David Miller wrote:
From: Patrick McHardy <[EMAIL PROTECTED]>
Date: Mon, 14 May 2007 12:21:34 +0200
This allows any user to send spoofed packets when ip_nonlocal_bind
is set, which is a quite big change in behaviour of this option.
The TPROXY patches include a similar change, but use a flag in
Patrick McHardy wrote:
Janusz Krzysztofik wrote:
... ICMP port unreachable messages are not generated inside
IPVS code, they are just sent, with help of the patch in question, from
udp_input() or netfilter REJECT.
Both use icmp_send(), which should always pick a local source, so I
don&#
Simon Horman wrote:
On Mon, May 14, 2007 at 07:41:48PM +0200, Patrick McHardy wrote:
So you're adding a local route for non-local destination and the
address selection in icmp_send() uses the original destination
address as source because the route has RTCF_LOCAL set, resulting
in an error in ip
Julian Anastasov wrote:
If icmp_send is changed to use inet_addr_type() then ICMP will leave
with saddr != VIP and that is not nice.
...
I'm not familiar with the IPVS terms, but as far as I understand,
it is _not_ going to return RTN_LOCAL, so we get the desired
behaviour of selecting a local a
David Miller wrote:
this is a small patch by Janusz Krzysztofik to ip_route_output_slow()
that allows VIP-less LVS linux director to generate packets originating
>From VIP if sysctl_ip_nonlocal_bind is set.
Applied to net-2.6.22, thanks Simon.
Thank you,
Janusz
-
To unsubscribe from t
