Commit 3dfdabda authored by Rusty Russell, committed by Stephen Hemminger

[NETFILTER]: Fix masquerade routing check.

Alexey says:
 Unrelated: giving out->ifindex is a bug, by the way. It can screw up
 the things a lot. In this context, if you want to be sure that packet
 will go out expected interface you do plain lookup and drop packet
 if it gave you some strange route.
parent 2f5c4f3e
...@@ -91,11 +91,18 @@ masquerade_target(struct sk_buff **pskb, ...@@ -91,11 +91,18 @@ masquerade_target(struct sk_buff **pskb,
#ifdef CONFIG_IP_ROUTE_FWMARK #ifdef CONFIG_IP_ROUTE_FWMARK
.fwmark = (*pskb)->nfmark .fwmark = (*pskb)->nfmark
#endif #endif
} }, } } };
.oif = out->ifindex };
if (ip_route_output_key(&rt, &fl) != 0) { if (ip_route_output_key(&rt, &fl) != 0) {
/* Shouldn't happen */ /* Funky routing can do this. */
printk("MASQUERADE: No route: Rusty's brain broke!\n"); if (net_ratelimit())
printk("MASQUERADE:"
" No route: Rusty's brain broke!\n");
return NF_DROP;
}
if (rt->u.dst.dev != out) {
if (net_ratelimit())
printk("MASQUERADE:"
" Route sent us somewhere else.\n");
return NF_DROP; return NF_DROP;
} }
} }
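Review bot: The new `rt->u.dst.dev != out` branch returns NF_DROP while still holding the route that the successful ip_route_output_key(&rt, &fl) call just handed back, and no release is visible on that path. If nothing outside these lines drops the reference, every packet routed to an unexpected device leaks one, so an `ip_rt_put(rt);` before the `return NF_DROP;` in that branch looks necessary. A smaller point: the failure path's comment now says funky routing can cause this, but the log text still reads "No route: Rusty's brain broke!", which will send an administrator looking for a code bug rather than a routing configuration problem. A message that names the cause would be more useful.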