OK, I see what you mean. This should solve your issue 'b' (untested, not even
compile-tested; standard disclaimer applies). The patch is against 20010902-1.


--- br_passthrough.c.orig       Thu Sep  6 23:34:23 2001
+++ br_passthrough.c    Thu Sep  6 23:35:27 2001
@@ -66,10 +66,7 @@
        dprintk(KERN_NOTICE "br_nf_pre_routing_finish.. ");
 
        if (skb->origdstaddr != iph->daddr) {
-               struct net_device *br;
-
-               br = &(dev->br_port->br->dev);
-               if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, br)) {
+               if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev)) {
                        struct rtable *rt;
 
                        if (ip_route_output(&rt, iph->daddr, 0, iph->tos, 0)) {
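Review bot: The new `ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev)` call, and the `memcpy(skb->mac.ethernet->h_dest, dev->dev_addr, ETH_ALEN)` in the second hunk, are only correct if `dev` already refers to the bridge device when br_nf_pre_routing_finish runs, and nothing visible in either hunk establishes that. The assignment of `dev` lies outside the hunk; if it is taken from `skb->physindev` rather than from the `skb->dev` that the third hunk rewrites, the route lookup would still run against the unconfigured port and the destination MAC would be the port's rather than the bridge's. A comment at the call, for example `/* dev is the bridge device here: skb->dev was switched before the PRE_ROUTING hook */`, would record that dependency for the next reader.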
@@ -83,9 +80,7 @@
                        memset(skb->mac.ethernet->h_dest, 0x22, ETH_ALEN);
                } else {
                        dprintk("local ");
-                       memcpy(skb->mac.ethernet->h_dest,
-                               dev->br_port->br->dev.dev_addr,
-                               ETH_ALEN);
+                       memcpy(skb->mac.ethernet->h_dest, dev->dev_addr, ETH_ALEN);
                }
        } else {
                skb->dst = &__fake_dst_entry;
@@ -136,6 +131,7 @@
        }
 
        skb->physindev = skb->dev;
+       skb->dev = &(skb->dev->br_port->br->dev);
        skb->origdstaddr = iph->daddr;
        dprintk("calling br_nf_pre_routing_finish\n");
        NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
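Review bot: The added `skb->dev = &(skb->dev->br_port->br->dev);` dereferences `br_port` with no check visible in this hunk, so a frame arriving on a device with no bridge port attached at that moment would fault in the kernel. The enclosing function starts and ends outside the hunk, so an earlier guard may already cover this; if not, `skb->dev->br_port` should be tested for NULL before the assignment and `skb->dev` left untouched in that case. Because `NF_HOOK` is now called with the bridge device as the input device, PRE_ROUTING rules that match on the physical port name would presumably stop matching, which is a change in filtering behaviour that deserves a comment and a note to ruleset owners. Code that runs after the hook and expects `skb->dev` to be the port would likewise need it restored from `skb->physindev`, which this patch does not show.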



On Wed, Sep 05, 2001 at 11:23:20AM +0200, Henrik Nordstrom wrote:

> > > The REDIRECT target bombs out if you haven't assigned an IP address on
> > > the ethernet interface. Better to use DNAT and specify the IP of your
> > > bridge interface.
> >
> > Isn't this expected?
> 
> Not entirely.
> 
> The recommended bridge setup is using anonymous ethernet interfaces and only
> have an IP on the virtual bridge interface. REDIRECT is not happy in such
> setup as it tries to find the IP from the real interface and thus bombs out
> as the IP protocol isn't configured at all on those interfaces.
> 
> There is at least two issues here
> 
> a) A netfilter/iptables bug where REDIRECT panics if the receiving interface
> isn't configured for IP. (will write a patch for this soonish. trivial)
> 
> b) A bridge/netfilter integration bug where REDIRECT in a bridge tries to
> find the IP address from the real ethernet interface while one expects it to
> use the bridge interface.
> 
> --
> Henrik Nordstrom
> MARA Systems AB
> Sweden
> 

-- 
 I are sigfile disease!!
 All your quote are belong to us.
 Copy us every "sig"!