Message-ID: <45FA1980.5050507@trash.net>
Date: Fri, 16 Mar 2007 05:13:52 +0100
From: Patrick McHardy <kaber@...sh.net>
To: Martin Schiller <mschiller@....de>
CC: netdev@...r.kernel.org, 'Netfilter Development Mailinglist' <netfilter-devel@...ts.netfilter.org>
Subject: Re: [PATCH] NAT and requests to unrouted targets
Martin Schiller wrote:
> Well, the really responsible code is the following:
>
> ------------------------------------------------------------------------
> static unsigned int
> ip_nat_local_fn(unsigned int hooknum,
>                 struct sk_buff **pskb,
>                 const struct net_device *in,
>                 const struct net_device *out,
>                 int (*okfn)(struct sk_buff *))
> {
>         struct ip_conntrack *ct;
>         enum ip_conntrack_info ctinfo;
>         unsigned int ret;
>
>         /* root is playing with raw sockets. */
>         if ((*pskb)->len < sizeof(struct iphdr)
>             || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
>                 return NF_ACCEPT;
>
>         ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
>         if (ret != NF_DROP && ret != NF_STOLEN
>             && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
>                 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
>
>                 if (ct->tuplehash[dir].tuple.dst.ip !=
>                     ct->tuplehash[!dir].tuple.src.ip
> #ifdef CONFIG_XFRM
>                     || ct->tuplehash[dir].tuple.dst.u.all !=
>                        ct->tuplehash[!dir].tuple.src.u.all
> #endif
>                     )
>                         if (ip_route_me_harder(pskb, RTN_UNSPEC))
>                                 ret = NF_DROP;
>         }
>         return ret;
> }
> ----------------------------------------------------------------------------
>
> To be more exact, it's the examination of
> "ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all"
> which is only done if XFRM is configured. Since I don't need this anyway,
> I deactivated XFRM now and my "ping -I" is working now.
You're right, that doesn't really work for ICMP since the tuples are
asymmetric even without NAT. I didn't expect the unnecessary call to
ip_route_me_harder to have any side-effects. I'll look into fixing
this properly.
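The asymmetry Patrick refers to is easy to see in a model of the conntrack tuple. The following is an added example, not kernel code and not a patch from either poster: it mirrors the layout of the kernel's tuple manip union (ports for TCP/UDP; echo id on the src side and type/code on the dst side for ICMP), builds the reply tuple the way the per-protocol invert helpers do, and evaluates the re-route test from the quoted ip_nat_local_fn with and without the CONFIG_XFRM branch. The addresses, ports and echo id are constructed sample values; the `needs_reroute_proto_aware` variant is one illustration of how the check could be restricted in this model, not the fix the reply above promises.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code): a cut-down model of ip_conntrack's tuple
 * layout and of the re-route test in the quoted ip_nat_local_fn, to show why
 * the CONFIG_XFRM branch fires for ICMP echo even when no NAT mapping exists. */

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { ICMP_ECHOREPLY = 0, ICMP_ECHO = 8 };
enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Like the kernel's manip union: TCP/UDP keep a port in both tuple halves, but
 * ICMP keeps the echo id in src.u and type/code in dst.u, all overlaid on .all */
union manip_u {
    uint16_t all;
    uint16_t port;
    uint16_t icmp_id;
    struct { uint8_t type, code; } icmp;
};

struct tuple {
    struct { uint32_t ip; union manip_u u; } src;
    struct { uint32_t ip; union manip_u u; uint8_t protonum; } dst;
};

struct conntrack { struct tuple tuple[2]; };  /* ct->tuplehash[dir].tuple */

/* Reply tuple as the per-protocol invert helpers build it: TCP/UDP swap
 * ip:port; ICMP keeps the id on the src side and maps echo -> echo reply. */
static struct tuple invert_tuple(const struct tuple *orig)
{
    struct tuple rep;
    memset(&rep, 0, sizeof(rep));
    rep.src.ip = orig->dst.ip;
    rep.dst.ip = orig->src.ip;
    rep.dst.protonum = orig->dst.protonum;
    if (orig->dst.protonum == PROTO_ICMP) {
        rep.src.u.icmp_id = orig->src.u.icmp_id;
        rep.dst.u.icmp.type = orig->dst.u.icmp.type == ICMP_ECHO ? ICMP_ECHOREPLY : ICMP_ECHO;
        rep.dst.u.icmp.code = orig->dst.u.icmp.code;
    } else {
        rep.src.u.port = orig->dst.u.port;
        rep.dst.u.port = orig->src.u.port;
    }
    return rep;
}

/* The test from ip_nat_local_fn: this direction's dst against the other
 * direction's src; the .all comparison exists only under CONFIG_XFRM.
 * Returns 1 where the kernel would call ip_route_me_harder. */
static int needs_reroute(const struct conntrack *ct, int dir, int xfrm)
{
    const struct tuple *t = &ct->tuple[dir], *o = &ct->tuple[!dir];
    if (t->dst.ip != o->src.ip)
        return 1;
    return xfrm && t->dst.u.all != o->src.u.all;
}

/* Illustration only, not the fix promised in the reply above: compare .all
 * only for protocols whose src/dst manip fields are mirror images. */
static int needs_reroute_proto_aware(const struct conntrack *ct, int dir, int xfrm)
{
    const struct tuple *t = &ct->tuple[dir], *o = &ct->tuple[!dir];
    int ports = t->dst.protonum == PROTO_TCP || t->dst.protonum == PROTO_UDP;
    if (t->dst.ip != o->src.ip)
        return 1;
    return xfrm && ports && t->dst.u.all != o->src.u.all;
}

/* Constructed sample connection 10.0.0.2 -> 192.0.2.10: UDP 40000 -> 53 or an
 * ICMP echo with id 0x1234. With dnat set, only the reply tuple is rewritten
 * (as ip_nat_setup_info does) so the connection now targets 192.0.2.20:5353. */
static int reroute_for(uint8_t proto, int dnat, int dir, int xfrm, int proto_aware)
{
    struct conntrack ct;
    struct tuple *orig = &ct.tuple[DIR_ORIGINAL];
    memset(&ct, 0, sizeof(ct));
    orig->src.ip = IP4(10, 0, 0, 2);
    orig->dst.ip = IP4(192, 0, 2, 10);
    orig->dst.protonum = proto;
    if (proto == PROTO_ICMP) {
        orig->src.u.icmp_id = 0x1234;
        orig->dst.u.icmp.type = ICMP_ECHO;
    } else {
        orig->src.u.port = 40000;
        orig->dst.u.port = 53;
    }
    ct.tuple[DIR_REPLY] = invert_tuple(orig);
    if (dnat) {
        ct.tuple[DIR_REPLY].src.ip = IP4(192, 0, 2, 20);
        ct.tuple[DIR_REPLY].src.u.port = 5353;
    }
    return proto_aware ? needs_reroute_proto_aware(&ct, dir, xfrm)
                       : needs_reroute(&ct, dir, xfrm);
}

int main(void)
{
    printf("udp  no-nat xfrm: %d\n", reroute_for(PROTO_UDP, 0, DIR_ORIGINAL, 1, 0));
    printf("icmp no-nat xfrm: %d (spurious)\n", reroute_for(PROTO_ICMP, 0, DIR_ORIGINAL, 1, 0));
    printf("udp  dnat   xfrm: %d (intended)\n", reroute_for(PROTO_UDP, 1, DIR_ORIGINAL, 1, 0));
    printf("icmp no-nat xfrm proto-aware: %d\n", reroute_for(PROTO_ICMP, 0, DIR_ORIGINAL, 1, 1));
    return 0;
}
```

Without XFRM the ICMP case compares only addresses and stays quiet; with XFRM the type/code bytes on the dst side are compared against the echo id on the src side, which never match, so every locally generated echo request goes through ip_route_me_harder. For an unrouted target reached via `ping -I`, that re-route is what turns a working raw-socket send into a drop.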