From: Patrick McHardy <kaber@trash.net>
To: Christophe Saout <christophe@saout.de>
Cc: netfilter-devel@lists.netfilter.org,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: 2.6.16-rc1-mm3 XFRM+NAT issue
Date: Sun, 29 Jan 2006 23:59:24 +0100
Message-ID: <43DD48CC.9070709@trash.net>
In-Reply-To: <1138573848.28464.1.camel@leto.intern.saout.de>

Christophe Saout wrote:
> On Sunday, 29.01.2006, at 23:14 +0100, Patrick McHardy wrote:
> 
>>41 is IPPROTO_IPV6, you seem to be talking to the remote side using IPv6
>>over sit, which is why NAT on the TCP packet doesn't work.
> 
> Ok, I'm stupid, forget this, IPv6 is a completely different issue. It's
> really IPv4 that isn't working.
> 
> This time with -4 on the command line:
> 
> Jan 29 23:27:38 server IN=eth0 OUT= MAC=00:01:80:5c:0f:48:00:02:8a:ba:b8:58:08:00 SRC=192.168.80.90 DST=<inet host> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=38799 DF PROTO=TCP SPT=40255 DPT=25 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
> Jan 29 23:27:38 server IN=eth0 OUT=ppp0 SRC=192.168.80.90 DST=<inet host> LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=38799 DF PROTO=TCP SPT=40255 DPT=25 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=192.168.80.90 DST=<inet host> LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=38799 DF PROTO=TCP SPT=40255 DPT=25 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=<gateway pub ip> DST=<inet host> LEN=104 TOS=0x10 PREC=0x00 TTL=63 ID=38799 DF PROTO=ESP SPI=0x1249d895 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=<gateway pub ip> DST=<inet host> LEN=104 TOS=0x10 PREC=0x00 TTL=63 ID=38799 DF PROTO=ESP SPI=0x1249d895 
> Jan 29 23:27:38 server IN=ppp0 OUT= MAC= SRC=<inet host> DST=<gateway pub ip> LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ESP SPI=0xbdbf1ca7 
> Jan 29 23:27:38 server IN=ppp0 OUT= MAC= SRC=<inet host> DST=<gateway pub ip> LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ESP SPI=0xbdbf1ca7 
> Jan 29 23:27:38 server IN=ppp0 OUT= MAC=45:00:00:68:00:00:40:00:37:06:56:bd:d5:ef:c5:f1:54:38:fc:8d:bd:bf SRC=<inet host> DST=<gateway pub ip> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=25 DPT=40255 WINDOW=5792 RES=0x00 ECE ACK SYN URGP=0 
> Jan 29 23:27:38 server IN=ppp0 OUT= MAC=45:00:00:68:00:00:40:00:37:06:56:bd:d5:ef:c5:f1:54:38:fc:8d:bd:bf SRC=<inet host> DST=192.168.80.90 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=25 DPT=40255 WINDOW=5792 RES=0x00 ECE ACK SYN URGP=0 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=<gateway pub ip> DST=<inet host> LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=954 DF PROTO=TCP SPT=40255 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=<gateway pub ip> DST=<inet host> LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=954 DF PROTO=TCP SPT=40255 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=<gateway pub ip> DST=<inet host> LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=954 DF PROTO=ESP SPI=0x1249d895 
> Jan 29 23:27:38 server IN= OUT=ppp0 SRC=<gateway pub ip> DST=<inet host> LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=954 DF PROTO=ESP SPI=0x1249d895 

Found it, the packet doesn't have its dst_entry released after DNAT in
PRE_ROUTING because of an incorrect check and is delivered locally.
This patch should fix it.

diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index ad438fb..74633cd 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -209,8 +209,8 @@ ip_nat_in(unsigned int hooknum,
 	    && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
-		if (ct->tuplehash[dir].tuple.src.ip !=
-		    ct->tuplehash[!dir].tuple.dst.ip) {
+		if (ct->tuplehash[dir].tuple.dst.ip !=
+		    ct->tuplehash[!dir].tuple.src.ip) {
 			dst_release((*pskb)->dst);
 			(*pskb)->dst = NULL;
 		}
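Review bot: the two `+` lines fix the condition but leave it undocumented; a short comment above the `if` saying that `tuplehash[dir].tuple.dst.ip != tuplehash[!dir].tuple.src.ip` means the destination was rewritten by DNAT (so the cached dst_entry must be dropped and the packet re-routed), and that the old `src`/`dst` pairing only detected a rewritten source, i.e. SNAT, which the PRE_ROUTING hook never performs, would keep the indices from being swapped back by a later edit. The log in the quoted mail is the symptom: the reply SYN/ACK is DNAT'd back to 192.168.80.90 yet still delivered locally, so the gateway answers with a RST.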

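A user-space model of the conntrack tuple pair and of the two dst-release conditions from the hunk, added here as an illustration and not taken from the kernel or the thread; the `<gateway pub ip>` and `<inet host>` placeholders are filled with constructed addresses 203.0.113.1 and 198.51.100.25.

```c
/* Added example, not kernel code: models the conntrack tuplehash pair and
 * the dst-release condition before and after the patch. Addresses are
 * constructed stand-ins for the thread's <gateway pub ip> and <inet host>. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum ct_dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

struct ct_tuple { uint32_t src_ip, dst_ip; };
/* tuplehash[ORIGINAL] is the first packet as it entered (pre-NAT);
 * tuplehash[REPLY] is the reply as it arrives (post-NAT, inverted). */
struct conntrack { struct ct_tuple tuplehash[2]; };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* The hunk's '-' lines: this direction's src vs the other direction's dst.
 * These differ only when the source was rewritten (SNAT), so for a
 * DNAT'd packet in PRE_ROUTING the dst_entry is never released. */
static bool old_check(const struct conntrack *ct, enum ct_dir dir)
{
	return ct->tuplehash[dir].src_ip != ct->tuplehash[!dir].dst_ip;
}

/* The hunk's '+' lines: this direction's dst vs the other direction's src.
 * These differ exactly when the destination was rewritten (DNAT), which is
 * when the cached route must be dropped so the packet is re-routed. */
static bool new_check(const struct conntrack *ct, enum ct_dir dir)
{
	return ct->tuplehash[dir].dst_ip != ct->tuplehash[!dir].src_ip;
}

/* The connection from the log: 192.168.80.90 -> <inet host>:25, masqueraded
 * to the gateway's public address on ppp0. The SYN/ACK comes back addressed
 * to the gateway and is reverse-DNAT'd to 192.168.80.90 in PRE_ROUTING. */
static struct conntrack masq_conn(void)
{
	struct conntrack ct = {{
		{ IP4(192, 168, 80, 90), IP4(198, 51, 100, 25) }, /* ORIGINAL */
		{ IP4(198, 51, 100, 25), IP4(203, 0, 113, 1) },   /* REPLY    */
	}};
	return ct;
}

int main(void)
{
	struct conntrack ct = masq_conn();
	printf("reply packet: old check releases dst? %s, new check? %s\n",
	       old_check(&ct, DIR_REPLY) ? "yes" : "no",
	       new_check(&ct, DIR_REPLY) ? "yes" : "no");
	return 0;
}
```

For the reply direction the old condition is false (both sides are the remote host) while the new one is true, which is why the packet kept its local-delivery dst_entry before the patch.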