[kernel] r17987 - in dists/sid/linux-2.6/debian: . patches/bugfix/all	patches/series
    Ben Hutchings 
    benh at alioth.debian.org
       
    Tue Aug 23 04:24:50 UTC 2011
    
    
  
Author: benh
Date: Tue Aug 23 04:24:47 2011
New Revision: 17987
Log:
netfilter: TCP and raw fix for ip_route_me_harder
This fixes a case where SNAT/masquerading is not done.  David Miller
has queued this for 3.0.y.
Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/3
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Mon Aug 22 06:09:27 2011	(r17986)
+++ dists/sid/linux-2.6/debian/changelog	Tue Aug 23 04:24:47 2011	(r17987)
@@ -7,6 +7,8 @@
     - atm: br2864: sent packets truncated in VC routed mode (Closes: #638656)
     For the complete list of changes, see:
      http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.3
+  * netfilter: TCP and raw fix for ip_route_me_harder (fixes case where
+    SNAT/masquerading is not done)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 21 Aug 2011 16:18:29 +0100
 
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch	Tue Aug 23 04:24:47 2011	(r17987)
@@ -0,0 +1,67 @@
+From: Julian Anastasov <ja at ssi.bg>
+Date: Sun, 7 Aug 2011 09:11:00 +0000
+Subject: [PATCH] netfilter: TCP and raw fix for ip_route_me_harder
+
+commit 797fd3913abf2f7036003ab8d3d019cbea41affd upstream.
+
+TCP in some cases uses different global (raw) socket
+to send RST and ACK. The transparent flag is not set there.
+Currently, it is a problem for rerouting after the previous
+change.
+
+	Fix it by simplifying the checks in ip_route_me_harder
+and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe
+because the initial routing allowed this source address to
+be used and now we just have to make sure the packet is rerouted.
+
+	As a side effect this also allows rerouting for normal
+raw sockets that use spoofed source addresses which was not possible
+even before we eliminated the ip_route_input call.
+
+Signed-off-by: Julian Anastasov <ja at ssi.bg>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/netfilter.c |   18 ++++++++----------
+ 1 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
+index 2e97e3e..929b27b 100644
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -18,17 +18,15 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
+ 	struct rtable *rt;
+ 	struct flowi4 fl4 = {};
+ 	__be32 saddr = iph->saddr;
+-	__u8 flags = 0;
++	__u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+ 	unsigned int hh_len;
+ 
+-	if (!skb->sk && addr_type != RTN_LOCAL) {
+-		if (addr_type == RTN_UNSPEC)
+-			addr_type = inet_addr_type(net, saddr);
+-		if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
+-			flags |= FLOWI_FLAG_ANYSRC;
+-		else
+-			saddr = 0;
+-	}
++	if (addr_type == RTN_UNSPEC)
++		addr_type = inet_addr_type(net, saddr);
++	if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
++		flags |= FLOWI_FLAG_ANYSRC;
++	else
++		saddr = 0;
+ 
+ 	/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
+ 	 * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
+@@ -38,7 +36,7 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
+ 	fl4.flowi4_tos = RT_TOS(iph->tos);
+ 	fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+ 	fl4.flowi4_mark = skb->mark;
+-	fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags;
++	fl4.flowi4_flags = flags;
+ 	rt = ip_route_output_key(net, &fl4);
+ 	if (IS_ERR(rt))
+ 		return -1;
+-- 
+1.7.5.4
+
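Review bot: The new `flags` initialisation at the top of the hunk now ends up requesting FLOWI_FLAG_ANYSRC for socket-owned packets too (the block below no longer checks `skb->sk`), but the reason that is acceptable — that the original route lookup already accepted this source address, so the reroute only has to re-resolve the path — lives only in the patch description, not in the code. A comment above the `if (addr_type == RTN_UNSPEC)` line would keep that argument with the code, e.g. `/* Sockets also get ANYSRC here: saddr was already accepted by the original route lookup, we only re-resolve the path (rerouting of raw sockets with a non-local saddr depends on this). */`. It is also worth a word that the `inet_addr_type(net, saddr)` lookup for RTN_UNSPEC now runs for socket-owned packets as well, where the old code skipped it; presumably intended, but it is an extra table lookup on that path. ip_route_me_harder begins before the first hunk and continues past the second.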
Modified: dists/sid/linux-2.6/debian/patches/series/3
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/3	Mon Aug 22 06:09:27 2011	(r17986)
+++ dists/sid/linux-2.6/debian/patches/series/3	Tue Aug 23 04:24:47 2011	(r17987)
@@ -1,2 +1,3 @@
 - bugfix/all/perf-do-not-look-at-.-config-for-configuration.patch
 + bugfix/all/stable/3.0.3.patch
++ bugfix/all/netfilter-TCP-and-raw-fix-for-ip_route_me_harder.patch
    
    