From: KOVACS Krisztian <hidden@sch.bme.hu>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org,
Balazs Scheidler <bazsi@balabit.hu>,
Toth Laszlo Attila <panther@balabit.hu>
Subject: [PATCH 01/13] Loosen source address check on IPv4 output
Date: Tue, 02 Oct 2007 22:40:14 +0200 [thread overview]
Message-ID: <20071002204014.11052.31242.stgit@nessa.odu> (raw)
In-Reply-To: <20071002203942.11052.7303.stgit@nessa.odu>
ip_route_output() contains a check to make sure that no flows with
non-local source IP addresses are routed. This obviously makes using
such addresses impossible.
This patch introduces a flowi flag which makes omitting this check
possible. The new flag provides a way of handling transparent and
non-transparent connections differently.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Acked-by: Patrick McHardy <kaber@trash.net>
---
include/net/flow.h | 1 +
net/ipv4/route.c | 20 +++++++++++++-------
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/include/net/flow.h b/include/net/flow.h
index af59fa5..c734d50 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -49,6 +49,7 @@ struct flowi {
__u8 proto;
__u8 flags;
#define FLOWI_FLAG_MULTIPATHOLDROUTE 0x01
+#define FLOWI_FLAG_ANYSRC 0x02
union {
struct {
__be16 sport;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index c7ca94b..26e9659 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2172,11 +2172,6 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
ZERONET(oldflp->fl4_src))
goto out;
- /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
- dev_out = ip_dev_find(oldflp->fl4_src);
- if (dev_out == NULL)
- goto out;
-
/* I removed check for oif == dev_out->oif here.
It was wrong for two reasons:
1. ip_dev_find(saddr) can return wrong iface, if saddr is
@@ -2187,6 +2182,11 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
if (oldflp->oif == 0
&& (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) {
+ /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
+ dev_out = ip_dev_find(oldflp->fl4_src);
+ if (dev_out == NULL)
+ goto out;
+
/* Special hack: user can direct multicasts
and limited broadcast via necessary interface
without fiddling with IP_MULTICAST_IF or IP_PKTINFO.
@@ -2205,9 +2205,15 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
fl.oif = dev_out->ifindex;
goto make_route;
}
- if (dev_out)
+
+ if (!(oldflp->flags & FLOWI_FLAG_ANYSRC)) {
+ /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
+ dev_out = ip_dev_find(oldflp->fl4_src);
+ if (dev_out == NULL)
+ goto out;
dev_put(dev_out);
- dev_out = NULL;
+ dev_out = NULL;
+ }
}
next prev parent reply other threads:[~2007-10-02 20:40 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-02 20:39 [PATCH 00/13] Transparent Proxying Patches, Take 4 KOVACS Krisztian
2007-10-02 20:40 ` KOVACS Krisztian [this message]
2007-10-02 20:40 ` [PATCH 02/13] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2007-10-02 20:41 ` [PATCH 03/13] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2007-10-02 20:41 ` [PATCH 04/13] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2007-10-02 20:42 ` [PATCH 05/13] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2007-10-02 20:42 ` [PATCH 06/13] Port redirection support for TCP KOVACS Krisztian
2007-10-02 20:43 ` [PATCH 07/13] Export UDP socket lookup function KOVACS Krisztian
2007-10-02 20:43 ` [PATCH 08/13] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2007-10-08 8:30 ` Patrick McHardy
2007-10-17 19:11 ` Krzysztof Oledzki
2007-10-23 18:26 ` KOVACS Krisztian
2007-10-02 20:44 ` [PATCH 09/13] iptables tproxy core KOVACS Krisztian
2007-10-02 20:44 ` [PATCH 10/13] iptables socket match KOVACS Krisztian
2007-10-08 8:32 ` Patrick McHardy
2007-10-02 20:45 ` [PATCH 11/13] iptables TPROXY target KOVACS Krisztian
2007-10-08 8:34 ` Patrick McHardy
2007-10-02 20:45 ` [PATCH 12/13] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2007-10-02 20:46 ` [PATCH 13/13] " KOVACS Krisztian
-- strict thread matches above, loose matches on Subject: below --
2007-09-30 20:51 [PATCH 00/13] Transparent Proxying Patches, Take 3 KOVACS Krisztian
2007-09-30 20:51 ` [PATCH 01/13] Loosen source address check on IPv4 output KOVACS Krisztian
2007-09-30 22:12 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071002204014.11052.31242.stgit@nessa.odu \
--to=hidden@sch.bme.hu \
--cc=bazsi@balabit.hu \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=panther@balabit.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.