Martin Schiller wrote:
> Well, the really responsible code is the following:
>
> ------------------------------------------------------------------------
> static unsigned int
> ip_nat_local_fn(unsigned int hooknum,
> struct sk_buff **pskb,
> const struct net_device *in,
> const struct net_device *out,
> int (*okfn)(struct sk_buff *))
> {
> struct ip_conntrack *ct;
> enum ip_conntrack_info ctinfo;
> unsigned int ret;
>
> /* root is playing with raw sockets. */
> if ((*pskb)->len < sizeof(struct iphdr)
> || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
> return NF_ACCEPT;
>
> ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
> if (ret != NF_DROP && ret != NF_STOLEN
> && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
> enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
>
> if (ct->tuplehash[dir].tuple.dst.ip !=
> ct->tuplehash[!dir].tuple.src.ip
> #ifdef CONFIG_XFRM
> || ct->tuplehash[dir].tuple.dst.u.all !=
> ct->tuplehash[!dir].tuple.src.u.all
> #endif
> )
> if (ip_route_me_harder(pskb, RTN_UNSPEC))
> ret = NF_DROP;
> }
> return ret;
> }
> ----------------------------------------------------------------------------
>
> To be more exactly, it's the examination of
> "ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all"
> which is only be done if XFRM is configured. Since I don't need this anyway,
> I deactivated XFRM now and my "ping -I" is working now.
You're right, that doesn't really work for ICMP since the tuples are
asymetric even without NAT. I didn't expect the unnecessary call to
ip_route_me_harder to have any side-effects. I'll look into fixing
this properly.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
