' if I were to use --rttl in POSTROUTING after -j TTL in the 
> mangle table.  I think it best not to use 'if(out) ttl++;' in ipt_recent in 
> this case.

I guess I could make that bit of code optional if there's really a need
for it to be?

> I see your point about making a new table entry for any different TTL from 
> the same ip address.  Valid point indeed!  --rttl seems to work fine with 
> your suggested code change to r_list[location].ttl, so I'm using the 
> following patch instead.

Glad that's working.

> I wonder why you left the ?old? bug hanging around without giving your 
> users any notice?  You should have publicly announced --rttl code is not 
> yet done somewhere in the documentation or on your announcement pages.  
> It's kinda a lie to publicly release ipt_recent without announcing the TODO 
> list of _old_ bugs.  Before this patch, --rttl worked only in extremely 
> rare condition when r_list[location].addr==addr and location==0.  and u 
> knew this was an old bug for a year or so? (sigh)

I didn't know about the bug before you pointed it out to me.  After you
pointed it out I realized how old a bug it was because of what it was
doing.

	Stephen

Attachment: pgp00358.pgp
Description: PGP signature


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux