
Subject: Re: Problem with Masquerading + cipe + iptables
From: Jay Berkenbilt <ejb,AT,ql,DOT,org>
Date: Sun, 10 Feb 2002 06:45:44 +0100
In-reply-to: <004e01c1b1c6$73ebf8d0$012fa8c0@shake24>

This is a known bug.  A patch has previously been posted.  Here is a
patch from a message dated October 30, 2001.  You can probably find
this in the archives.

--
Jay Berkenbilt <ejb,AT,ql,DOT,org>
http://www.ql.org/q/

---------------------------------------------------------------------------

diff -ur cipe-1.5.2/cipe/output.c cipe-1.5.2-netfilter/cipe/output.c
--- cipe-1.5.2/cipe/output.c    Wed May  2 07:23:42 2001
+++ cipe-1.5.2-netfilter/cipe/output.c  Mon Oct 29 16:04:30 2001
@@ -20,6 +20,11 @@
 #include <linux/if_arp.h>
 #include <linux/socket.h>
 #include <linux/version.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)
+#include <linux/netfilter_ipv4.h>
+#else
+#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#endif
 
 #ifdef DEBUG
 
@@ -83,6 +88,13 @@
 }
 #endif
 
+/* Need this wrapper because NF_HOOK takes the function address, and
+   ip_send was declared "extern inline" in the vague past. --RR */
+static inline int do_ip_send(struct sk_buff *skb)
+{
+       return ip_send(skb);
+}
+
 int cipe_xmit(struct sk_buff *skb, struct NET_DEVICE *dev)
 {
         struct cipe *tunnel = (struct cipe*)(dev->priv);
@@ -149,6 +161,16 @@
                goto tx_error_out;
 #endif
 
+       /* Tell the netfilter framework that this packet is not the
+           same as the one before! */
+#ifdef CONFIG_NETFILTER
+       nf_conntrack_put(skb->nfct);
+       skb->nfct = NULL;
+#ifdef CONFIG_NETFILTER_DEBUG
+       skb->nf_debug = 0;
+#endif
+#endif
+
 #if 0
         dprintk(DEB_OUT, (KERN_DEBUG "routing dst=%s src=%s tos=%x oif=%d\n",
                           cipe_ntoa(0, dst), cipe_ntoa(1, tunnel->myaddr),
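Review bot: The comment added at the top of this hunk only says the packet is "not the same as the one before"; it should state what is released and why, because nf_conntrack_put() drops the connection-tracking reference the inner packet acquired on its way through the stack and the NULL assignment lets the encapsulated datagram be tracked afresh when it is later passed to NF_HOOK. Suggested wording: `/* Release the inner packet's conntrack entry: after encapsulation this skb is a new UDP datagram originating from this host and is presumably meant to be tracked (and masqueraded) as such, not as a continuation of the inner flow. */`. This relies on nf_conntrack_put() tolerating a NULL skb->nfct, which is not visible here and should be confirmed for the kernel versions the module targets. cipe_xmit's body begins and ends outside the hunk.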
@@ -322,7 +344,10 @@
         if (cipe_debug&DEB_PKOU)
             cipe_dump_packet("sending", skb, 0);
 #endif
-       ip_send(skb);
+
+       /* Send "new" packet from local host */
+       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+               do_ip_send);
         tunnel->recursion--;
        return 0;
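Review bot: The result of NF_HOOK() on the line that replaces ip_send() is discarded, so when a rule in the LOCAL_OUT chain drops the encapsulated packet the function still returns 0 and the caller sees a successful transmit; the old ip_send() call had the same shape, but the hook can now reject packets by policy, so a filtered packet becomes invisible to the driver. If the driver keeps per-device dropped counters (not visible in this hunk), consider capturing the return, e.g. `int err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, do_ip_send);` and incrementing the dropped counter when err is negative, without touching skb afterwards since the netfilter core frees it when it drops it. Under the pre-2.4 fallback macro the value is simply do_ip_send's return. cipe_xmit's body begins and ends outside the hunk.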
 




