From: Patrick McHardy <kaber@trash.net>
To: stable@kernel.org
Cc: netfilter-devel@lists.netfilter.org,
Patrick McHardy <kaber@trash.net>,
davem@davemloft.net
Subject: [NETFILTER 01/04]: Fix routing of REJECT target generated packets in output chain
Date: Wed, 10 Jan 2007 08:04:46 +0100 (MET)
Message-ID: <20070110070446.13495.72221.sendpatchset@localhost.localdomain>
In-Reply-To: <20070110070444.13495.95670.sendpatchset@localhost.localdomain>
[NETFILTER]: Fix routing of REJECT target generated packets in output chain
Packets generated by the REJECT target in the output chain have a local
destination address and a foreign source address. Make sure not to use
the foreign source address for the output route lookup.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 8d63ea0b410fed5a1d7493fa139592394ad01664
tree 859623f78e85fddaf314ba3d8b6a623fcda8d5bb
parent 1edb5a2de7a29144644794208eb63abbca419430
author Patrick McHardy <kaber@trash.net> Wed, 10 Jan 2007 05:43:39 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 10 Jan 2007 05:43:39 +0100
net/ipv4/netfilter.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index e2005c6..0147a18 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -15,16 +15,19 @@ int ip_route_me_harder(struct sk_buff **
struct flowi fl = {};
struct dst_entry *odst;
unsigned int hh_len;
+ unsigned int type;
+ type = inet_addr_type(iph->saddr);
if (addr_type == RTN_UNSPEC)
- addr_type = inet_addr_type(iph->saddr);
+ addr_type = type;
/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
* packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
*/
if (addr_type == RTN_LOCAL) {
fl.nl_u.ip4_u.daddr = iph->daddr;
- fl.nl_u.ip4_u.saddr = iph->saddr;
+ if (type == RTN_LOCAL)
+ fl.nl_u.ip4_u.saddr = iph->saddr;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.oif = (*pskb)->sk ? (*pskb)->sk->sk_bound_dev_if : 0;
#ifdef CONFIG_IP_ROUTE_FWMARK
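Review bot: the new `if (type == RTN_LOCAL)` guard in the `addr_type == RTN_LOCAL` branch leaves `fl.nl_u.ip4_u.saddr` at zero when the source is foreign, relying on the `struct flowi fl = {};` initializer, and nothing in the code says so. The existing comment about `ipt_REJECT.c:send_reset()` sits above the outer branch and only explains why such packets show up on the hook; a sentence next to the guard stating that the source is deliberately left unset, so the route lookup does not key on a non-local address, would keep a later cleanup from restoring the unconditional assignment. Two smaller points: `type = inet_addr_type(iph->saddr);` now runs on every call, while its result is only consumed when `addr_type` is `RTN_UNSPEC` or inside the `RTN_LOCAL` branch, so for a caller that passes some other explicit `addr_type` the lookup is wasted and could be deferred; and a name such as `saddr_type` would distinguish it better from `addr_type` than the generic `type`.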