Re: Netfilter problem with new 2.4.22

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Diadon <diadon@isfera.ru>
Cc: netfilter-devel@lists.netfilter.org, netfilter@lists.netfilter.org
Subject: Re: Netfilter problem with new 2.4.22
Date: Thu, 18 Sep 2003 23:40:02 +0200	[thread overview]
Message-ID: <3F6A2632.6030005@trash.net> (raw)
In-Reply-To: <3F697788.8080103@isfera.ru>

[-- Attachment #1: Type: text/plain, Size: 968 bytes --]

Diadon wrote:

> > On 2.4.21 all works fine
> > In tcpdump on 2.4.21:
> > 14:41:41.752557 somehost.auth > somehost1.32825: R 0:0(0) ack 
> 217583467 win 0 (DF)
>
> > In tcpdump on 2.4.22:
> > nothing....... 


Hi Diadon,
the problem seems to be that a dst for local input doesn't carry pmtu 
information, the pmtu
is set by rt_set_nexthop which is skipped for local input. The packet is 
dropped by send_reset
because of this check:

        /* "Never happens" */
        if (nskb->len > nskb->dst->pmtu)
                goto free_nskb;

;)

I've attached two possible fixes for this. The first one restores 
behaviour from before the
routing changes for LOCAL_OUT, the other one removes the check since 
obviously
"Never happens" is not true anymore (and it is not an error). Another 
possibility would
be something like "if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)  ..."
Someone from the coreteam should comment which solution is prefered.

Regards,
Patrick

[-- Attachment #2: x.diff --]
[-- Type: text/plain, Size: 1448 bytes --]

===== net/ipv4/netfilter/ipt_REJECT.c 1.13 vs edited =====
--- 1.13/net/ipv4/netfilter/ipt_REJECT.c	Fri Jul 25 23:15:41 2003
+++ edited/net/ipv4/netfilter/ipt_REJECT.c	Thu Sep 18 23:00:58 2003
@@ -34,16 +34,17 @@
 		attach(new_skb, nfct);
 }
 
-static inline struct rtable *route_reverse(struct sk_buff *skb, int local)
+static inline struct rtable *route_reverse(struct sk_buff *skb, int hook)
 {
 	struct iphdr *iph = skb->nh.iph;
 	struct dst_entry *odst;
 	struct rt_key key = {};
 	struct rtable *rt;
 
-	if (local) {
+	if (hook != NF_IP_FORWARD) {
 		key.dst = iph->saddr;
-		key.src = iph->daddr;
+		if (hook == NF_IP_LOCAL_IN)
+			key.src = iph->daddr;
 		key.tos = RT_TOS(iph->tos);
 
 		if (ip_route_output_key(&rt, &key) != 0)
@@ -75,7 +76,7 @@
 }
 
 /* Send RST reply */
-static void send_reset(struct sk_buff *oldskb, int local)
+static void send_reset(struct sk_buff *oldskb, int hook)
 {
 	struct sk_buff *nskb;
 	struct tcphdr *otcph, *tcph;
@@ -104,7 +105,7 @@
 			 csum_partial((char *)otcph, otcplen, 0)) != 0)
 		return;
 
-	if ((rt = route_reverse(oldskb, local)) == NULL)
+	if ((rt = route_reverse(oldskb, hook)) == NULL)
 		return;
 
 	hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
@@ -372,7 +373,7 @@
 		send_unreach(*pskb, ICMP_PKT_FILTERED);
 		break;
 	case IPT_TCP_RESET:
-		send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
+		send_reset(*pskb, hooknum);
 	case IPT_ICMP_ECHOREPLY:
 		/* Doesn't happen. */
 		break;

[-- Attachment #3: y.diff --]
[-- Type: text/plain, Size: 501 bytes --]

===== net/ipv4/netfilter/ipt_REJECT.c 1.13 vs edited =====
--- 1.13/net/ipv4/netfilter/ipt_REJECT.c	Fri Jul 25 23:15:41 2003
+++ edited/net/ipv4/netfilter/ipt_REJECT.c	Thu Sep 18 23:28:49 2003
@@ -186,10 +186,6 @@
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
 					   nskb->nh.iph->ihl);
 
-	/* "Never happens" */
-	if (nskb->len > nskb->dst->pmtu)
-		goto free_nskb;
-
 	connection_attach(nskb, oldskb->nfct);
 
 	NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,

next prev parent reply	other threads:[~2003-09-18 21:40 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-09-18  9:14 Netfilter problem with new 2.4.22 Diadon
2003-09-18 21:40 ` Patrick McHardy [this message]
2003-09-21 14:34   ` Harald Welte
2003-09-22  7:28 ` Diadon
2003-09-22  7:44 ` Diadon
  -- strict thread matches above, loose matches on Subject: below --
2003-09-16 12:11 Diadon
2003-09-16 10:22 Diadon
2003-09-16 13:47 ` Harald Welte

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3F6A2632.6030005@trash.net \
    --to=kaber@trash.net \
    --cc=diadon@isfera.ru \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.