Date:	Thu, 8 Feb 2007 16:52:31 +0100
From:	Ingo Oeser <netdev@...eo.de>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	netdev@...r.kernel.org
Subject: Re: Funny Routing change since 2.6.16.x

Hi Patrick,

Patrick McHardy wrote:
> Ingo Oeser wrote:
> > Patrick McHardy wrote:
> > 
> >>My guess is that you're using MASQUERADE on ppp0, which since 2.6.14
> >>doesn't exclude locally generated packets anymore, so it translates
> >>them to the primary ppp0 address. For replies it works because NAT
> >>is already set up for the incoming packet, without masquerading.
> > 
> > 
> > Your guess is right! Thanks for that hint. Do you have any idea how to
> > restore the old behavior? 
> > 
> > I have to, because the ISP cannot assign a different local address
> > and have problems with the new behavior, because that IP address is an MX entry
> > and the VPN gateway address for several third party vendor tunnels. 
> > So changing that is quite an effort.
> 
> 
> Since these packets already have the proper source address chosen
> by routing, there is no need to NAT them anymore. So the easiest
> fix is to exclude them manually from masquerading based on the
> address.

Just did that (iptables -t nat -I POSTROUTING -s $SRCADDR -o ppp0 -j ACCEPT)
and it works without any problems.

Many thanks for your very fast help! I'm very happy now :-)

Do you know any good place where this can be documented?


Best regards

Ingo Oeser
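
Added example, not part of the original message or of the netfilter project: a shell sketch that applies the exclusion rule from this thread idempotently and then checks, from `iptables -t nat -S POSTROUTING` output, that the ACCEPT rule really sits ahead of MASQUERADE. The function names, the address 192.0.2.10 and the sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are assumptions, not from the thread.

# Insert the exclusion rule (source address $1, outgoing interface $2) at the
# top of nat POSTROUTING unless an identical rule already exists (-C checks).
exclude_from_masq() {
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j ACCEPT 2>/dev/null ||
        iptables -t nat -I POSTROUTING -s "$1" -o "$2" -j ACCEPT
}

# Read `iptables -t nat -S POSTROUTING` output on stdin. Succeed only if an
# ACCEPT rule for source $1 on interface $2 comes before the first MASQUERADE
# rule that covers $2. Rules are evaluated first-match, so order decides
# whether the routing-chosen source address survives.
# Conservative: any earlier MASQUERADE rule on $2 counts as a failure, even
# one restricted to another source.
exclusion_precedes_masq() {
    awk -v src="$1" -v ifc="$2" '
        $1 != "-A" { next }
        {
            s = ""; o = ""; j = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-o") o = $(i + 1)
                if ($i == "-j") j = $(i + 1)
            }
        }
        o == ifc && j == "ACCEPT" && (s == src || s == src "/32") { found = 1; exit }
        (o == ifc || o == "") && j == "MASQUERADE" { exit }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listings in `iptables -S` format.
SAMPLE_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.0.2.10/32 -o ppp0 -j ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE'

SAMPLE_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.0.2.10/32 -o ppp0 -j ACCEPT'

# On a live system (as root):
#   exclude_from_masq "$SRCADDR" ppp0
#   iptables -t nat -S POSTROUTING | exclusion_precedes_masq "$SRCADDR" ppp0
```

Running the check after every firewall reload catches the case where a script appends the exclusion with `-A` after the MASQUERADE rule, which leaves it in the listing but never matched.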