[Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device
Florian Westphal
fw at strlen.de
Wed Mar 15 10:26:08 UTC 2017
Linus Lüssing <linus.luessing at c0d3.blue> wrote:
> When trying to redirect bridged frames to the bridge device itself
> via the ebtables nat-prerouting chain and the dnat target then this
> currently fails:
>
> The ethernet destination of the frame is dnat'ed to the MAC address of
> the bridge itself just fine and the correctly altered frame can even
> be captured via a tcpdump on br0 (with or without promisc mode).
>
> However, the IP code drops it in the beginning of ip_input.c/ip_rcv()
> as the dnat target did not update the skb->pkt_type.
Right, thats the reason why ebtables also has ebt_redirect target
which does this pkt_type fixup.
> - if (dst->is_local)
> + if (dst->is_local) {
> + /* fix up potential DNAT mess */
> + skb->pkt_type = PACKET_HOST;
> +
> return br_pass_frame_up(skb);
> + }
I don't mind this change though (i.e. I don't see how this would
bite us later).
More information about the Bridge
mailing list