From: Patrick McHardy <kaber@trash.net>
To: Konstantin Ushakov <kostik@oktetlabs.ru>
Cc: coreteam@netfilter.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: [netfilter-core] Mangle table rules are not taken into account in preliminary routing decision
Date: Thu, 11 Oct 2007 09:21:35 +0200 [thread overview]
Message-ID: <470DCEFF.6030709@trash.net> (raw)
In-Reply-To: <470DC711.4020701@oktetlabs.ru>
Konstantin Ushakov wrote:
> Patrick McHardy wrote:
>>> Questions:
>>> - is it a bug or it's a deliberate decision to have such behaviour?
>>> - is there any known add-hock solution for the problem?
>>
>> Its a consequence of how routing by fwmark works. Its not perfect,
>> but I don't see a better solution since the initial routing takes
>> place before we even have a packet.
>>
>> Just add a route to the dummy device or something like that, that
>> should make sure you don't get ENETUNREACH.
>
> I'm afraid that dummy route does not solve the problem. I mean
> - we should not pass out the packets, so where should the route lead?
> To loopback?
As I said, to the dummy device.
> - another thing is that on 'send' (for, say, some external address,
> port 239)
> with dummy route we hang, but if in fact the packet can't be routed,
> we should get ENETUNREACH.
> [...]
> Idea that we had is the following:
>
> we mark all packets that have passed netfilter (mangle table) with a
> specific mark (see configuration below).
> We add 2 rules:
> - unreachable, for packets that have passed mange table but should not
> be routed
> - rule that lookup table #100 for all packets, in table #100 we have
> route like
> ip route add default via 127.0.0.2 table 100
>
> Local traffic that goes to tcp port 80 is routed correctly. Forwarded
> traffic is not routed,
> ENETUNREACH is received on the lan side. BUT for local traffic that
> should not be forwarded,
> we don't receive UNREACH, 'send' just hangs.
>
> Example:
>
> on host on LAN side of the router:
> bash$ nc 192.168.1.5 81
> (UNKNOWN) [192.168.1.5] 80 (www) : No route to host
>
> BUT if we issue that same command on the router itself, it handgs.
Ah, I see the problem. The route returns unreachable, which
iptable_mangle translates to NF_DROP. The problem is that
netfilter itself can't return ENETUNREACH and there is no
valid output function attached to the dst_entry that would
send an icmp unreachable. I think the only thing you could
do is manually call icmp_send(ICMP_DEST_UNREACH) in
ip_route_me_harder for this case.
next prev parent reply other threads:[~2007-10-11 7:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <470CA4DF.6000803@oktetlabs.ru>
2007-10-11 4:10 ` [netfilter-core] Mangle table rules are not taken into account in preliminary routing decision Patrick McHardy
2007-10-11 6:47 ` Konstantin Ushakov
2007-10-11 7:21 ` Patrick McHardy [this message]
2007-10-11 9:13 ` Pascal Hambourg
2007-10-15 14:11 ` Konstantin Ushakov
2007-10-15 15:01 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=470DCEFF.6030709@trash.net \
--to=kaber@trash.net \
--cc=coreteam@netfilter.org \
--cc=kostik@oktetlabs.ru \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.