MASQUERADE: Route sent us somewhere else (was Re: Fw: Rusty's brain broke!)
From: Harald Welte
Date: Sun Jan 11 2004 - 08:05:42 EST
On Fri, Jul 25, 2003 at 09:56:57PM +0400, kuznet@xxxxxxxxxxxxx wrote:
> Hello!
Hi Alexey, I have to follow up on this old thread.
> > Hmm, what's your routing setup? And what kernel? It's possible with
> > weird setups, like source routing.
>
> Unlikely, source address is unspecified here. Most likely, it is fwmark.
>
> Unrelated: giving out->ifindex is a bug, by the way. It can screw up
> the things a lot. In this context, if you want to be sure that packet
> will go out expected interface you do plain lookup and drop packet
> if it gave you some strange route.
Your proposed change (key.oif = 0 instead of out->ifindex) went into
2.4.23, and we've received a number of bug reports like
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=144
http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0465.html
http://www.ussg.iu.edu/hypermail/linux/kernel/0312.0/0408.html
This means that ip_route_output_key() returns a route with a different
outgoing interface than the skb->dst->dev of our to-be-masqueraded
packet.
Why was it wrong to specify skb->dst->dev->ifindex of the previous
'real' routing decision as key to our current routing decision?
As an example case where I would suspect problems: The packet could be
coming from a local socket, and the socket be bound to a specific
interface (sk->bound_dev_if).
Please comment, thanks.
> Alexey
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
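Added example, not part of the original message or of the netfilter or kernel code it discusses: a constructed userspace C model of the two lookup strategies under debate. `route_output_key()` is a toy longest-prefix lookup over a small fwmark-aware table (the table, the function names and the `masq_check()` helper are all assumptions made for this illustration). With `key_oif` set to the outgoing device's index, the lookup is restricted to routes via that device, which is what passing `out->ifindex` did before 2.4.23; with `key_oif = 0` it is the "plain lookup" Alexey describes, and `masq_check()` then drops the packet when the returned route leaves via a different device than the one the packet is already on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the routing decision discussed in the thread.
 * Nothing here is kernel code; it only mirrors the shape of the check. */

#define IFINDEX_NONE 0   /* key.oif = 0: do not constrain the output device */

struct route {
    uint32_t dst;      /* network address, host byte order */
    int      prefix;   /* prefix length in bits */
    uint32_t mark;     /* fwmark this entry requires, 0 = any mark */
    int      ifindex;  /* output interface of the route */
};

/* Constructed table: a policy route for marked traffic via interface 2
 * and a default route via interface 1. */
static const struct route table[] = {
    { 0x0A000000u, 8, 1u, 2 },   /* 10.0.0.0/8, fwmark 1 -> ifindex 2 */
    { 0x00000000u, 0, 0u, 1 },   /* 0.0.0.0/0 (default)  -> ifindex 1 */
};

static uint32_t prefix_mask(int prefix) {
    return prefix == 0 ? 0u : ~0u << (32 - prefix);
}

/* Toy stand-in for ip_route_output_key(): longest matching prefix among
 * entries whose fwmark fits. If key_oif != IFINDEX_NONE, only routes via
 * that interface are eligible, so a "different" route may be chosen just
 * because it happens to leave via the requested device. */
static const struct route *route_output_key(uint32_t dst, uint32_t mark, int key_oif) {
    const struct route *best = NULL;
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct route *r = &table[i];
        if ((dst & prefix_mask(r->prefix)) != r->dst) continue;
        if (r->mark != 0 && r->mark != mark) continue;
        if (key_oif != IFINDEX_NONE && r->ifindex != key_oif) continue;
        if (best == NULL || r->prefix > best->prefix) best = r;
    }
    return best;
}

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

/* The check recommended in the thread: plain lookup (oif = 0), then drop
 * the packet if the route does not leave via the device the earlier
 * routing decision already put it on (skb->dst->dev in the kernel). */
static enum verdict masq_check(uint32_t dst, uint32_t mark, int out_ifindex, int *chosen_ifindex) {
    const struct route *rt = route_output_key(dst, mark, IFINDEX_NONE);
    if (rt == NULL) return VERDICT_DROP;
    if (chosen_ifindex) *chosen_ifindex = rt->ifindex;
    return rt->ifindex == out_ifindex ? VERDICT_ACCEPT : VERDICT_DROP;
}

int main(void) {
    /* Constructed packet: 10.1.2.3 with fwmark 1, already routed via ifindex 1. */
    const uint32_t dst = 0x0A010203u;
    int chosen = 0;
    const struct route *forced = route_output_key(dst, 1u, 1);
    enum verdict v = masq_check(dst, 1u, 1, &chosen);
    printf("forced oif=1 lookup picks ifindex %d\n", forced ? forced->ifindex : -1);
    printf("plain lookup picks ifindex %d, verdict %s\n",
           chosen, v == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

Run as is, the forced lookup silently returns the default route via interface 1 for the marked packet, while the plain lookup picks the fwmark route via interface 2 and the mismatch check drops the packet instead of masquerading it on the wrong device.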