Martin Schiller wrote: > Well, the really responsible code is the following: > > ------------------------------------------------------------------------ > static unsigned int > ip_nat_local_fn(unsigned int hooknum, > struct sk_buff **pskb, > const struct net_device *in, > const struct net_device *out, > int (*okfn)(struct sk_buff *)) > { > struct ip_conntrack *ct; > enum ip_conntrack_info ctinfo; > unsigned int ret; > > /* root is playing with raw sockets. */ > if ((*pskb)->len < sizeof(struct iphdr) > || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) > return NF_ACCEPT; > > ret = ip_nat_fn(hooknum, pskb, in, out, okfn); > if (ret != NF_DROP && ret != NF_STOLEN > && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) { > enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); > > if (ct->tuplehash[dir].tuple.dst.ip != > ct->tuplehash[!dir].tuple.src.ip > #ifdef CONFIG_XFRM > || ct->tuplehash[dir].tuple.dst.u.all != > ct->tuplehash[!dir].tuple.src.u.all > #endif > ) > if (ip_route_me_harder(pskb, RTN_UNSPEC)) > ret = NF_DROP; > } > return ret; > } > ---------------------------------------------------------------------------- > > To be more exactly, it's the examination of > "ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all" > which is only be done if XFRM is configured. Since I don't need this anyway, > I deactivated XFRM now and my "ping -I" is working now.
You're right, that doesn't really work for ICMP since the tuples are asymetric even without NAT. I didn't expect the unnecessary call to ip_route_me_harder to have any side-effects. I'll look into fixing this properly. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html