* MASQUERADE + DHCP problem
From: Patrick McHardy @ 2005-09-11 15:07 UTC
To: Netfilter Development Mailinglist; +Cc: Harald Welte, Rusty Russell
Hi,
in 2.6.13 I removed this part from MASQUERADE to get more consistency
in source address selection:
- /* FIXME: For the moment, don't do local packets, breaks
- testsuite for 2.3.49 --RR */
- if ((*pskb)->sk)
- return NF_ACCEPT;
-
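Review bot: with nothing replacing the removed `(*pskb)->sk` early accept, a locally generated packet sent while the output interface has no address yet falls through to source address selection, which finds nothing and fails; the pump DHCP request described below is exactly that path. If the socket check is to stay out, the target needs a narrower exemption for packets that cannot meaningfully be masqueraded (a source of 0.0.0.0, for instance) rather than failing on every socket-originated packet from an unconfigured interface.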
Unfortunately this broke pump, it uses a regular UDP socket for
DHCP requests while no IP address is configured and fails in
MASQUERADE because no IP can be found. I'm not much in favour
of putting the check back in, so I want to discuss other
possibilities to keep pump working.
So far what's come to my mind is:
1) Tell users not to masquerade DHCP queries - makes most sense
in my opinion, but breaks existing setups
2) Add a special hack to masquerade to handle DHCP while no
local address exists by looking at the port and src/dst
address. Incredibly ugly and wrong :)
3) Combination of the above - add the hack and print a warning
to tell users to fix their ruleset, remove the hack after
6 months
None of them is perfect, any other suggestions are welcome.
* Re: MASQUERADE + DHCP problem
From: Rusty Russell @ 2005-09-11 23:34 UTC
To: Patrick McHardy; +Cc: Harald Welte, Netfilter Development Mailinglist
On Sun, 2005-09-11 at 17:07 +0200, Patrick McHardy wrote:
> 2) Add a special hack to masquerade to handle DHCP while no
> local address exists by looking at the port and src/dst
> address. Incredibly ugly and wrong :)
If IP src is 0.0.0.0, let it through untouched. Those packets are
presumably not supposed to be masqueraded, so it's the Right Thing
AFAICT.
Will that fix DHCP?
Rusty.
--
A bad analogy is like a leaky screwdriver -- Richard Braakman
* Re: MASQUERADE + DHCP problem
From: Patrick McHardy @ 2005-09-11 23:57 UTC
To: Rusty Russell; +Cc: Harald Welte, Netfilter Development Mailinglist
Rusty Russell wrote:
> On Sun, 2005-09-11 at 17:07 +0200, Patrick McHardy wrote:
>
>>2) Add a special hack to masquerade to handle DHCP while no
>> local address exists by looking at the port and src/dst
>> address. Incredibly ugly and wrong :)
>
>
> If IP src is 0.0.0.0, let it through untouched. Those packets are
> presumably not supposed to be masqueraded, so it's the Right Thing
> AFAICT.
>
> Will that fix DHCP?
Absolutely. Since these packets never get routed, the only possibility
when they can occur is when a local raw socket with IP_HDRINCL chooses
a source address of 0. In that case it definitely seems right to leave
the packet alone.
Thanks!
Patrick
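The decision the thread converges on, as an added user-space model written for this page (it is neither the kernel's MASQUERADE target nor pump's code): the three behaviours under discussion side by side, namely the removed `(*pskb)->sk` check, 2.6.13 with no exemption at all, and Rusty's proposal to pass a 0.0.0.0 source untouched. The `struct pkt` and `struct out_dev` stand-ins, the single-address device, the `masquerade`, `verdict_for` and `source_after` helpers, and the documentation-range addresses are all constructed for the example; modelling the "no IP can be found" failure as NF_DROP is an assumption of this example, not something the thread states.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the netfilter verdicts; the values are arbitrary here. */
enum { NF_DROP = 0, NF_ACCEPT = 1 };

/* Host-order IPv4 address from dotted components. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* The three behaviours discussed in the thread. */
enum policy {
    SKIP_LOCAL_SOCKETS, /* pre-2.6.13: the removed (*pskb)->sk check */
    NO_EXEMPTION,       /* 2.6.13 as shipped: every packet gets a new source */
    SKIP_ZERO_SOURCE    /* Rusty's proposal: leave a 0.0.0.0 source alone */
};

/* Constructed packet: only the fields the decision looks at. */
struct pkt {
    uint32_t saddr;     /* host order; 0 means 0.0.0.0 */
    uint32_t daddr;
    int from_socket;    /* locally generated, i.e. skb->sk != NULL */
};

/* Constructed output device: one address, 0 while none is configured
 * (the state pump is in while it sends its DHCP request). */
struct out_dev {
    const char *name;
    uint32_t addr;
};

/* Model of the MASQUERADE decision: returns the verdict and rewrites
 * p->saddr when the packet is masqueraded. */
static int masquerade(struct pkt *p, const struct out_dev *out, enum policy pol)
{
    if (pol == SKIP_LOCAL_SOCKETS && p->from_socket)
        return NF_ACCEPT;               /* local packets are never touched */

    if (pol == SKIP_ZERO_SOURCE && p->saddr == 0)
        return NF_ACCEPT;               /* nothing sensible to masquerade to */

    /* Stand-in for picking a source address on the output device. */
    uint32_t newsrc = out->addr;
    if (newsrc == 0) {
        /* "no IP can be found": the failure pump hit. Modelled as a drop
         * (an assumption of this example). */
        fprintf(stderr, "MASQUERADE: no address on %s\n", out->name);
        return NF_DROP;
    }

    p->saddr = newsrc;
    return NF_ACCEPT;
}

/* Run one scenario and expose the verdict. Destination is a fixed
 * constructed address; it does not affect the decision. */
static int verdict_for(enum policy pol, uint32_t saddr, int from_socket, uint32_t dev_addr)
{
    struct pkt p = { saddr, IP4(203, 0, 113, 5), from_socket };
    struct out_dev dev = { "eth0", dev_addr };
    return masquerade(&p, &dev, pol);
}

/* Run one scenario and expose the source address the packet leaves with. */
static uint32_t source_after(enum policy pol, uint32_t saddr, int from_socket, uint32_t dev_addr)
{
    struct pkt p = { saddr, IP4(203, 0, 113, 5), from_socket };
    struct out_dev dev = { "eth0", dev_addr };
    masquerade(&p, &dev, pol);
    return p.saddr;
}

int main(void)
{
    static const char *names[] = { "skip local sockets", "no exemption", "skip 0.0.0.0 source" };
    for (int pol = SKIP_LOCAL_SOCKETS; pol <= SKIP_ZERO_SOURCE; pol++) {
        /* pump's DHCP request: UDP socket, source 0.0.0.0, eth0 unconfigured */
        int v = verdict_for((enum policy)pol, 0, 1, 0);
        /* a forwarded LAN packet with eth0 configured: always rewritten */
        uint32_t s = source_after((enum policy)pol, IP4(192, 168, 1, 10), 0, IP4(198, 51, 100, 7));
        printf("%-20s dhcp=%s forwarded-src=%u.%u.%u.%u\n", names[pol],
               v == NF_ACCEPT ? "ACCEPT" : "DROP",
               s >> 24, (s >> 16) & 255, (s >> 8) & 255, s & 255);
    }
    return 0;
}
```

The 0.0.0.0 exemption gives the same result as the "don't masquerade DHCP queries" rule from option 1, without asking users to add it by hand, while a locally generated packet that does carry a source address is still rewritten, which is the consistency the original removal was after.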
* Re: MASQUERADE + DHCP problem
From: David S. Miller @ 2005-09-12 3:07 UTC
To: kaber; +Cc: laforge, rusty, netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 12 Sep 2005 01:57:22 +0200
> Rusty Russell wrote:
> > If IP src is 0.0.0.0, let it through untouched. Those packets are
> > presumably not supposed to be masqueraded, so it's the Right Thing
> > AFAICT.
> >
> > Will that fix DHCP?
>
> Absolutely. Since these packets never get routed, the only possibility
> when they can occur is when a local raw socket with IP_HDRINCL chooses
> a source address of 0. In that case it definitely seems right to leave
> the packet alone.
That's a really great idea Rusty.
Patrick, I think this needs to go into -stable as well,
once you have a patch ready, right?