Re: 2.0.33: IP MASQ subtly BROKEN

Alan Cox (alan@lxorguk.ukuu.org.uk)
Sat, 3 Jan 1998 23:17:43 +0000 (GMT)

> So what's happening: A subtle bug in IP masquerading is causing the incoming
> packets to be 'demasqueraded' on the ppp interface before they cross the
> firewall, thus causing the tcpdump to lie.

It isn't a bug. The order of the firewall is

Input rule
Masquerading and Forwarding Rule
Output rule

That's precisely defined.

What is less than perfectly defined in 2.0.x, and depends on timing issues
it shouldn't, is "what does tcpdump on the box doing the forwarding see". To
get an honest answer, look from the outside or use skb_copy not skb_clone
for dumped packets - that's a lot slower but correct. 2.1.x does the
right thing but it's not trivial and therefore "safe" to backport.

Note btw that diald doesn't exactly fit the pattern either, as it snoops in
different ways on active and inactive links.

Alan
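As an added illustration, not part of Alan's message or of the kernel source: a toy C model of why a dump taken from a clone that shares the packet data shows the demasqueraded destination, while a private copy keeps what the wire carried. The struct, the skb_* function names and the addresses are constructed stand-ins that only mimic the sharing behaviour described above; they are not the kernel's sk_buff code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDRLEN 16   /* room for a dotted-quad IPv4 address */

/* Toy model, constructed here, not the kernel's struct sk_buff: a header
 * whose data may be shared (skb_clone) or private (skb_copy). */
struct skb {
    char *data;   /* packet bytes: here only the destination address */
    int  *refs;   /* headers sharing data; data is freed when it hits zero */
};

static struct skb *skb_new(const char *dst) {
    struct skb *s = malloc(sizeof *s);
    s->data = malloc(ADDRLEN);
    snprintf(s->data, ADDRLEN, "%s", dst);
    s->refs = malloc(sizeof *s->refs), *s->refs = 1;
    return s;
}

/* Clone: new header, same data. Cheap, but in-place edits made later by
 * the forwarding path show through to whoever holds the clone. */
static struct skb *skb_clone(struct skb *s) {
    struct skb *c = malloc(sizeof *c);
    c->data = s->data, c->refs = s->refs, (*c->refs)++;
    return c;
}

/* Copy: new header and private data. Slower, but a faithful snapshot. */
static struct skb *skb_copy(struct skb *s) { return skb_new(s->data); }

static void skb_free(struct skb *s) {
    if (--*s->refs == 0) { free(s->data); free(s->refs); }
    free(s);
}

/* Demasquerading rewrites the destination of the live packet in place. */
static void demasquerade(struct skb *s, const char *inner_dst) {
    snprintf(s->data, ADDRLEN, "%s", inner_dst);
}

/* A reply arrives on ppp0 for the masquerading host, the dumper snapshots
 * it (clone or copy), then masq rewrites it for the inner client. Returns
 * the destination the dump shows. Constructed addresses; static buffer. */
const char *dumped_dst(int use_copy) {
    static char seen[ADDRLEN];
    struct skb *pkt  = skb_new("192.0.2.10");   /* masq host's public address */
    struct skb *dump = use_copy ? skb_copy(pkt) : skb_clone(pkt);
    demasquerade(pkt, "10.0.0.5");               /* inner client behind the box */
    snprintf(seen, ADDRLEN, "%s", dump->data);
    skb_free(dump);
    skb_free(pkt);
    return seen;
}
```

With the clone, `dumped_dst(0)` reports the inner address the masq code wrote after the snapshot was taken; with the copy, `dumped_dst(1)` still reports the public address that was actually on the wire.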