[PATCH 2.4] fix ipt_REJECT when used in OUTPUT
From: Harald Welte
Date: Sun Sep 21 2003 - 14:53:06 EST
Hi Dave!
Some people use REJECT in the OUTPUT chain (rejecting locally generated
packets). This didn't work anymore starting with some fixes we did in 2.4.22.
A dst_entry for a local source doesn't contain pmtu information - and
thus the newly-created packet would instantly be dropped again.
I'll send you a 2.6.x merge for this later.
Please apply the following fix, thanks
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c 2003-08-25 13:44:44.000000000 +0200
+++ linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c 2003-09-21 16:39:25.000000000 +0200
@@ -186,8 +186,8 @@
nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
nskb->nh.iph->ihl);
- /* "Never happens" */
- if (nskb->len > nskb->dst->pmtu)
+ /* dst->pmtu can be zero because it is not set for local dst's */
+ if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)
goto free_nskb;
connection_attach(nskb, oldskb->nfct);
Attachment:
pgp00001.pgp
Description: PGP signature