search for: hooknum

...t/ipv4/netfilter/ip_nat_core.c Fri Apr 12 00:= 52:31 2002 @@ -780,6 +780,18 @@ } else return NF_ACCEPT; } =20 +/* + * Decide whether to map inner header of an ICMP reply, including when + * we generate the reply ourselves. + */ +static inline int +map_innards(unsigned int maniphook, unsigned int hooknum) +{ + return (maniphook =3D=3D opposite_hook[hooknum] + || (hooknum =3D=3D NF_IP_LOCAL_OUT + && HOOK2MANIP(maniphook) =3D=3D IP_NAT_MANIP_SRC)); +} + unsigned int icmp_reply_translation(struct sk_buff *skb, struct ip_conntrack *conntrack, @@ -837,7 +849,7 @@...

...9;m not sure about the way to go. I have this at net/ipv4/netfilter/ipt-IMQ.c: static unsigned int imq_target(struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, const void *targinfo, void *userdata) { struct ipt_imq_info *mr = (struct ipt_imq_info*)targinfo; (*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE; (*pskb)->nfcache |= NFC_ALTERED; return IPT_CON...

...inux/config.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/udp.h> #include <linux/spinlock.h> #include <asm-i386/segment.h> #include <asm-i386/uaccess.h> #include <linux/netfilter_ipv4.h> static unsigned int myfirewall(unsigned int hooknum,struct sk_buff **skb, const struct net_device *in, const struct net_device *out,int (*okfn)(struct sk_buff*)) { mm_segment_t old_fs =get_fs() ; mm_segment_t new_fs =get_ds(); printk("The old fs is [%lu]\n",old_fs.seg) ; printk("The neww fs is [%lu]\n ",new_fs.seg) ; /*...

...ed on another box. * if the connection is not initiated, but accepted As SNAT happens at NF_IP_POST_ROUTING, reply translation will be performed at NF_IP_PRE_ROUTING. The following DEBUG output shows what happens (enabled DEBUGP at the top of ip_nat_core.c): icmp reply translation, ct=c3617480, hooknum=0, ctinfo=4 icmp_reply_translation: translating error c396f260 hook 0 dir REPLY, num_manips=2 icmp_reply: manip 0 dir ORIG hook 4 icmp_reply: manip 1 dir REPLY hook 0 icmp_reply: outer DST -> 192.168.131.124 As it seems the inner manip is not called, as it is registered to hook 4 (POST_ROUTING,...

...re silently dropped. Analysis We instrumented the kernel to find out where the drop was occurring. The code doing the dropping was ip_refrag() in net/ipv4/netfilter/ip_conntrack_standalone.c, specifically: /* We've seen it coming out the other side: confirm */ if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT) return NF_DROP; The dropping is caused by a race between the first packet of a given tuple making it to confirmed state, and the arrival of another packet with the same tuple. If a second packet arrives before the first is confirmed, it is assig...

...erfaces in:br0,out:eth0 Dec 15 13:26:52 localhost kernel: *ipt_do_table* treating 192.168.0.5 Dec 15 13:26:52 localhost kernel: *ipt_do_table* interfaces in:,out:eth0 Dec 15 13:26:52 localhost kernel: *ipt_do_table* we are applying the target SNAT Dec 15 13:26:52 localhost kernel: *ipt_snat_target* hooknum:4 source:192.168.0.5 Dec 15 13:26:52 localhost kernel: *ipt_snat_target* from interface:<NULL> to interface:eth0 Dec 15 13:26:52 localhost kernel: *manip_pkt* changing packet 192.168.0.5 into 140.93.64.76 ... Dec 15 13:31:47 localhost kernel: *ipt_do_table* treating 192.168.1.5 Dec 15 13:31:4...

...#include <linux/module.h> >++#include <linux/skbuff.h> >++#include <linux/ip.h> >++#include <net/checksum.h> >++ >++#include <linux/netfilter_ipv4/ip_tables.h> >++ >++static unsigned int >++target(struct sk_buff **pskb, >++ unsigned int hooknum, >++ const struct net_device *in, >++ const struct net_device *out, >++ const void *targinfo, >++ void *userinfo) >++{ >++ (*pskb)->from_imq = 1; >++ (*pskb)->nfcache |= NFC_ALTERED; >++ >++ return IPT_CONTINUE; >++} >++ >++static in...

Hi, I''m having problems with this configuration: iptables 1.3.7 (vanilla or repackaged for fc5) kernel 2.6.19 (vanilla) ROUTE 1.11 (last pom-ng) layer7-filter 2.6 (last in sf.net) connlimit (last pom-ng) When I try to use -j ROUTE in any chain in mangle table I have this error: [root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp -j ROUTE --gw