Re: MASQUERADE: Route sent us somewhere else (was Re: Fw: Rusty's brain broke!)

From: kuznet
Date: Wed Jan 14 2004 - 12:19:03 EST


Hello!

> This means that ip_route_output_key() returns a route with a different
> outgoing interface than the skb->dst->dev of our to-be-masqueraded
> packet.
>
> Why was it wrong to specify skb->dst->dev->ifindex of the previous
> 'real' routing decision as key to our current routing decision?

Because in the situation when ip_route_output_key() with oif=0 returns a result
different from the previous ip_route_output_key(), you get an undefined result.

I expected that you do ip_route_output_key() on the _rewritten_ address;
in this case you have to _drop_ the packet if routing contradicts the firewalling
rules, or send the packet via the interface which routing requires.
You cannot just blindly send the packet to some random interface when
the firewalling rules are illegal.

> As an example case where I would suspect problems: The packet could be
> coming from a local socket, and the socket be bound to a specific
> interface (sk->bound_dev_if).

This is the right observation. For example, you could use skb->sk ? skb->sk->bound_dev_if : 0.

Alexey
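A userspace C model of the check discussed in the message above, added here as an example and not code from the kernel or from anyone in the thread. `struct route`, `route_lookup()`, `masq_check()` and the routing table are hypothetical and constructed; the model takes the "drop" option and shows how pinning oif to the earlier decision hides the disagreement that an oif=0 lookup on the rewritten address exposes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: hypothetical types and functions, not kernel APIs. */
struct route { uint32_t src, src_mask, dst, dst_mask; int ifindex; };

/* Constructed table, first match wins (source-based policy routing). */
static const struct route table[] = {
    { 0xC0000200u, 0xFFFFFF00u, 0, 0, 3 }, /* from 192.0.2.0/24: default via if 3 */
    { 0, 0, 0, 0, 2 },                     /* everything else: default via if 2 */
};

/* oif == 0 means "any interface"; a non-zero oif only admits routes through
 * that interface. Returns the chosen ifindex, or -1 if there is no route. */
static int route_lookup(uint32_t saddr, uint32_t daddr, int oif)
{
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        const struct route *r = &table[i];
        if ((saddr & r->src_mask) != r->src) continue;
        if ((daddr & r->dst_mask) != r->dst) continue;
        if (oif && r->ifindex != oif) continue;
        return r->ifindex;
    }
    return -1;
}

enum verdict { MASQ_ACCEPT, MASQ_DROP };

/* out_if: interface of the packet's existing route (skb->dst->dev).
 * bound_if: sk->bound_dev_if for a local socket, 0 otherwise.
 * Route on the rewritten source and drop when routing disagrees. */
static enum verdict masq_check(uint32_t new_saddr, uint32_t daddr,
                               int out_if, int bound_if)
{
    return route_lookup(new_saddr, daddr, bound_if) == out_if
           ? MASQ_ACCEPT : MASQ_DROP;
}

int main(void)
{
    uint32_t masq = 0xC0000201u, dst = 0xCB007109u; /* constructed addresses */
    printf("oif=0 lookup -> if %d\n", route_lookup(masq, dst, 0));
    printf("oif=2 lookup -> if %d (mismatch hidden)\n", route_lookup(masq, dst, 2));
    printf("verdict: %s\n", masq_check(masq, dst, 2, 0) == MASQ_DROP ? "drop" : "accept");
    return 0;
}
```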