bugzilla-daemon at bugzilla.netfilter.org
2009-Mar-18 14:33 UTC
[Bug 586] New: Problems changing the source address of a packet
http://bugzilla.netfilter.org/show_bug.cgi?id=586
Summary: Problems changing the source address of a packet
Product: libnetfilter_queue
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: blocker
Priority: P1
Component: libnetfilter_queue
AssignedTo: laforge at netfilter.org
ReportedBy: damian.lezama at hotmail.com
Hi, I'm changing the source IP of incoming packets and it fails. If I change it
in PREROUTING the packet disappears even if I ACCEPT or REPEAT as verdict. If I
change it in INPUT the application gets the old one. If I change it in FORWARD
the router uses the old one.
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2009-Mar-18 14:35 UTC
[Bug 586] Problems changing the source address of a packet
http://bugzilla.netfilter.org/show_bug.cgi?id=586
------- Comment #1 from damian.lezama at hotmail.com 2009-03-18 15:35 -------
Oh, and changing the protocol also has similar effects.
bugzilla-daemon at bugzilla.netfilter.org
2009-Mar-29 22:59 UTC
[Bug 586] Problems changing the source address of a packet
http://bugzilla.netfilter.org/show_bug.cgi?id=586
jengelh at medozas.de changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WORKSFORME
------- Comment #2 from jengelh at medozas.de 2009-03-30 00:59 -------
Do not forget to update the checksums.
Please reopen if the problem persists.
bugzilla-daemon at bugzilla.netfilter.org
2009-Mar-30 07:02 UTC
[Bug 586] Problems changing the source address of a packet
http://bugzilla.netfilter.org/show_bug.cgi?id=586
damian.lezama at hotmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |
------- Comment #3 from damian.lezama at hotmail.com 2009-03-30 09:02 -------
I update the checksums. I continued looking into this and the problem seems to
be specific to changing the source to a source associated to your own host in
PREROUTING. This may be by design since a packet with the host as source
doesn't seem to be expected in PRE. Any workaround?
bugzilla-daemon at bugzilla.netfilter.org
2009-Mar-30 16:03 UTC
[Bug 586] Problems changing the source address of a packet
http://bugzilla.netfilter.org/show_bug.cgi?id=586
jengelh at medozas.de changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|laforge at netfilter.org |jengelh at medozas.de
Status|REOPENED |NEW
------- Comment #4 from jengelh at medozas.de 2009-03-30 18:03 -------
nf_conntrack already recorded the connection with the given <src,dst,...> addr
tuple, and changing them leads to confusion (ultimately dropping it), at
least for when this is done within the kernel, e.g. an Xtables target.
(libnetfilter_queue is exempt because skbs are new ones, with skb->nfct reset,
when packets are received from userspace.)
Modifications to the packet that involve parts of this tuple need to be done in
the raw table (or rawpost for outgoing traffic). raw runs before connection
tracking, and rawpost (available via an Xtables-addons branch ATM) runs
afterwards, hence ct would never see the original addresses and thus have no
way to get confused.
An alternative is that you remove the nfct entry from the tuplehash array and
reinsert it with the new tuple but that may mean more hairy code.
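The checksum maintenance Comment #2 points to, as an added example that is not code from the bug report or from libnetfilter_queue: after rewriting the IPv4 source address, both the header checksum and the TCP/UDP checksum (whose pseudo-header covers the source) have to be fixed, done here incrementally per RFC 1624 on a constructed IPv4/UDP packet. Function names, the sample addresses and the payload are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
static uint16_t fold(uint32_t s) {                 /* fold carries into a 16-bit one's-complement sum */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
static uint32_t sum16(const uint8_t *p, size_t len) { /* unfolded one's-complement sum (RFC 1071) */
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++) s += (uint32_t)p[i] << (i & 1 ? 0 : 8);
    return s;
}
/* 0 means the IPv4 header checksum verifies; with that field zeroed, the result is the value to store. */
uint16_t ipv4_verify(const uint8_t *ip) {
    return (uint16_t)~fold(sum16(ip, (size_t)(ip[0] & 0x0f) * 4));
}
uint16_t l4_verify(const uint8_t *ip, size_t len) {   /* TCP/UDP: pseudo-header + L4 bytes, same rule */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, l4 = len - ihl;
    return (uint16_t)~fold(sum16(ip + 12, 8) + ip[9] + (uint32_t)l4 + sum16(ip + ihl, l4));
}
/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), the 32-bit m and m' taken as two 16-bit words each. */
static void csum_replace4(uint8_t *c, uint32_t from, uint32_t to) {
    uint32_t s = (uint16_t)~(c[0] << 8 | c[1]);
    s += (uint16_t)~(from >> 16) + (uint16_t)~(from & 0xffff) + (to >> 16) + (to & 0xffff);
    uint16_t hc = (uint16_t)~fold(s);
    c[0] = (uint8_t)(hc >> 8); c[1] = (uint8_t)hc;
}
/* Rewrite the IPv4 source in place, fixing the IP header checksum and the TCP/UDP one (its pseudo-header covers src). */
int rewrite_saddr(uint8_t *pkt, size_t len, uint32_t saddr) {
    size_t ihl = len < 20 ? 0 : (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || (pkt[0] >> 4) != 4) return -1;
    uint32_t old = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 | pkt[14] << 8 | pkt[15];
    for (int i = 0; i < 4; i++) pkt[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
    csum_replace4(pkt + 10, old, saddr);
    size_t off = pkt[9] == 6 ? 16 : pkt[9] == 17 ? 6 : 0;      /* TCP / UDP checksum offset */
    if (off == 0 || len < ihl + off + 2) return 0;
    uint8_t *c = pkt + ihl + off;
    if (pkt[9] == 17 && c[0] == 0 && c[1] == 0) return 0;      /* UDP sent without a checksum */
    csum_replace4(c, old, saddr);
    if (pkt[9] == 17 && c[0] == 0 && c[1] == 0) c[0] = c[1] = 0xff; /* UDP: 0 would mean "none" */
    return 0;
}
/* Constructed sample (IPv4 10.0.0.2 -> 10.0.0.1, UDP 12345 -> 53, "ping"): fill checksums, rewrite src to 192.168.1.5, re-verify; 0 = all good. */
int demo_rewrite(void) {
    uint8_t p[32] = {0x45,0,0,32, 0,0,0x40,0, 64,17, 0,0, 10,0,0,2, 10,0,0,1,
                     0x30,0x39,0,53, 0,12,0,0, 'p','i','n','g'};
    uint16_t h = ipv4_verify(p);   p[10] = (uint8_t)(h >> 8); p[11] = (uint8_t)h;
    uint16_t u = l4_verify(p, 32); p[26] = (uint8_t)(u >> 8); p[27] = (uint8_t)u;
    int bad = ipv4_verify(p) != 0 || l4_verify(p, 32) != 0 || rewrite_saddr(p, 32, 0xc0a80105u) != 0;
    return bad || ipv4_verify(p) != 0 || l4_verify(p, 32) != 0 || p[12] != 192 || p[15] != 5;
}
```

Correct checksums do not by themselves settle the point in Comment #4: once conntrack has recorded the original tuple, the address change still has to happen before connection tracking (the raw table) or the packet is dropped.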