[PATCH] [BRIDGE-NETFILTER] make IP DNAT work on bridged vlan/pppoe packets

[PATCH] [BRIDGE-NETFILTER] make IP DNAT work on bridged vlan/pppoe packets

[Bart De Schuymer]

[-- Attachment #1: Type: text/plain, Size: 657 bytes --]

Hi,

The attached patch makes IP DNAT work on bridged IP packets encapsulated 
in a VLAN/PPoE packet. I only tested that it works for VLAN, but the 
PPoE case should be fixed too.
This bug was introduced by commit 
2948d2ebbb98747b912ac6d0c864b4d02be8a6f5 on January 12, 2008.
The patch also makes IP DNATing more transparent on a bridge: for 
bridged-and-dnated traffic, the source MAC address is no longer changed 
to the MAC address of the bridge port. If one wants, ebtables snat can 
be used to change the source MAC address in the POSTROUTING chain.

Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>

-- 
Bart De Schuymer
www.artinalgorithms.be


[-- Attachment #2: vlan_nat_filtering.diff --]
[-- Type: text/plain, Size: 925 bytes --]

--- linux-2.6.31-uml/net/bridge/br_netfilter.c.ori	2009-10-03 17:17:37.000000000 +0200
+++ linux-2.6.31-uml/net/bridge/br_netfilter.c	2009-10-04 17:28:40.000000000 +0200
@@ -324,7 +324,10 @@ static int br_nf_pre_routing_finish_brid
 	if (skb->dev) {
 		struct dst_entry *dst = skb_dst(skb);
 
-		nf_bridge_pull_encap_header(skb);
+		/* the neigh functions below overwrite the MAC header, so we
+		 * save the Ethernet source address and protocol number */
+		skb_copy_from_linear_data_offset(skb, -8,
+						 skb->nf_bridge->data, 8);
 
 		if (dst->hh)
 			return neigh_hh_output(dst->hh, skb);
@@ -784,7 +787,7 @@ static unsigned int br_nf_local_out(unsi
 		skb->pkt_type = PACKET_OTHERHOST;
 		nf_bridge->mask ^= BRNF_PKT_TYPE;
 	}
-	nf_bridge_push_encap_header(skb);
+	skb_copy_to_linear_data_offset(skb, -8, skb->nf_bridge->data, 8);
 
 	NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
 		br_forward_finish);

Re: [PATCH] [BRIDGE-NETFILTER] make IP DNAT work on bridged vlan/pppoe packets

[Patrick McHardy]

Bart De Schuymer wrote:
> Hi,
> 
> The attached patch makes IP DNAT work on bridged IP packets encapsulated
> in a VLAN/PPoE packet. I only tested that it works for VLAN, but the
> PPoE case should be fixed too.
> This bug was introduced by commit
> 2948d2ebbb98747b912ac6d0c864b4d02be8a6f5 on January 12, 2008.
> The patch also makes IP DNATing more transparent on a bridge: for
> bridged-and-dnated traffic, the source MAC address is no longer changed
> to the MAC address of the bridge port. If one wants, ebtables snat can
> be used to change the source MAC address in the POSTROUTING chain.

Applied, thanks Bart.

Re: [PATCH] [BRIDGE-NETFILTER] make IP DNAT work on bridged vlan/pppoe packets

[Bart De Schuymer]

Patrick McHardy wrote:
> Bart De Schuymer wrote:
>> Hi,
>>
>> The attached patch makes IP DNAT work on bridged IP packets encapsulated
>> in a VLAN/PPoE packet. I only tested that it works for VLAN, but the
>> PPoE case should be fixed too.
>> This bug was introduced by commit
>> 2948d2ebbb98747b912ac6d0c864b4d02be8a6f5 on January 12, 2008.
>> The patch also makes IP DNATing more transparent on a bridge: for
>> bridged-and-dnated traffic, the source MAC address is no longer changed
>> to the MAC address of the bridge port. If one wants, ebtables snat can
>> be used to change the source MAC address in the POSTROUTING chain.
> 
> Applied, thanks Bart.

Hello Patrick,

I just noticed the above mentioned patch isn't yet in the standard
kernel. It was sent on October 24, 2009. Was there a problem with the patch?


cheers,
Bart


-- 
Bart De Schuymer
www.artinalgorithms.be