Hi Dave!
Some people use REJECT in the OUTPUT chain (rejecting locally generated
packets). This didn't work anymore starting with some fixes we did in 2.4.22.
A dst_entry for a local source doesn't contain pmtu information - and
thus the newly-created packet would instantly be dropped again.
I'll send you a 2.6.x merge for this later.
Please apply the following fix, thanks
--
- Harald Welte <[email protected]> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
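The symptom Harald describes (a REJECT --reject-with tcp-reset rule in OUTPUT whose generated RST is dropped again) is easy to confirm from user space: a locally initiated connect() that is rejected properly fails with ECONNREFUSED at once, while a kernel that loses the RST leaves the connect hanging until it times out. The probe below is an added example written for this page, not code from the thread or from the netfilter project. It assumes the reader installs a rule such as `iptables -I OUTPUT -p tcp --dport 9 -j REJECT --reject-with tcp-reset` beforehand; the target address 192.0.2.1 and port 9 are placeholders, and listen_on_loopback() exists only so the probe can check itself without any firewall rule.

```c
/* Added example, not code from the thread: a user-space probe that tells an
 * immediate TCP RST (ECONNREFUSED) apart from a reply that never arrives.
 * Assumed setup, done by the reader outside this program:
 *   iptables -I OUTPUT -p tcp --dport 9 -j REJECT --reject-with tcp-reset
 * A working ipt_REJECT makes ./probe 192.0.2.1 9 report "refused" at once;
 * a kernel that drops the generated RST reports "timeout" instead. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result { PROBE_CONNECTED, PROBE_REFUSED, PROBE_TIMEOUT, PROBE_ERROR };

/* Non-blocking connect() to ip:port, waiting at most timeout_s seconds. */
enum probe_result tcp_probe(const char *ip, unsigned short port, int timeout_s)
{
    struct sockaddr_in sa;
    fd_set wfds;
    struct timeval tv = { timeout_s, 0 };
    int fd, soerr = 0, rc;
    socklen_t len = sizeof(soerr);
    enum probe_result res = PROBE_ERROR;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return PROBE_ERROR;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return PROBE_ERROR;
    if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0)
        goto out;

    rc = connect(fd, (struct sockaddr *)&sa, sizeof(sa));
    if (rc == 0) {                       /* loopback may complete at once */
        res = PROBE_CONNECTED;
        goto out;
    }
    if (errno == ECONNREFUSED) {
        res = PROBE_REFUSED;
        goto out;
    }
    if (errno != EINPROGRESS)
        goto out;

    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    rc = select(fd + 1, NULL, &wfds, NULL, &tv);
    if (rc == 0) {
        res = PROBE_TIMEOUT;             /* neither SYN-ACK nor RST came back */
    } else if (rc > 0 && getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &len) == 0) {
        if (soerr == 0)
            res = PROBE_CONNECTED;
        else if (soerr == ECONNREFUSED)
            res = PROBE_REFUSED;         /* the RST was delivered: REJECT works */
    }
out:
    close(fd);
    return res;
}

/* Self-check helper: listen on 127.0.0.1 on an ephemeral port and report it. */
int listen_on_loopback(unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "connected", "refused (RST seen)",
                                   "timeout (reply dropped)", "error" };
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    unsigned short port = argc > 2 ? (unsigned short)atoi(argv[2]) : 9;

    printf("%s:%u -> %s\n", ip, port, names[tcp_probe(ip, port, 5)]);
    return 0;
}
```

Run it once before and once after installing the rule: "connected" (or a plain timeout against a host that does not answer) before, "refused (RST seen)" after. If the rule is in place and the probe still reports "timeout", the RST generated by ipt_REJECT is not reaching the local socket, which is exactly the 2.4.22 behaviour discussed in this thread.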
On Sun, 21 Sep 2003 16:40:13 +0200
Harald Welte <[email protected]> wrote:
> Some people use REJECT in the OUTPUT chain (rejecting locally generated
> packets). This didn't work anymore starting with some fixes we did in 2.4.22.
> A dst_entry for a local source doesn't contain pmtu information - and
> thus the newly-created packet would instantly be dropped again.
Applied to 2.4.x, thanks Harald.
That patch does not work; after patching the kernel, the problem has not disappeared!
The patch by Patrick is working fine and fixes this problem.
Harald Welte wrote:
>Hi Dave!
>
>Some people use REJECT in the OUTPUT chain (rejecting locally generated
>packets). This didn't work anymore starting with some fixes we did in 2.4.22.
>A dst_entry for a local source doesn't contain pmtu information - and
>thus the newly-created packet would instantly be dropped again.
>
>I'll send you a 2.6.x merge for this later.
>
>Please apply the following fix, thanks
>
>
>
>------------------------------------------------------------------------
>
>diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c
>--- linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c 2003-08-25 13:44:44.000000000 +0200
>+++ linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c 2003-09-21 16:39:25.000000000 +0200
>@@ -186,8 +186,8 @@
> nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
> nskb->nh.iph->ihl);
>
>- /* "Never happens" */
>- if (nskb->len > nskb->dst->pmtu)
>+ /* dst->pmtu can be zero because it is not set for local dst's */
>+ if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)
> goto free_nskb;
>
> connection_attach(nskb, oldskb->nfct);
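Review bot: the new guard `if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)` only masks the symptom. A dst with pmtu == 0 is one the packet picked up by being routed as local input, and as the later replies in this thread point out such a dst also has no neighbour, so even with the size check skipped the RST cannot be transmitted by the output path. The fix belongs in route_reverse(): route the reply as an output packet (for NF_IP_LOCAL_OUT with key.src left at 0 so a local source address is selected), after which nskb->dst is a proper output route and the original `if (nskb->len > nskb->dst->pmtu)` check can stay as it was.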
>
>
>------------------------------------------------------------------------
>
On Mon, Sep 22, 2003 at 12:16:50PM +0400, Diadon wrote:
> That patch is not work, after patching the kernel problem is not
> disappeared!
>
> Patch by Patrick is working fine and fix this problem
David, please defer applying that patch until further testing is done.
Sorry for the confusion.
--
- Harald Welte <[email protected]> http://www.netfilter.org/
On Mon, 22 Sep 2003 10:53:26 +0200
Harald Welte <[email protected]> wrote:
> David, please defer applying that patch until further testing is done.
>
> Sorry for the confusion.
Already pushed to Marcelo, just send me the fix I should apply
on top once you have this issue solved.
Harald Welte wrote:
>David, please defer applying that patch until further testing is done.
>
>Sorry for the confusion.
>
My bad, I missed that we cannot pass the packet to ip_finish_output2
since it was routed as local input and is missing a neighbour. The correct
fix is to use ip_route_output for packets generated in LOCAL_OUT with
key.saddr set to 0 (the first one I sent to Diadon).
Best regards,
Patrick
David S. Miller wrote:
>On Mon, 22 Sep 2003 10:53:26 +0200
>Harald Welte <[email protected]> wrote:
>
>>David, please defer applying that patch until further testing is done.
>>
>>Sorry for the confusion.
>
>Already pushed to Marcelo, just send me the fix I should apply
>on top once you have this issue solved.
>
So we're waiting for the final release of this patch ;)))
On Mon, Sep 22, 2003 at 02:02:05AM -0700, David S. Miller wrote:
> Already pushed to Marcelo, just send me the fix I should apply
> on top once you have this issue solved.
Ok, here goes the (confirmed to be working) fix. TIA.
diff -Nru linux-2.4.22-laforge/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.22-kaber/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.22-laforge/net/ipv4/netfilter/ipt_REJECT.c 2003-09-22 14:29:05.000000000 +0200
+++ linux-2.4.22-kaber/net/ipv4/netfilter/ipt_REJECT.c 2003-09-22 14:26:54.000000000 +0200
@@ -34,16 +34,17 @@
attach(new_skb, nfct);
}
-static inline struct rtable *route_reverse(struct sk_buff *skb, int local)
+static inline struct rtable *route_reverse(struct sk_buff *skb, int hook)
{
struct iphdr *iph = skb->nh.iph;
struct dst_entry *odst;
struct rt_key key = {};
struct rtable *rt;
- if (local) {
+ if (hook != NF_IP_FORWARD) {
key.dst = iph->saddr;
- key.src = iph->daddr;
+ if (hook == NF_IP_LOCAL_IN)
+ key.src = iph->daddr;
key.tos = RT_TOS(iph->tos);
if (ip_route_output_key(&rt, &key) != 0)
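Review bot: the condition `if (hook != NF_IP_FORWARD)` now sends both NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT through the output-route lookup, but nothing in the hunk says why `key.src = iph->daddr;` is set only under `if (hook == NF_IP_LOCAL_IN)`. Add a short comment at that point: for a locally generated packet iph->daddr is the remote host, so key.src must stay 0 to let ip_route_output_key() pick a local source address and return an output route that carries a neighbour, which is the whole reason the earlier pmtu-based workaround did not help. Without that comment the next reader is likely to "fix" the asymmetry.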
@@ -75,7 +76,7 @@
}
/* Send RST reply */
-static void send_reset(struct sk_buff *oldskb, int local)
+static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
struct tcphdr *otcph, *tcph;
@@ -104,7 +105,7 @@
csum_partial((char *)otcph, otcplen, 0)) != 0)
return;
- if ((rt = route_reverse(oldskb, local)) == NULL)
+ if ((rt = route_reverse(oldskb, hook)) == NULL)
return;
hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
@@ -186,8 +187,8 @@
nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
nskb->nh.iph->ihl);
- /* dst->pmtu can be zero because it is not set for local dst's */
- if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)
+ /* "Never happens" */
+ if (nskb->len > nskb->dst->pmtu)
goto free_nskb;
connection_attach(nskb, oldskb->nfct);
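Review bot: putting `/* "Never happens" */` back is correct only because route_reverse() now always returns an output route, for which pmtu is set; the comment should say that instead of just asserting it never happens (e.g. "route_reverse() returns an output route, so pmtu is set"), otherwise the `nskb->dst->pmtu &&` guard that this hunk removes will look like a missing check to whoever reads `if (nskb->len > nskb->dst->pmtu)` next.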
@@ -372,7 +373,7 @@
send_unreach(*pskb, ICMP_PKT_FILTERED);
break;
case IPT_TCP_RESET:
- send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
+ send_reset(*pskb, hooknum);
case IPT_ICMP_ECHOREPLY:
/* Doesn't happen. */
break;
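Review bot: `send_reset(*pskb, hooknum);` has no `break;` and falls through into `case IPT_ICMP_ECHOREPLY:`. That is harmless today because the echo-reply case only contains `/* Doesn't happen. */` and `break;`, but since this hunk touches the line anyway, add a `break;` after the send_reset() call (or an explicit fall-through comment) so the intent is visible and the RESET path stops depending on the next case staying empty.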
--
- Harald Welte <[email protected]> http://www.netfilter.org/
On Mon, 22 Sep 2003 14:21:59 +0200
Harald Welte <[email protected]> wrote:
> On Mon, Sep 22, 2003 at 02:02:05AM -0700, David S. Miller wrote:
>
> > Already pushed to Marcelo, just send me the fix I should apply
> > on top once you have this issue solved.
>
> Ok, here goes the (confirmed to be working) fix. TIA.
Applied, thanks.