Herbert Xu wrote:
On Mon, Jan 16, 2006 at 08:08:19AM +0100, Patrick McHardy wrote:
I can't figure out how this can happen. If a local outgoing multicast
packet would have been SNATed to a non-local IP, ip_route_input would
have been used by ip_route_me_harder. In that case we should see
ip_output instead of ip_mc_output in the backtrace. But it definitely
looks related to the rerouting changes in the NAT code.
The reason it stays in ip_mc_output is because the SNAT is performed
by the POST_ROUTING hook in ip_mc_output. So it's too late to get out
of it.
Because at this stage in the stack we no longer look at dst->output the
skb is simply passed onto ip_finish_output and then ip_finish_output2.
You're absolutely right. Using ip_route_output for local outgoing
packets in POST_ROUTING should fix this problem.
Andi, can you please try this patch?
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index fdc4a95..4eaecea 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -78,7 +78,7 @@ enum nf_ip_hook_priorities {
#define SO_ORIGINAL_DST 80
#ifdef __KERNEL__
-extern int ip_route_me_harder(struct sk_buff **pskb);
+extern int ip_route_me_harder(struct sk_buff **pskb, unsigned int hook);
#endif /*__KERNEL__*/
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 52a3d7c..0205bfa 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -8,10 +8,10 @@
#include <net/ip.h>
/* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
-int ip_route_me_harder(struct sk_buff **pskb)
+int ip_route_me_harder(struct sk_buff **pskb, unsigned int hook)
{
struct iphdr *iph = (*pskb)->nh.iph;
- struct rtable *rt;
+ struct rtable *rt = (struct rtable *)(*pskb)->dst;
struct flowi fl = {};
struct dst_entry *odst;
unsigned int hh_len;
@@ -19,7 +19,8 @@ int ip_route_me_harder(struct sk_buff **
/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
* packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
*/
- if (inet_addr_type(iph->saddr) == RTN_LOCAL) {
+ if ((hook == NF_IP_POST_ROUTING && rt->fl.iif == 0) ||
+ inet_addr_type(iph->saddr) == RTN_LOCAL) {
fl.nl_u.ip4_u.daddr = iph->daddr;
fl.nl_u.ip4_u.saddr = iph->saddr;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
@@ -115,7 +116,7 @@ static int queue_reroute(struct sk_buff
if (!(iph->tos == rt_info->tos
&& iph->daddr == rt_info->daddr
&& iph->saddr == rt_info->saddr))
- return ip_route_me_harder(pskb);
+ return ip_route_me_harder(pskb, info->hook);
}
return 0;
}
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c
b/net/ipv4/netfilter/ip_nat_standalone.c
index ad438fb..d1d89ea 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -246,7 +246,8 @@ ip_nat_out(unsigned int hooknum,
ct->tuplehash[!dir].tuple.dst.u.all
#endif
)
- return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+ if (ip_route_me_harder(pskb, hooknum) != 0)
+ ret = NF_DROP;
}
return ret;
}
@@ -279,7 +280,8 @@ ip_nat_local_fn(unsigned int hooknum,
ct->tuplehash[dir].tuple.src.u.all
#endif
)
- return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+ if (ip_route_me_harder(pskb, hooknum) != 0)
+ ret = NF_DROP;
}
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c
b/net/ipv4/netfilter/iptable_mangle.c
index 3212a5c..78a58f7 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -158,7 +158,8 @@ ipt_local_hook(unsigned int hook,
|| (*pskb)->nfmark != nfmark
#endif
|| (*pskb)->nh.iph->tos != tos))
- return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+ if (ip_route_me_harder(pskb, hook) != 0)
+ ret = NF_DROP;
return ret;
}
