Yo
On 11/05/2017 21:33, Frank Kardel wrote:
I think the solution is much simpler (as I mentioned before).
If we actually take look at ip_output we see roughly following
processing steps:
1) insert ip options
2) create IP header unless forwarding or raw output
3) handle routing (choose output interface)
4) if no source address is set, use the interface address of the
outgoing interface
5) handle IPSEC
6) run packet filter
7) check whether we are sending from a valid local address (our
discussion point)
8) do xmit accounting
9) handle TSO offloading or packet not needing fragmentation and output
via interface -> done
10) handle checksum offloading/calculation
11) handle fragmentation output fragmented packets
12) finalize
During 1...5 the assumption/requirement that non IP_FORWARDING packets
must originate from local addresses holds.
Number 6 breaks this assumption in case of a redirected remote address
to a local address. There the test in 7 relies
on a requirement that cannot be guaranteed after packet filter NAT
operations.
Moving ia pickup and !IP_FORWARDING local address check from 7 to 5a
will achieve what we want (guard against from invalid local addresses).
Also
IFA accounting would correctly measure bytes-sent at the right local
address involved in the redirect scenario.
I am currently running a check on local address violations before the
packet filter call. The invariant that 1..5 follow the local address
requirement holds so
far. Traffic processed is: normal connections, ipsec transport/NATT,
some multicast.
Can somebody verify that strategy as a correct solution?
NB: the current fix has the drawback of at least miscounting output
bytes and missing some local checks.
Why not grab the pre-filter address at 5 and if the post filter
address is NULL, use the pre-filter address?
Would that work and solve the counting issue as well?
Roy