From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH] netfilter: TCP and raw fix for ip_route_me_harder
Date: Sun, 07 Aug 2011 22:53:52 -0700 (PDT)
Message-ID: <20110807.225352.1009726356333252181.davem@davemloft.net>
References:
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
To: ja@ssi.bg
Return-path:
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-Id: netfilter-devel.vger.kernel.org

From: Julian Anastasov
Date: Sun, 7 Aug 2011 22:11:00 +0300 (EEST)

>
> TCP in some cases uses different global (raw) socket
> to send RST and ACK. The transparent flag is not set there.
> Currently, it is a problem for rerouting after the previous
> change.
>
> Fix it by simplifying the checks in ip_route_me_harder
> and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe
> because the initial routing allowed this source address to
> be used and now we just have to make sure the packet is rerouted.
>
> As a side effect this also allows rerouting for normal
> raw sockets that use spoofed source addresses which was not possible
> even before we eliminated the ip_route_input call.
>
> Signed-off-by: Julian Anastasov

Applied.