[Bug 586] Problems changing the source address of a packet

bugzilla-daemon at bugzilla.netfilter.org
Mon Mar 30 18:03:51 CEST 2009
http://bugzilla.netfilter.org/show_bug.cgi?id=586


jengelh at medozas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org       |jengelh at medozas.de
             Status|REOPENED                    |NEW
------- Comment #4 from jengelh at medozas.de  2009-03-30 18:03 -------
nf_conntrack already recorded the connection with the given <src,dst,...> addr
tuple, and changing them leads to confusion (ultimately dropping it) — at
least when this is done within the kernel, e.g. in an Xtables target.
(libnetfilter_queue is exempt because skbs are new ones, with skb->nfct reset,
when packets are received from userspace.)

Modifications to the packet that involve parts of this tuple need to be done in
the raw table (or rawpost for outgoing traffic). raw runs before connection
tracking, and rawpost (available via an Xtables-addons branch ATM) runs
afterwards, hence ct would never see the original addresses and thus have no
way to get confused.

An alternative is that you remove the nfct entry from the tuplehash array and
reinsert it with the new tuple but that may mean more hairy code.

