iptable_nat seriously b0rken
Brent Scriver
bscriver@speakeasy.org
Sat, 8 Jul 2000 10:05:21 -0700
I'll give it a try. Don't have another machine with pptp on it, so it may
be a couple of days.
Brent
----- Original Message -----
From: "Steve Moro" <steve.moro@home.com>
To: "Multiple recipients of list NETFILTER" <netfilter@samba.org>
Sent: Saturday, July 08, 2000 9:21 AM
Subject: RE: iptable_nat seriously b0rken
> Can you from 2 machines at the same time PPTP out to different PPTP
> servers?
> I thought the iptables code could only track one at a time..
>
> Steve
>
> > -----Original Message-----
> > From: Brent Scriver [mailto:bscriver@speakeasy.org]
> > Sent: Friday, July 07, 2000 2:39 AM
> > To: steve.moro@home.com; Multiple recipients of list NETFILTER
> > Subject: Re: iptable_nat seriously b0rken
> >
> >
> >
> > I haven't had a problem with pptp, and I'm using the iptables 1.1.0 and
> > 2.3.99-pre8.
> >
> > Brent
> >
> > ----- Original Message -----
> > From: "Steve Moro" <steve.moro@home.com>
> > To: "Multiple recipients of list NETFILTER" <netfilter@samba.org>
> > Sent: Thursday, July 06, 2000 7:25 PM
> > Subject: RE: iptable_nat seriously b0rken
> >
> >
> > > Will this fix make PPTP connection tracking work?
> > >
> > > Just wondering.
> > > Steve
> > >
> > > > -----Original Message-----
> > > > From: netfilter@samba.org [mailto:netfilter@samba.org] On Behalf Of Rusty Russell
> > > > Sent: Thursday, July 06, 2000 9:10 PM
> > > > To: Multiple recipients of list NETFILTER
> > > > Subject: Re: iptable_nat seriously b0rken
> > > >
> > > >
> > > > In message <20000705011142.A2931@sith.mimuw.edu.pl> you write:
> > > > > Please CC answers to me as I'm not subscribed to the lists.
> > > > >
> > > > > The problem is simple, iptable_nat kills sit tunnels, see this:
> > > >
> > > > Dave, please merge. Having tunnels pass the entunnelled packets
> > > > through the LOCAL_OUT hook is nicer anyway (from a filtering and
> > > > least-surprise perspective), and allows my connection tracking code to
> > > > do its magic...
> > > >
> > > > Since ip_gre and ipip are basically identical, fixed them too.
> > > >
> > > > Rusty.
> > > >
> > > > diff -urN -X /tmp/filenPQH5d --minimal
> > > > linux-2.4.0-test3-2/net/ipv4/ip_gre.c
> > > > working-2.4.0-test3-2/net/ipv4/ip_gre.c
> > > > --- linux-2.4.0-test3-2/net/ipv4/ip_gre.c Thu May 25 12:41:52 2000
> > > > +++ working-2.4.0-test3-2/net/ipv4/ip_gre.c Thu Jul 6 14:03:16 2000
> > > > @@ -27,6 +27,7 @@
> > > > #include <linux/in6.h>
> > > > #include <linux/inetdevice.h>
> > > > #include <linux/igmp.h>
> > > > +#include <linux/netfilter_ipv4.h>
> > > >
> > > > #include <net/sock.h>
> > > > #include <net/ip.h>
> > > > @@ -616,6 +617,12 @@
> > > > return(0);
> > > > }
> > > >
> > > > +/* Need this wrapper because NF_HOOK takes the function address */
> > > > +static inline int do_ip_send(struct sk_buff *skb)
> > > > +{
> > > > + return ip_send(skb);
> > > > +}
> > > > +
> > > > static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device
> > *dev)
> > > > {
> > > > struct ip_tunnel *tunnel = (struct ip_tunnel*)dev->priv;
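Review bot: this `do_ip_send` wrapper is repeated verbatim in ipip.c and sit.c later in the same patch; one definition in a shared header (or next to `ip_send` itself) would keep the three copies from drifting apart. The comment would also help more if it said what stops `ip_send` from being passed to `NF_HOOK` directly, since that is the wrapper's only reason to exist.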
> > > > @@ -829,7 +836,8 @@
> > > >
> > > > stats->tx_bytes += skb->len;
> > > > stats->tx_packets++;
> > > > - ip_send(skb);
> > > > + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
> > > > + do_ip_send);
> > > > tunnel->recursion--;
> > > > return 0;
> > > >
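Review bot: `stats->tx_bytes` and `stats->tx_packets` are incremented two lines before the new `NF_HOOK` call, so a packet that a LOCAL_OUT hook drops is still counted as transmitted. With the old unconditional `ip_send(skb)` that ordering was harmless; now that a filter can refuse the packet, the counter updates belong after the hook returns (or inside `do_ip_send`, which only runs on ACCEPT). The same ordering appears in the ipip.c and sit.c hunks below.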
> > > > diff -urN -X /tmp/filenPQH5d --minimal
> > > > linux-2.4.0-test3-2/net/ipv4/ipip.c
> > working-2.4.0-test3-2/net/ipv4/ipip.c
> > > > --- linux-2.4.0-test3-2/net/ipv4/ipip.c Thu May 25 12:41:52 2000
> > > > +++ working-2.4.0-test3-2/net/ipv4/ipip.c Thu Jul 6 14:01:41 2000
> > > > @@ -107,6 +107,7 @@
> > > > #include <linux/if_arp.h>
> > > > #include <linux/mroute.h>
> > > > #include <linux/init.h>
> > > > +#include <linux/netfilter_ipv4.h>
> > > >
> > > > #include <net/sock.h>
> > > > #include <net/ip.h>
> > > > @@ -499,6 +500,12 @@
> > > > return 0;
> > > > }
> > > >
> > > > +/* Need this wrapper because NF_HOOK takes the function address */
> > > > +static inline int do_ip_send(struct sk_buff *skb)
> > > > +{
> > > > + return ip_send(skb);
> > > > +}
> > > > +
> > > > /*
> > > > * This function assumes it is being called from dev_queue_xmit()
> > > > * and that skb is filled properly by that function.
> > > > @@ -631,7 +638,8 @@
> > > >
> > > > stats->tx_bytes += skb->len;
> > > > stats->tx_packets++;
> > > > - ip_send(skb);
> > > > + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
> > > > + do_ip_send);
> > > > tunnel->recursion--;
> > > > return 0;
> > > >
> > > > diff -urN -X /tmp/filenPQH5d --minimal
> > > > linux-2.4.0-test3-2/net/ipv6/sit.c
> > working-2.4.0-test3-2/net/ipv6/sit.c
> > > > --- linux-2.4.0-test3-2/net/ipv6/sit.c Fri May 12 13:22:39 2000
> > > > +++ working-2.4.0-test3-2/net/ipv6/sit.c Thu Jul 6 14:03:23 2000
> > > > @@ -29,6 +29,7 @@
> > > > #include <linux/icmp.h>
> > > > #include <asm/uaccess.h>
> > > > #include <linux/init.h>
> > > > +#include <linux/netfilter_ipv4.h>
> > > >
> > > > #include <net/sock.h>
> > > > #include <net/snmp.h>
> > > > @@ -404,6 +405,12 @@
> > > > return 0;
> > > > }
> > > >
> > > > +/* Need this wrapper because NF_HOOK takes the function address */
> > > > +static inline int do_ip_send(struct sk_buff *skb)
> > > > +{
> > > > + return ip_send(skb);
> > > > +}
> > > > +
> > > > /*
> > > > * This function assumes it is being called from dev_queue_xmit()
> > > > * and that skb is filled properly by that function.
> > > > @@ -559,7 +566,8 @@
> > > >
> > > > stats->tx_bytes += skb->len;
> > > > stats->tx_packets++;
> > > > - ip_send(skb);
> > > > + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
> > > > + do_ip_send);
> > > >
> > > > tunnel->recursion--;
> > > > return 0;
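Review bot: a one-line comment at the `NF_HOOK` call would save the next reader a question, since this file lives under net/ipv6 yet hooks `PF_INET`/`NF_IP_LOCAL_OUT`: the outer header sit emits is IPv4, so the IPv4 LOCAL_OUT hook is the right one. Otherwise identical to the ip_gre.c and ipip.c hunks, including the counter ordering noted there.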
> > > > --
> > > > Hacking time.
> > >
> > >
> >
>
>
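To make the behavioural difference in Rusty's patch concrete, here is an added userspace model of what `NF_HOOK` does with the function address it is handed. It is not kernel code and not part of the patch: the hook point, the verdict values, `struct skb`, the `register_hook` helper and the `drop_gre` filter are all simplified stand-ins I constructed; the kernel's real definitions live in `<linux/netfilter_ipv4.h>` and differ.

```c
/*
 * Userspace model of the netfilter dispatch the patch relies on.
 * Added example, not kernel code: hook points, verdicts and struct skb
 * are simplified stand-ins for the kernel's definitions.
 */
#include <stdio.h>

#define MAX_HOOKS 8

/* Hook points (the kernel has several; only LOCAL_OUT matters here). */
enum hooknum { HOOK_LOCAL_OUT = 0, HOOK_COUNT };

/* Verdicts a hook function may return. */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Minimal stand-in for struct sk_buff. */
struct skb {
    int proto;   /* IP protocol number of the outer (encapsulating) header */
    int sent;    /* set once ip_send() has taken the packet */
};

typedef enum verdict (*hook_fn)(const struct skb *skb);
typedef int (*ok_fn)(struct skb *skb);

static hook_fn hooks[HOOK_COUNT][MAX_HOOKS];
static int nhooks[HOOK_COUNT];

/* Register a hook function at a hook point; 0 on success, -1 if full. */
int register_hook(enum hooknum hn, hook_fn fn)
{
    if (hn >= HOOK_COUNT || nhooks[hn] >= MAX_HOOKS)
        return -1;
    hooks[hn][nhooks[hn]++] = fn;
    return 0;
}

/*
 * Model of NF_HOOK(): run every hook at the hook point in order. If any
 * returns DROP, okfn is never called and the packet goes nowhere; only when
 * all hooks ACCEPT does the packet continue to okfn. This is why the patch
 * must hand NF_HOOK a function address instead of calling ip_send() itself.
 */
int nf_hook(enum hooknum hn, struct skb *skb, ok_fn okfn)
{
    for (int i = 0; i < nhooks[hn]; i++)
        if (hooks[hn][i](skb) == VERDICT_DROP)
            return -1;      /* dropped by a filter hook */
    return okfn(skb);
}

/* Stand-in for ip_send(): hand the packet to the output path. */
static int ip_send(struct skb *skb)
{
    skb->sent = 1;
    return 0;
}

/* Same shape as the patch's wrapper: NF_HOOK needs a function address. */
static int do_ip_send(struct skb *skb)
{
    return ip_send(skb);
}

/* Before the patch: the encapsulated packet never meets a hook. */
int tunnel_xmit_before(struct skb *skb)
{
    return ip_send(skb);
}

/* After the patch: the packet traverses LOCAL_OUT first. */
int tunnel_xmit_after(struct skb *skb)
{
    return nf_hook(HOOK_LOCAL_OUT, skb, do_ip_send);
}

/* Example filter hook: refuse GRE (IP protocol 47) leaving this host. */
static enum verdict drop_gre(const struct skb *skb)
{
    return skb->proto == 47 ? VERDICT_DROP : VERDICT_ACCEPT;
}

/*
 * Push one constructed packet with the given outer protocol through the old
 * or the new transmit path, with drop_gre installed at LOCAL_OUT.
 * Returns 1 if ip_send() got the packet, 0 if a hook dropped it.
 */
int send_with_gre_filter(int proto, int patched)
{
    struct skb skb = { .proto = proto, .sent = 0 };
    nhooks[HOOK_LOCAL_OUT] = 0;             /* fresh hook list per call */
    register_hook(HOOK_LOCAL_OUT, drop_gre);
    if (patched)
        tunnel_xmit_after(&skb);
    else
        tunnel_xmit_before(&skb);
    return skb.sent;
}

int main(void)
{
    printf("unpatched, GRE:  sent=%d\n", send_with_gre_filter(47, 0));
    printf("patched,   GRE:  sent=%d\n", send_with_gre_filter(47, 1));
    printf("patched,   IPIP: sent=%d\n", send_with_gre_filter(4, 1));
    return 0;
}
```

The three runs show the point of the patch from a filtering perspective: with the old direct `ip_send` call the GRE-encapsulated packet leaves regardless of any LOCAL_OUT rule, whereas after the change a DROP verdict at LOCAL_OUT stops it and only non-matching protocols (IPIP here) still reach `ip_send`. Note that the model, like the patch, counts nothing; where real counters are bumped before the hook runs, a dropped packet would still be counted.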