Patrick McHardy <[EMAIL PROTECTED]> wrote:
> Andrew Morton wrote:
>>
>> http://bugzilla.kernel.org/show_bug.cgi?id=5936
>
> Please post your iptables rules and the full list of loaded modules.
The problem is caused by SNAT on a dst that already has an xfrm set. When ip_route_me_harder processes the dst it will cause the dst to lose its xfrm since it has IPSKB_XFRM_TRANSFORMED set. Since xfrm4_output_finish does not expect dsts to lose their xfrms after POST_ROUTING, it crashes.

Obviously we could add a check in xfrm4_output_finish to prevent this crash, however, I think we need to consider this a bit more since it breaks a fairly common setup where people just stick a rule into the NAT table that says

iptables -t nat -I POSTROUTING -i eth1 -j MASQUERADE

where eth1 is the outbound interface. If this rule catches any IPsec VPN traffic then it'll SNAT them even though the intention is obviously to let them through without SNAT.

Perhaps it's best to have SNAT not touch packets with dst->xfrm set. Unfortunately that leads to problems as well (albeit rarer) since you may have catch-all IPsec policies that every packet matches, but you want certain packets to be SNATed so that they match more specific policies.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
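The blanket MASQUERADE rule described in the message, beside a variant that exempts traffic an outbound IPsec policy will handle, as an added example that is not from this thread. It assumes eth1 is the outbound interface and that the iptables policy match (xt_policy) is available; it uses -o rather than -i because the POSTROUTING chain matches on the output interface, and the addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth1 is the outbound interface
# (as in the message) and that the iptables "policy" match (xt_policy) is
# loaded. IPT defaults to a dry run so the script can be read without root.
IPT="${IPT:-echo iptables}"

# Weak setup: the rule quoted in the message. Every connection leaving eth1 is
# masqueraded, including traffic an outbound IPsec policy is about to
# transform; that is the SNAT-on-a-dst-with-xfrm case that crashes.
weak_rules() {
    $IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

# Safer setup: packets that already match an outbound IPsec policy leave the
# nat POSTROUTING chain untouched (ACCEPT in nat means "no NAT for this
# connection"), and only the rest are masqueraded.
# The first rule is the catch-all-policy case the message raises: 10.0.1.0/24
# (constructed) is SNATed so it then matches a more specific policy for
# 192.0.2.10 (constructed, RFC 5737). On a kernel with the bug described in
# the message this rule still hits the SNAT-on-xfrm path; it is the case that
# needs the kernel fix rather than a rule change.
safe_rules() {
    $IPT -t nat -A POSTROUTING -o eth1 -s 10.0.1.0/24 \
        -j SNAT --to-source 192.0.2.10
    $IPT -t nat -A POSTROUTING -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

# Check to run on a live box: list the nat POSTROUTING rules and the outbound
# SPD side by side, so the policy exception can be compared with the real
# policies before any VPN traffic is sent through eth1.
show_state() {
    $IPT -t nat -S POSTROUTING
    ${IP:-echo ip} xfrm policy show dir out
}

safe_rules
```

Run with IPT=iptables IP=ip as root to apply the rules instead of printing them.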
