    netfilter: Dissect flow after packet mangling · 812fa71f
    Ido Schimmel authored
    Netfilter tries to reroute mangled packets as a different route might
    need to be used following the mangling. When this happens, netfilter
    does not populate the IP protocol, the source port and the destination
    port in the flow key. Therefore, FIB rules that match on these fields
    are ignored and packets can be misrouted.
    
    Solve this by dissecting the outer flow and populating the flow key
    before rerouting the packet. Note that flow dissection only happens when
    FIB rules that match on these fields are installed, so in the common
    case there should not be a penalty.
    Reported-by: Michal Soltys <msoltyspl@yandex.pl>
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter.c 6.59 KB
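The failure mode the commit message describes is easy to lose in the abstract: a FIB rule that matches on `ipproto`/`dport` silently never matches when the flow key handed to the rule lookup carries zeros in those fields, so the packet falls through to the next rule and is routed by the wrong table. The userspace model below is an added illustration and is not kernel code or anything from this commit: the `flow_key`/`fib_rule` structs, the two-rule policy (an assumed `ip rule add ipproto tcp dport 8443 table 100` plus the implicit lookup of `main`), the mangling step (a destination-port rewrite such as a DNAT/REDIRECT target would perform) and the embedded IPv4+TCP header bytes are all constructed for the example. `key_from_iphdr()` builds the key the way the pre-fix reroute did (addresses and TOS only); `key_dissect()` additionally reads the protocol and, for a first-fragment TCP/UDP packet, the ports, which is the behaviour the fix adds.

```c
/* Added example: userspace model of FIB-rule lookup on a rerouted, mangled
 * packet. Not kernel code; all names, the rule set and the packet bytes are
 * assumptions made for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

struct flow_key {             /* subset of the fields a FIB rule can match on */
    uint32_t saddr, daddr;    /* host byte order */
    uint8_t  tos;
    uint8_t  proto;           /* 0 = not populated */
    uint16_t sport, dport;    /* 0 = not populated */
};

#define TABLE_MAIN 254u

struct fib_rule {
    uint8_t  proto;           /* 0 = wildcard */
    uint16_t dport;           /* 0 = wildcard */
    uint32_t table;
};

/* Assumed policy: "ip rule add ipproto tcp dport 8443 table 100", then main. */
static const struct fib_rule rules[] = {
    { IPPROTO_TCP, 8443, 100 },
    { 0, 0, TABLE_MAIN },
};

/* First matching rule wins; unpopulated key fields (0) never satisfy a
 * rule that specifies the field, which is exactly the bug being modelled. */
static uint32_t fib_rules_lookup(const struct flow_key *fl)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct fib_rule *r = &rules[i];
        if (r->proto && r->proto != fl->proto) continue;
        if (r->dport && r->dport != fl->dport) continue;
        return r->table;
    }
    return TABLE_MAIN;
}

/* Pre-fix style key: only what the IPv4 header gives for free. */
static int key_from_iphdr(const uint8_t *pkt, size_t len, struct flow_key *fl)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    memset(fl, 0, sizeof *fl);
    fl->tos = pkt[1];
    memcpy(&fl->saddr, pkt + 12, 4); fl->saddr = ntohl(fl->saddr);
    memcpy(&fl->daddr, pkt + 16, 4); fl->daddr = ntohl(fl->daddr);
    return 0;                 /* proto/sport/dport deliberately left 0 */
}

/* Post-fix style key: dissect protocol and, for TCP/UDP first fragments, ports. */
static int key_dissect(const uint8_t *pkt, size_t len, struct flow_key *fl)
{
    if (key_from_iphdr(pkt, len, fl)) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    fl->proto = pkt[9];
    uint16_t frag_off = ((pkt[6] & 0x1f) << 8) | pkt[7];   /* non-first fragments have no L4 header */
    if ((fl->proto == IPPROTO_TCP || fl->proto == IPPROTO_UDP) &&
        frag_off == 0 && len >= ihl + 4) {
        fl->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        fl->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return 0;
}

/* Mangling step: rewrite the L4 destination port in place (checksums ignored here). */
static void mangle_dport(uint8_t *pkt, uint16_t new_dport)
{
    size_t ihl = (pkt[0] & 0x0f) * 4;
    pkt[ihl + 2] = (uint8_t)(new_dport >> 8);
    pkt[ihl + 3] = (uint8_t)(new_dport & 0xff);
}

/* Constructed sample: IPv4 + TCP SYN, 10.0.0.2:40000 -> 10.0.0.1:443. */
static const uint8_t sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 2,  10, 0, 0, 1,
    0x9c, 0x40, 0x01, 0xbb,  0, 0, 0, 0,  0, 0, 0, 0,  0x50, 0x02, 0xff, 0xff,  0, 0, 0, 0
};

/* Mangle dport 443 -> 8443, then reroute. dissect=0 models the pre-fix
 * key, dissect=1 the fixed one. Returns the table the rules select. */
static uint32_t reroute_after_mangle(int dissect)
{
    uint8_t pkt[sizeof sample_pkt];
    struct flow_key fl;
    memcpy(pkt, sample_pkt, sizeof pkt);
    mangle_dport(pkt, 8443);
    int rc = dissect ? key_dissect(pkt, sizeof pkt, &fl)
                     : key_from_iphdr(pkt, sizeof pkt, &fl);
    return rc ? 0 : fib_rules_lookup(&fl);
}

int main(void)
{
    printf("reroute, key without dissection: table %u (rule never matched)\n",
           reroute_after_mangle(0));
    printf("reroute, key after dissection:   table %u\n", reroute_after_mangle(1));
    return 0;
}
```

The point to carry over to a real system: a policy-routing rule that keys on `ipproto`, `sport` or `dport` is only as reliable as the code path that fills those fields, and the reroute-after-mangle path is one of several that build a flow key by hand rather than from a full dissection. When such rules are part of a security boundary (for example steering traffic to a table whose default route is an inspection device), it is worth testing the mangled and rerouted case explicitly rather than assuming the rule fires everywhere the initial lookup did.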