[tproxy] Problem with Tproxy more kernel 2.6.22.9
KOVACS Krisztian
hidden at sch.bme.hu
Tue Jan 15 12:42:37 CET 2008
Hi,
On Sat, Jan 12, 2008 at 11:47:44 +0800, Ming-Ching Tiew wrote:
> 2) IP_FREEBIND packets spoofed with a foreign source address will not
> leave the system when there is a FWMARK in the mangle table OUTPUT
> chain. This patch was created by me based on the information given by
> Kovacs; code quality is highly questionable as I barely understood
> what it is all about, but it seems to work.
>
> --- linux-2.6.22-org/net/ipv4/netfilter.c 2007-12-13
> 20:55:45.000000000 +0800
> +++ linux-2.6.22-new/net/ipv4/netfilter.c 2007-12-13
> 20:55:03.000000000 +0800
> @@ -24,7 +24,7 @@
> /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
> * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
> */
> - if (addr_type == RTN_LOCAL) {
> +// if (addr_type == RTN_LOCAL) {
> fl.nl_u.ip4_u.daddr = iph->daddr;
> if (type == RTN_LOCAL)
> fl.nl_u.ip4_u.saddr = iph->saddr;
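Review bot: disabling `if (addr_type == RTN_LOCAL) {` by prefixing it with `//` makes the output route lookup that follows run for every packet reaching this function, including the foreign-saddr packets that the `/* some non-standard hacks like ipt_REJECT.c:send_reset() ... */` comment directly above says the branch exists to handle, and that comment is left in place describing a condition that no longer exists. If the intent is that every packet, local source or not, takes the output lookup, delete the condition and rewrite the comment instead of commenting them out, and add a comment on the `if (type == RTN_LOCAL)` guard that still controls whether `iph->saddr` goes into the flow key, since with the outer test gone that guard is what keeps a non-local source address out of the route lookup and nothing in the hunk says so.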
> @@ -37,10 +37,10 @@
> /* Drop old route. */
> dst_release((*pskb)->dst);
> (*pskb)->dst = &rt->u.dst;
> - } else {
> +// } else {
> /* non-local src, find valid iif to satisfy
> * rp-filter when calling ip_route_input. */
> - fl.nl_u.ip4_u.daddr = iph->saddr;
> +/* fl.nl_u.ip4_u.daddr = iph->saddr;
> if (ip_route_output_key(&rt, &fl) != 0)
> return -1;
>
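Review bot: the `/*` opened on the `+/* fl.nl_u.ip4_u.daddr = iph->saddr;` line is closed only in the following hunk, so this hunk is not self-consistent and the disabled region covers code the patch does not show; C block comments do not nest, so any `/* ... */` comment inside that elided stretch would terminate the disabled block early and leave the remainder of the else branch compiled in as live code. Disable the block with `#if 0` / `#endif`, or delete it outright, and remove the `/* non-local src, find valid iif to satisfy rp-filter when calling ip_route_input. */` comment, which now documents a lookup that no longer runs.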
> @@ -53,7 +53,7 @@
> dst_release(&rt->u.dst);
> dst_release(odst);
> }
> -
> +*/
> if ((*pskb)->dst->error)
> return -1;
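Review bot: the closing `+*/` lands where the blank line after the `}` that used to close the else branch was, so the braces only balance because `if (addr_type == RTN_LOCAL) {` and `} else {` are commented out in the two earlier hunks; that three-hunk coupling is fragile and should at least be stated in the changelog. With the else branch gone, a packet with a non-local source address now falls straight through to `if ((*pskb)->dst->error) return -1;`, so the `dst` stored by the earlier unconditional lookup is the only thing checked for the case the removed iif/rp-filter lookup handled; the description should say why that is acceptable, or the lookup should stay in place behind an explicit condition rather than being commented out wholesale.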
We should probably first ask on netfilter-devel@ why this whole route
lookup thing is necessary...
--
KOVACS Krisztian
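The report above turns on what IP_FREEBIND lets a socket do: bind, and therefore send from, an address that is not configured on any local interface, which is the "foreign source address" the quoted patch is trying to get past the post-mark re-route. The following is an added example, not code from the original post, the patch, or the tproxy project; it shows the user-space half only (the bind behaviour with and without the option) on Linux, without privileges, using 192.0.2.1 from TEST-NET-1 as a constructed foreign address that is assumed not to be assigned locally. The kernel-side re-routing after a mangle/OUTPUT mark is the part the patch touches and cannot be exercised from here.

```c
/* Added example (not from the original post or the tproxy project):
 * shows what IP_FREEBIND changes. Without the option, bind() to an address
 * that is not configured on any local interface fails with EADDRNOTAVAIL;
 * with it, the bind succeeds and packets sent from the socket carry that
 * foreign source address. The re-routing of such packets inside the kernel
 * after a mangle/OUTPUT mark is the part the quoted patch touches and is
 * not shown here.
 *
 * Assumptions: Linux, no special privileges, and 192.0.2.1 (TEST-NET-1,
 * a constructed sample address) is not assigned to any local interface.
 * If net.ipv4.ip_nonlocal_bind is 1 the "without" case will also succeed.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15   /* Linux value; normally supplied by <netinet/in.h> */
#endif

/* Try to bind a UDP socket to `addr`, optionally setting IP_FREEBIND first.
 * Returns 0 when bind() succeeds, otherwise the errno of the failing call
 * (EADDRNOTAVAIL is the expected failure for a foreign address,
 * EINVAL is returned for an unparsable address string). */
int try_bind_foreign(const char *addr, int use_freebind)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (use_freebind) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
            int err = errno;
            close(fd);
            return err;
        }
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                      /* let the kernel pick a port */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    int rc = bind(fd, (struct sockaddr *)&sin, sizeof(sin));
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    const char *foreign = "192.0.2.1";   /* constructed: not a local address */
    int without = try_bind_foreign(foreign, 0);
    int with    = try_bind_foreign(foreign, 1);
    printf("bind %s without IP_FREEBIND: %s\n", foreign,
           without ? strerror(without) : "ok");
    printf("bind %s with    IP_FREEBIND: %s\n", foreign,
           with ? strerror(with) : "ok");
    return 0;
}
```

The contrast between the two calls is the whole point: once the bind succeeds, nothing at the socket layer stops the foreign address from becoming the packet's saddr, and the report's complaint is that a FWMARK set in mangle OUTPUT then triggers a re-route that rejects exactly that packet.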