| Message ID | 1365799891-7731-1-git-send-email-fw@strlen.de |
|---|---|
| State | Superseded |
Hi Florian,

On Fri, Apr 12, 2013 at 10:51:31PM +0200, Florian Westphal wrote:
> Alex Efros reported rpfilter module doesn't match following packets:
> IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
> (netfilter bugzilla #814).
>
> Problem is that network stack arranges for the locally generated broadcasts
> to appear on the interface they were sent out, so the IFF_LOOPBACK check
> doesn't trigger.
>
> As -m rpfilter is restricted to PREROUTING, we can check for existing
> skb_dst instead, it catches locally-generated broad/multicast case, too.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
> net/ipv6/netfilter/ip6t_rpfilter.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c > index c301300..601abf2 100644 > --- a/net/ipv4/netfilter/ipt_rpfilter.c > +++ b/net/ipv4/netfilter/ipt_rpfilter.c > @@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) > info = par->matchinfo; > invert = info->flags & XT_RPFILTER_INVERT; > > - if (par->in->flags & IFF_LOOPBACK) > + if (skb_dst(skb)) /* locally generated? */

I'd prefer if this is narrowed down to locally generated traffic in
the same way we do in nf_conntrack_broadcast.c.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi Florian,
>
> > diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c > > index c301300..601abf2 100644 > > --- a/net/ipv4/netfilter/ipt_rpfilter.c > > +++ b/net/ipv4/netfilter/ipt_rpfilter.c > > @@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) > > info = par->matchinfo; > > invert = info->flags & XT_RPFILTER_INVERT; > > > > - if (par->in->flags & IFF_LOOPBACK) > > + if (skb_dst(skb)) /* locally generated? */
>
> I'd prefer if this is narrowed down to locally generated traffic in
> the same way we do in nf_conntrack_broadcast.c.

Fair enough, I will change it.
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c index c301300..601abf2 100644 --- a/net/ipv4/netfilter/ipt_rpfilter.c +++ b/net/ipv4/netfilter/ipt_rpfilter.c @@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) info = par->matchinfo; invert = info->flags & XT_RPFILTER_INVERT; - if (par->in->flags & IFF_LOOPBACK) + if (skb_dst(skb)) /* locally generated? */ return true ^ invert; iph = ip_hdr(skb); diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c index 5060d54..8767991 100644 --- a/net/ipv6/netfilter/ip6t_rpfilter.c +++ b/net/ipv6/netfilter/ip6t_rpfilter.c @@ -78,7 +78,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) struct ipv6hdr *iph; bool invert = info->flags & XT_RPFILTER_INVERT; - if (par->in->flags & IFF_LOOPBACK) + if (skb_dst(skb)) /* locally generated? */ return true ^ invert; iph = ipv6_hdr(skb);
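Review bot: in the ipt_rpfilter.c hunk, `if (skb_dst(skb))` only proves that some dst was already attached before the packet reached PREROUTING, not that the packet was locally generated, and the `/* locally generated? */` comment concedes the uncertainty. As the thread asks, narrow the short-circuit the way nf_conntrack_broadcast.c does so that only genuinely local-origin traffic skips the reverse-path check, for instance by inspecting the attached route's flags (`skb_rtable(skb)` with `RTCF_LOCAL`) rather than the mere presence of a dst, and then rewrite the comment as a statement of what the test guarantees. A one-line comment on why the old `IFF_LOOPBACK` test is subsumed by the dst check would also help the next reader of this function.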
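Review bot: the ip6t_rpfilter.c hunk makes the identical `if (skb_dst(skb))` substitution and so inherits the same over-match concern; whatever narrowing is adopted for IPv4 should be mirrored here (for IPv6 the attached dst is a `struct rt6_info`, so the local-route test would look at `rt6i_flags & RTF_LOCAL`), ideally as a small helper in each file with the same name and shape so the v4 and v6 matches cannot drift apart.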
Alex Efros reported that the rpfilter module doesn't match the following packets: IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ] (netfilter bugzilla #814).

Problem is that the network stack arranges for the locally generated broadcasts to appear on the interface they were sent out, so the IFF_LOOPBACK check doesn't trigger.

As -m rpfilter is restricted to PREROUTING, we can check for an existing skb_dst instead; it catches the locally-generated broad/multicast case, too.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
net/ipv6/netfilter/ip6t_rpfilter.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)