iptable_nat seriously b0rken

Steve Moro steve.moro@home.com
Thu, 6 Jul 2000 22:25:26 -0400


Will this fix make PPTP connection tracking work?

Just wondering.
Steve

> -----Original Message-----
> From: netfilter@samba.org [mailto:netfilter@samba.org]On Behalf Of Rusty
> Russell
> Sent: Thursday, July 06, 2000 9:10 PM
> To: Multiple recipients of list NETFILTER
> Subject: Re: iptable_nat seriously b0rken
>
>
> In message <20000705011142.A2931@sith.mimuw.edu.pl> you write:
> > Please CC answers to me as I'm not subscribed to the lists.
> >
> > The problem is simple, iptable_nat kills sit tunnels, see this:
>
> Dave, please merge.  Having tunnels pass the entunnelled packets
> through the LOCAL_OUT hook is nicer anyway (from a filtering and
> least-surprise perspective), and allows my connection tracking code to
> do its magic...
>
> Since ip_gre and ipip are basically identical, fixed them too.
>
> Rusty.
>
> diff -urN -X /tmp/filenPQH5d --minimal
> linux-2.4.0-test3-2/net/ipv4/ip_gre.c
> working-2.4.0-test3-2/net/ipv4/ip_gre.c
> --- linux-2.4.0-test3-2/net/ipv4/ip_gre.c	Thu May 25 12:41:52 2000
> +++ working-2.4.0-test3-2/net/ipv4/ip_gre.c	Thu Jul  6 14:03:16 2000
> @@ -27,6 +27,7 @@
>  #include <linux/in6.h>
>  #include <linux/inetdevice.h>
>  #include <linux/igmp.h>
> +#include <linux/netfilter_ipv4.h>
>
>  #include <net/sock.h>
>  #include <net/ip.h>
> @@ -616,6 +617,12 @@
>  	return(0);
>  }
>
> +/* Need this wrapper because NF_HOOK takes the function address */
> +static inline int do_ip_send(struct sk_buff *skb)
> +{
> +	return ip_send(skb);
> +}
> +
>  static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
>  {
>  	struct ip_tunnel *tunnel = (struct ip_tunnel*)dev->priv;
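Review bot: The `inline` on `do_ip_send` is misleading here: the wrapper exists only so its address can be passed to NF_HOOK, which forces an out-of-line copy, so `static int do_ip_send(struct sk_buff *skb)` describes what actually happens. The identical three-line wrapper is also pasted into ipip.c and sit.c in this same patch; a single shared definition (next to ip_send, or a non-inline ip_send variant) would keep the three tunnel drivers from drifting apart later. The comment should also say why NF_HOOK needs a real function rather than just "takes the function address", e.g. `/* ip_send() is static inline; NF_HOOK needs an out-of-line okfn to call after the hook chain */`.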
> @@ -829,7 +836,8 @@
>
>  	stats->tx_bytes += skb->len;
>  	stats->tx_packets++;
> -	ip_send(skb);
> +	NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
> +		do_ip_send);
>  	tunnel->recursion--;
>  	return 0;
>
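Review bot: Nothing in this hunk clears connection-tracking state the skb may still carry from the inner packet before the outer packet is handed to NF_IP_LOCAL_OUT; if `skb->nfct` is still set from the inner flow, conntrack and NAT at the hook would judge the encapsulating packet against the wrong connection. ipgre_tunnel_xmit's body starts well outside the hunk, so the reset may already happen earlier; if it does not, the hook call should be preceded by something like `nf_conntrack_put(skb->nfct); skb->nfct = NULL;` under `#ifdef CONFIG_NETFILTER`. Worth confirming against the full function before the patch is merged, since it is exactly the case (tunnels plus NAT) that the patch is meant to fix.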
> diff -urN -X /tmp/filenPQH5d --minimal
> linux-2.4.0-test3-2/net/ipv4/ipip.c working-2.4.0-test3-2/net/ipv4/ipip.c
> --- linux-2.4.0-test3-2/net/ipv4/ipip.c	Thu May 25 12:41:52 2000
> +++ working-2.4.0-test3-2/net/ipv4/ipip.c	Thu Jul  6 14:01:41 2000
> @@ -107,6 +107,7 @@
>  #include <linux/if_arp.h>
>  #include <linux/mroute.h>
>  #include <linux/init.h>
> +#include <linux/netfilter_ipv4.h>
>
>  #include <net/sock.h>
>  #include <net/ip.h>
> @@ -499,6 +500,12 @@
>  	return 0;
>  }
>
> +/* Need this wrapper because NF_HOOK takes the function address */
> +static inline int do_ip_send(struct sk_buff *skb)
> +{
> +	return ip_send(skb);
> +}
> +
>  /*
>   *	This function assumes it is being called from dev_queue_xmit()
>   *	and that skb is filled properly by that function.
> @@ -631,7 +638,8 @@
>
>  	stats->tx_bytes += skb->len;
>  	stats->tx_packets++;
> -	ip_send(skb);
> +	NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
> +		do_ip_send);
>  	tunnel->recursion--;
>  	return 0;
>
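Review bot: `stats->tx_bytes` and `stats->tx_packets` are incremented before the packet reaches NF_HOOK, so a packet that a LOCAL_OUT rule drops is still counted as transmitted and never as dropped; with a plain ip_send this ordering was harmless, with a filter hook in the path it becomes a visible accounting change. The result of NF_HOOK is also discarded, so the driver cannot tell that the skb was dropped and freed by the hook (presumably reported as a negative return). One option is `if (NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, do_ip_send) < 0) stats->tx_dropped++;`, though whether a queued packet should count as sent is a policy choice worth stating in a comment. ipip_tunnel_xmit starts outside this hunk.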
> diff -urN -X /tmp/filenPQH5d --minimal
> linux-2.4.0-test3-2/net/ipv6/sit.c working-2.4.0-test3-2/net/ipv6/sit.c
> --- linux-2.4.0-test3-2/net/ipv6/sit.c	Fri May 12 13:22:39 2000
> +++ working-2.4.0-test3-2/net/ipv6/sit.c	Thu Jul  6 14:03:23 2000
> @@ -29,6 +29,7 @@
>  #include <linux/icmp.h>
>  #include <asm/uaccess.h>
>  #include <linux/init.h>
> +#include <linux/netfilter_ipv4.h>
>
>  #include <net/sock.h>
>  #include <net/snmp.h>
> @@ -404,6 +405,12 @@
>  	return 0;
>  }
>
> +/* Need this wrapper because NF_HOOK takes the function address */
> +static inline int do_ip_send(struct sk_buff *skb)
> +{
> +	return ip_send(skb);
> +}
> +
>  /*
>   *	This function assumes it is being called from dev_queue_xmit()
>   *	and that skb is filled properly by that function.
> @@ -559,7 +566,8 @@
>
>  	stats->tx_bytes += skb->len;
>  	stats->tx_packets++;
> -	ip_send(skb);
> +	NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
> +		do_ip_send);
>
>  	tunnel->recursion--;
>  	return 0;
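Review bot: The hook is registered for PF_INET on an skb whose payload is IPv6, so the LOCAL_OUT filter and NAT code will read `skb->nh.iph`; the hunk does not show where `skb->nh` is pointed at the freshly built outer IPv4 header, and ipip6_tunnel_xmit starts outside the hunk, so please confirm that happens before the NF_HOOK line rather than leaving nh on the inner IPv6 header. A one-line comment above the call, e.g. `/* skb->nh must already point at the outer IPv4 header: LOCAL_OUT hooks read nh.iph */`, would make that dependency explicit. Minor style point: this file keeps a blank line between the NF_HOOK call and `tunnel->recursion--;` while the ip_gre.c and ipip.c hunks do not; pick one layout for the three copies.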
> --
> Hacking time.