Re: Re-routing packets via netfilter (ip_rt_bug)

From: Herbert Xu
Date: Mon Apr 25 2005 - 05:54:29 EST

Patrick McHardy <kaber@xxxxxxxxx> wrote:
> --- 70652aa8f30bea3ea83594cc4a47a11f7a8db89d/net/core/netfilter.c (mode:100644 sha1:e51cfa46950cf8f1f4dea42be94e71d76d8c3c5b)
> +++ a469360c577fdf6919b9a771521eca120103db45/net/core/netfilter.c (mode:100644 sha1:85936a0b23d9ea42e2cd9d45e8254c2f780eb786)
> @@ -611,7 +611,8 @@
> /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
> * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
> */
> - if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
> + if (inet_addr_type(iph->saddr) == RTN_LOCAL ||
> + inet_addr_type(iph->daddr) == RTN_LOCAL) {
> fl.nl_u.ip4_u.daddr = iph->daddr;
> fl.nl_u.ip4_u.saddr = iph->saddr;
> fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);

You'll still BUG if the destination is multicast/broadcast. I'm also
unsure whether ipt_REJECT isn't susceptible to the same problem.
Luckily ipt_MIRROR is no more :)

What are the issues with getting rid of the ip_route_input path

The only thing we gain over calling ip_route_output is the ability
to set the input device. But even that is just a fake derived from
the source address in a deterministic way. Therefore any effects
achievable through using ip_route_input can also be done by simply
reconfiguring the policy routing table to look at the local source
addresses instead of (or in conjunction with) the input device.

Visit Openswan at
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at