Herbert Xu wrote:
> Patrick McHardy <[EMAIL PROTECTED]> wrote:
>
>> Andrew Morton wrote:
>>
>>> http://bugzilla.kernel.org/show_bug.cgi?id=5936
>>
>> Please post your iptables rules and the full list of loaded modules.
>
> The problem is caused by SNAT on a dst that already has an xfrm set.
> When ip_route_me_harder processes the dst it will cause the dst to
> lose its xfrm since it has IPSKB_XFRM_TRANSFORMED set.
>
> Since xfrm4_output_finish does not expect dst's to lose their xfrm's
> after POST_ROUTING, it crashes.
>
> Obviously we could add a check in xfrm4_output_finish to prevent this
> crash; however, I think we need to consider this a bit more since it
> breaks a fairly common setup where people just stick a rule into the
> NAT table that says
>
>     iptables -t nat -I POSTROUTING -i eth1 -j MASQUERADE
>
> where eth1 is the outbound interface. If this rule catches any IPsec
> VPN traffic then it'll SNAT them even though the intention is obviously
> to let them through without SNAT.
>
> Perhaps it's best to have SNAT not touch packets with dst->xfrm set.
> Unfortunately that leads to problems as well (albeit rarer) since you
> may have catch-all IPsec policies that every packet matches, but you
> want certain packets to be SNATed so that they match more specific
> policies.
I don't like adding this special behaviour for NAT; people need to adjust
their rulesets for filtering etc. anyway.

We could stop rerouting packets in between transforms (when both dst->xfrm
and IPSKB_XFRM_TRANSFORMED are set), but this is inconsistent with what
happens on input: when a packet is DNATed in PRE_ROUTING, it does affect
the SA lookup.

So I think I'd prefer handling this case in xfrm[46]_output_finish, but I
need to think about it a bit more.
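The ruleset adjustment this reply alludes to, as an added example that is not part of the thread and not code from either poster or from the kernel: instead of special-casing NAT in the kernel, keep packets that an outbound IPsec policy applies to out of the catch-all MASQUERADE rule with the xt_policy match (`-m policy --dir out --pol ipsec`). The fragile rule from the thread is shown beside the adjusted one, plus a narrowed variant for the catch-all-policy case Herbert raises. The interface name, the WAN_IF and APPLY variables, the 10.0.5.0/24 subnet and all function names are assumptions; by default the script only prints the iptables commands so it can be inspected without root. Note that in POSTROUTING the outbound interface is selected with `-o`.

```shell
#!/bin/sh
# Added example, not code from the thread. WAN_IF, APPLY, the subnet and
# the function names are assumptions made for this illustration.
#
# Default: print the iptables commands. APPLY=1: actually run them (root).
WAN_IF="${WAN_IF:-eth1}"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Fragile ruleset: one catch-all MASQUERADE on the outbound interface.
# Any packet that already matched an outbound IPsec policy is SNATed too,
# which is the situation the thread describes.
fragile_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Adjusted ruleset: packets that an outbound IPsec policy applies to are
# accepted (left un-NATed) in the nat table before the catch-all rule.
# Order matters: MASQUERADE is a terminating target, so the exemption
# must come first or it never fires.
adjusted_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Narrowed variant for Herbert's counter-case: a catch-all IPsec policy
# matches everything, but traffic from one subnet must still be SNATed so
# it hits a more specific policy. That subnet is kept out of the exemption.
# (The subnet is an assumption.)
narrowed_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" ! -s 10.0.5.0/24 -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Check rule order without touching the kernel: 1-based position of the
# first rule in a ruleset's printed output that contains a pattern, or 0
# when no rule does.
rule_position() {
    pos=$("$1" | grep -n -- "$2" | cut -d: -f1 | head -n 1)
    printf '%s\n' "${pos:-0}"
}

policy_exempt_position() { rule_position "$1" '-m policy --dir out --pol ipsec'; }
masquerade_position()    { rule_position "$1" '-j MASQUERADE'; }

# Print all three rulesets: sh this_script.sh show
if [ "${1:-}" = show ]; then
    for rs in fragile_rules adjusted_rules narrowed_rules; do
        echo "# $rs"; "$rs"; echo
    done
fi
```

The policy match looks at the outbound policy that was already selected for the packet, which is exactly what the kernel-side fix would have to inspect via dst->xfrm; doing it in the ruleset keeps the PRE_ROUTING DNAT behaviour the reply mentions unchanged and leaves the administrator free to carve out the subnets that do need SNAT before IPsec.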
