From: Thomas Graf <tgraf@redhat.com>
Date: Thu, 26 Aug 2010 12:52:45 -0400
Subject: [net] ipv6: reroute packets after netfilter mangling
Message-id: <20100826125244.GA7800@lsx.localdomain>
Patchwork-id: 27825
O-Subject: [RHEL5.6 PATCH] ipv6: reroute packets after netfilter mangling (BZ517327)
Bugzilla: 517327
RH-Acked-by: David S. Miller <davem@redhat.com>

This patch resolves the issue of IPv6 packets not being correctly rerouted after it has been mangled by a netfilter module. We need to call ip6_route_me_harder() after the packet was mangled and respect the value of nfmark when we do. This patch brings the code in line with upstream.
Brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=2711234
Resolves BZ517327
Signed-off-by: Jarod Wilson <jarod@redhat.com>
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 52a7b9e..d97e268 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -73,6 +73,7 @@ enum nf_ip6_hook_priorities {
 };
 #ifdef CONFIG_NETFILTER
+extern int ip6_route_me_harder(struct sk_buff *skb);
 extern unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, u_int8_t protocol);
diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
index bff447f..5a27e12 100644
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -57,8 +57,6 @@ extern void ip6_route_input(struct sk_buff *skb);
 extern struct dst_entry * ip6_route_output(struct sock *sk, struct flowi *fl);
-extern int ip6_route_me_harder(struct sk_buff *skb);
-
 extern int ip6_route_init(void);
 extern void ip6_route_cleanup(void);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 72fff3d..59c430e 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -18,7 +18,8 @@ int ip6_route_me_harder(struct sk_buff *skb)
 .nl_u = { .ip6_u = { .daddr = iph->daddr,
- .saddr = iph->saddr, } },
+ .saddr = iph->saddr,
+ .fwmark = skb->nfmark, } },
 };
 dst = ip6_route_output(skb->sk, &fl);
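Review bot: In include/linux/netfilter_ipv6.h the prototype for `ip6_route_me_harder()` is now declared only inside `#ifdef CONFIG_NETFILTER`, and the include/net/ip6_route.h hunk removes the unconditional one, so any caller that picked it up through net/ip6_route.h must now include linux/netfilter_ipv6.h. The include list of net/ipv6/netfilter/ip6table_mangle.c, which gains a call in this patch, is not part of the diff, so this should be confirmed with a build that warns on implicit declarations. A short comment above the prototype would also help, for example `/* re-route skb after a hook changed its addresses or mark; the caller treats 0 as success */`.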
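Review bot: In net/ipv6/netfilter.c the added `.fwmark = skb->nfmark` initializer is unconditional, and neither the `fwmark` member of `ip6_u` nor `skb->nfmark` is declared anywhere in this diff. If either is guarded by a config option in this tree, the initializer needs the same `#ifdef`, otherwise the build fails with that option off. The line also deserves a comment, since it is what lets mark-based policy routing rules apply to the re-routed packet: `/* carry the firewall mark so fwmark routing rules match on re-route */`. The body of ip6_route_me_harder() starts and ends outside the hunk, so the handling of the ip6_route_output() result cannot be checked from here.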
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 03a13ea..b4734a1 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -181,10 +181,7 @@ ip6t_local_hook(unsigned int hook,
 || memcmp(&(*pskb)->nh.ipv6h->daddr, &daddr, sizeof(daddr)) || (*pskb)->nfmark != nfmark || (*pskb)->nh.ipv6h->hop_limit != hop_limit)) {
-
- /* something which could affect routing has changed */
-
- DEBUGP("ip6table_mangle: we'd need to re-route a packet\n");
+ return ip6_route_me_harder(*pskb) == 0 ? ret : NF_DROP;
 }
 return ret;
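Review bot: In ip6t_local_hook() a failed re-route now turns the verdict into `NF_DROP` with no trace, because the removed `DEBUGP` was the only diagnostic on this path and nothing replaces it. A packet that a mangle rule re-marks or re-addresses is then dropped silently when `ip6_route_me_harder()` returns non-zero, which makes the drop hard to attribute during troubleshooting or incident review. The explanatory comment was deleted along with the debug line and the branch still needs one, for example `/* saddr, daddr, nfmark or hop_limit changed: look the route up again, drop on failure */`. Keeping a debug message or counter on the failure path would keep the drop observable. The `if` condition starts above the hunk, so its first part cannot be checked from here.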