From: "Ming-Ching Tiew" <mingching.tiew@redtone.com>
To: <netfilter-devel@vger.kernel.org>, <tproxy@lists.balabit.hu>
Subject: Tproxy4, fwmark and netfilter route_me_harder
Date: Thu, 17 Jan 2008 10:28:18 +0800	[thread overview]
Message-ID: <007001c858b0$9f570db0$8119fea9@MingChing> (raw)
In-Reply-To: 478F724F.8010900@redtone.com


KOVACS Krisztian wrote:
> Hi,
>
> On szo, jan 12, 2008 at 11:47:44 +0800, Ming-Ching Tiew wrote:
>   
>> 2 ) IP FREEBIND packets spoofed with foreign source address will not 
>> leave the system when there is a FWMARK in the mangle table OUTPUT 
>> chain. This patch is created by me based on the information given by 
>> Kovacs, code quality is highly questionable as I barely understood 
>> what it is all about, but it seems to work.
>>
>> --- linux-2.6.22-org/net/ipv4/netfilter.c       2007-12-13 
>> 20:55:45.000000000 +0800
>> +++ linux-2.6.22-new/net/ipv4/netfilter.c       2007-12-13 
>> 20:55:03.000000000 +0800
>> @@ -24,7 +24,7 @@
>>         /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
>>          * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
>>          */
>> -       if (addr_type == RTN_LOCAL) {
>> +//     if (addr_type == RTN_LOCAL) {
>>                 fl.nl_u.ip4_u.daddr = iph->daddr;
>>                 if (type == RTN_LOCAL)
>>                         fl.nl_u.ip4_u.saddr = iph->saddr;
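Review bot: disabling `if (addr_type == RTN_LOCAL) {` with a `//` comment removes both the condition and the block's opening brace, so this hunk only compiles because the matching `} else {` is commented out in the next hunk; if the intent is to take the output-route lookup for every packet, delete the condition and its braces and reindent the body instead of leaving the old code as comments. Note also that for a spoofed source `type` is not RTN_LOCAL, so the `if (type == RTN_LOCAL)` guard leaves `fl.nl_u.ip4_u.saddr` unset and the route lookup is keyed on the destination only, while the packet itself still carries the foreign source address; the change description should state whether that is the intended behaviour.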
>> @@ -37,10 +37,10 @@
>>                 /* Drop old route. */
>>                 dst_release((*pskb)->dst);
>>                 (*pskb)->dst = &rt->u.dst;
>> -       } else {
>> +//     } else {
>>                 /* non-local src, find valid iif to satisfy
>>                  * rp-filter when calling ip_route_input. */
>> -               fl.nl_u.ip4_u.daddr = iph->saddr;
>> +/*             fl.nl_u.ip4_u.daddr = iph->saddr;
>>                 if (ip_route_output_key(&rt, &fl) != 0)
>>                         return -1;
>>
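Review bot: the `/*` opened at `fl.nl_u.ip4_u.daddr = iph->saddr;` is not closed within this hunk, and commenting out `} else {` with `//` leaves the "non-local src, find valid iif to satisfy rp-filter" comment in place describing code that no longer runs; if the input-side lookup is what fails for an IP_FREEBIND source once a mark is set, remove the whole else branch together with its comment, and say in the description which of the two lookups (`ip_route_output_key` on `iph->saddr` here, or the `ip_route_input` call that follows) actually breaks. A `/* ... */` wrapper also terminates at the first `*/` inside the wrapped region, so the build breaks as soon as a comment is added there; `#if 0` is the conventional way to disable a region while it is still under discussion.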
>> @@ -53,7 +53,7 @@
>>                 dst_release(&rt->u.dst);
>>                 dst_release(odst);
>>         }
>> -
>> +*/
>>         if ((*pskb)->dst->error)
>>                 return -1;
>>     
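Review bot: the closing `*/` replaces the blank line that separated the branch from `if ((*pskb)->dst->error)`, so the block comment spans two hunks and cannot be reviewed or reverted hunk by hunk, and the blank line should be kept; with the else branch disabled the `dst_release(&rt->u.dst); dst_release(odst);` release path is no longer reachable, so the description should also explain what happens to the old `dst` of a spoofed-source packet once only the output-route path remains.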
>
> We should probably first ask on netfilter-devel@ why this whole route
> lookup thing is necessary...
>
>    

I am sort of just forwarding this to netfilter-devel.
 
For those who are on netfilter-devel but not on the tproxy mailing list, a little 
background here:
 
I discovered, after applying the tproxy4 patch which allows one to spoof 
originating traffic with a foreign IP address (for the purpose of doing a 
transparent proxy), that traffic with a foreign IP will not leave the 
system if there is a FWMARK in the mangle table OUTPUT chain. Any MARK 
will screw up the routing.
 
And the patch above seems to be able to get the packets out of the machine
again.

So the motivation here is that perhaps someone could throw some light on 
how this situation is best handled.
 
Regards.


Thread overview: 2+ messages
     [not found] <2eda2a0a0801101228h230e9d56pd850df9e86a03546@mail.gmail.com>
     [not found] ` <47878108.50108@redtone.com>
     [not found]   ` <2eda2a0a0801101928l650804aclbdfd101779f45295@mail.gmail.com>
     [not found]     ` <007901c85403$6f690dd0$8119fea9@MingChing>
     [not found]       ` <47873A67.2010406@balabit.hu>
     [not found]         ` <47878F45.4040201@redtone.com>
     [not found]           ` <47879DC5.3050605@balabit.hu>
     [not found]             ` <47883860.8040303@redtone.com>
     [not found]               ` <20080115114237.GA7265@sch.bme.hu>
     [not found]                 ` <478F724F.8010900@redtone.com>
2008-01-17  2:28                   ` Ming-Ching Tiew [this message]
2008-01-20 15:31                     ` Tproxy4, fwmark and netfilter route_me_harder Patrick McHardy
