Hi,

On Sat, Jan 12, 2008 at 11:47:44 +0800, Ming-Ching Tiew wrote:
2) IP FREEBIND packets spoofed with a foreign source address will not leave the system when there is a FWMARK in the mangle table OUTPUT chain. This patch is created by me based on the information given by Kovacs; code quality is highly questionable as I barely understood what it is all about, but it seems to work.
--- linux-2.6.22-org/net/ipv4/netfilter.c 2007-12-13 20:55:45.000000000 +0800 +++ linux-2.6.22-new/net/ipv4/netfilter.c 2007-12-13 20:55:03.000000000 +0800 @@ -24,7 +24,7 @@ /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook. */ - if (addr_type == RTN_LOCAL) { +// if (addr_type == RTN_LOCAL) { fl.nl_u.ip4_u.daddr = iph->daddr; if (type == RTN_LOCAL) fl.nl_u.ip4_u.saddr = iph->saddr; @@ -37,10 +37,10 @@ /* Drop old route. */ dst_release((*pskb)->dst); (*pskb)->dst = &rt->u.dst; - } else { +// } else { /* non-local src, find valid iif to satisfy * rp-filter when calling ip_route_input. */ - fl.nl_u.ip4_u.daddr = iph->saddr; +/* fl.nl_u.ip4_u.daddr = iph->saddr; if (ip_route_output_key(&rt, &fl) != 0) return -1;
@@ -53,7 +53,7 @@ dst_release(&rt->u.dst); dst_release(odst); } - +*/ if ((*pskb)->dst->error) return -1;
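Review bot: commenting out `if (addr_type == RTN_LOCAL) {` in the first hunk makes the output-route lookup unconditional, while the unchanged line `if (type == RTN_LOCAL) fl.nl_u.ip4_u.saddr = iph->saddr;` still only fills in the source for a local address, so a packet with a foreign source is now routed with `fl.nl_u.ip4_u.daddr = iph->daddr` and no source address in the flow key at all. If that is the intended FREEBIND behaviour it should be stated in the description, and `addr_type` is now referenced only from commented-out text, so the parameter is effectively dead and will draw an unused-parameter warning.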
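Review bot: the `/*` introduced at `+/* fl.nl_u.ip4_u.daddr = iph->saddr;` in the second hunk disables the entire non-local-source path, including the `ip_route_output_key` lookup that the surrounding comment says exists to satisfy rp-filter, and it does so for every caller of this function, not only for FREEBIND sockets. Keep the branch and gate it on the actual condition you need, and express the change as removed lines rather than `//` and `/* ... */` wrappers, which leave dead text in the source and do not match kernel coding style.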
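Review bot: the `+*/` in the last hunk closes a block comment that was opened in the previous hunk, so the file only compiles because no `*/` sequence happens to occur in the disabled lines between the two hunks; a comment that spans hunks like this is easy to break on rebase, which is one more reason to delete the `else` branch (or make it conditional) instead of commenting it out.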
We should probably first ask on netfilter-devel@ why this whole route lookup thing is necessary...

-- 
KOVACS Krisztian