From: Konstantin Ushakov <kostik@oktetlabs.ru>
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: [netfilter-core] Mangle table rules are not taken into account in preliminary routing decision
Date: Mon, 15 Oct 2007 18:11:41 +0400
Message-ID: <4713751D.6080309@oktetlabs.ru>
In-Reply-To: <470DE946.9090301@plouf.fr.eu.org>

Pascal Hambourg wrote:
> Hello,
>
> Patrick McHardy wrote:
>>
>> Ah, I see the problem. The route returns unreachable, which
>> iptable_mangle translates to NF_DROP. The problem is that
>> netfilter itself can't return ENETUNREACH and there is no
>> valid output function attached to the dst_entry that would
>> send an icmp unreachable. I think the only thing you could
>> do is manually call icmp_send(ICMP_DEST_UNREACH) in
>> ip_route_me_harder for this case.
>
> What about the REJECT target?

Correct me if I'm mistaken, but the REJECT target is only valid in the
filter table. But the packet does not reach the filter table because of
the reasons described by Patrick (as we DROP it after mangle). It is
clearly observed by me when I insert LOG into the filter table.