ip_rt_bug in mangle/OUTPUT
Patrick McHardy
kaber at trash.net
Wed Jun 6 13:36:38 CEST 2007
Rennie deGraaf wrote:
> Patrick McHardy wrote:
>
>>If you don't need the rerouting to happen (you only change the
>>source address and don't use routing rules based on that) you can
>>simply return NF_STOP instead of NF_ACCEPT. It will do exactly
>>the same thing but avoid rerouting.
>
>
> That solution worked well on recent kernels. Unfortunately, my boss now
> wants my code to work on Linux 2.6.9, which doesn't appear to have
> NF_STOP. (It seems to have been added in 2.6.12.) Can you think of any
> other work-arounds, short of dropping the packets and re-injecting the
> modified versions through raw sockets?

No, old kernel versions will even leak packets when you send unknown
return codes.