From: Zoran Davidovac <zoran.davidovac@transacty.co.yu>
To: Wilmer van der Gaast <lintux@lintux.cx>
Cc: linux-kernel@vger.kernel.org
Subject: Re: 2.4.23 masquerading broken? key.oif = 0; perhaps in bad position ?
Date: Wed, 03 Dec 2003 11:30:10 +0100
Message-ID: <3FCDBB32.5040300@transacty.co.yu>
In-Reply-To: <20031202165653.GJ615@gaast.net>
[-- Attachment #1: Type: text/plain, Size: 2225 bytes --]
Wilmer van der Gaast wrote:
> For security reasons, I upgraded to 2.4.23 last night. Now, suddenly, IP
> masquerading seems to be broken. When I use SNAT instead of
> masquerading, everything works.
>
> Unfortunately, I think it's hard to reproduce the problem. Right after
> booting .23 for the first time, everything seemed to be okay. The
> problems started just an hour ago, after having the server running for
> fifteen hours without any problems.
>
> Unfortunately there's not much more information I can provide. I can
> attach my iptables/rule/route file and keep my machine running in case
> anyone needs/wants more information. For now I'll just stick with SNAT.
> It works good enough for me.
>
> Just FYI, and maybe someone else will have a similar problem.
>
> Wilmer v/d Gaast. (not on the list)
I remember a problem with masquerade on 2.4.22, and the attached diff was
included in Slackware 9.1
==========================================================================
# This patch is needed in 2.4.22 or else NAT (masquerade) will not work.
# It fixes the "Rusty's broken brain" error/failure.
===== net/ipv4/netfilter/ipt_MASQUERADE.c 1.6 vs edited =====
--- 1.6/net/ipv4/netfilter/ipt_MASQUERADE.c Tue Aug 12 11:30:12 2003
+++ edited/net/ipv4/netfilter/ipt_MASQUERADE.c Thu Aug 28 16:54:15 2003
@@ -90,6 +90,7 @@
#ifdef CONFIG_IP_ROUTE_FWMARK
key.fwmark = (*pskb)->nfmark;
#endif
+ key.oif = 0;
if (ip_route_output_key(&rt, &key) != 0) {
/* Funky routing can do this. */
if (net_ratelimit())
==========================================================================
Interesting is that 2.4.23 is patched BUT
==========================================================================
key.tos = RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN;
key.oif = 0;
#ifdef CONFIG_IP_ROUTE_FWMARK
key.fwmark = (*pskb)->nfmark;
#endif
if (ip_route_output_key(&rt, &key) != 0) {
/* Funky routing can do this. */
==========================================================================
So the problem is there perhaps; anyway, edit the file or patch it with the attached patch
ipt_MASQ.diff
--
Zoran Davidovac
[-- Attachment #2: 2.4.22.nat.diff --]
[-- Type: text/plain, Size: 567 bytes --]
# This patch is needed in 2.4.22 or else NAT (masquerade) will not work.
# It fixes the "Rusty's broken brain" error/failure.
===== net/ipv4/netfilter/ipt_MASQUERADE.c 1.6 vs edited =====
--- 1.6/net/ipv4/netfilter/ipt_MASQUERADE.c Tue Aug 12 11:30:12 2003
+++ edited/net/ipv4/netfilter/ipt_MASQUERADE.c Thu Aug 28 16:54:15 2003
@@ -90,6 +90,7 @@
#ifdef CONFIG_IP_ROUTE_FWMARK
key.fwmark = (*pskb)->nfmark;
#endif
+ key.oif = 0;
if (ip_route_output_key(&rt, &key) != 0) {
/* Funky routing can do this. */
if (net_ratelimit())
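Review bot: the two comment lines at the top of this patch do not say what was actually wrong, and the added `key.oif = 0;` just before ip_route_output_key(&rt, &key) suggests that key was reaching the lookup with a field nobody had set. If key is a local that is filled in field by field (its declaration is outside this hunk), it would be more robust to zero the whole structure once where it is declared, so that a member added to the key later cannot reintroduce the same failure. The description should also state the defect directly, for example that oif was left unset if that is the case, instead of referring to "Rusty's broken brain".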
[-- Attachment #3: ipt_MASQUERADE.c-2.4.23.diff --]
[-- Type: text/plain, Size: 530 bytes --]
--- ipt_MASQUERADE.c.2.4.23 2003-12-03 11:26:45.000000000 +0100
+++ ipt_MASQUERADE.c 2003-12-03 11:27:22.000000000 +0100
@@ -87,10 +87,10 @@
key.dst = (*pskb)->nh.iph->daddr;
key.src = 0; /* Unknown: that's what we're trying to establish */
key.tos = RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN;
- key.oif = 0;
#ifdef CONFIG_IP_ROUTE_FWMARK
key.fwmark = (*pskb)->nfmark;
#endif
+ key.oif = 0;
if (ip_route_output_key(&rt, &key) != 0) {
/* Funky routing can do this. */
if (net_ratelimit())
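Review bot: moving `key.oif = 0;` from above the #ifdef CONFIG_IP_ROUTE_FWMARK block to below it cannot change behaviour, because the only statement in between writes key.fwmark and both positions run before ip_route_output_key(&rt, &key). The route lookup sees the same key either way, so this reordering should be dropped and the cause of the 2.4.23 masquerading failure looked for elsewhere. If the move is meant to address something not visible in these lines, the patch needs a description saying what.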