xt_TEE: decrease TTL on cloned packet
authorJan Engelhardt <jengelh@medozas.de>
Mon, 22 Mar 2010 22:15:42 +0000 (23:15 +0100)
committerJan Engelhardt <jengelh@medozas.de>
Sun, 4 Apr 2010 22:47:03 +0000 (00:47 +0200)
doc/changelog.txt
extensions/xt_TEE.c

index cca26fcb56f32f985d2e6993d31f9c0d736bd6e5..1c630d3d5011eb60a857443929f79e0df2f50286 100644 (file)
@@ -2,6 +2,7 @@
 HEAD
 ====
 - TEE: do rechecksumming in PREROUTING too
+- TEE: decrease TTL on cloned packet
 
 
 Xtables-addons 1.24 (March 17 2010)
index 74ac709823759c811f738f2458bb09a5e828bc00..95c41f7f48499f9f4b3249493ed504f10121c056 100644 (file)
@@ -165,11 +165,17 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
        /*
         * If we are in PREROUTING/INPUT, the checksum must be recalculated
         * since the length could have changed as a result of defragmentation.
+        *
+        * We also decrease the TTL to mitigate potential TEE loops
+        * between two hosts.
         */
        if (par->hooknum == NF_INET_PRE_ROUTING ||
-           par->hooknum == NF_INET_LOCAL_IN)
-               ip_send_check(ip_hdr(skb));
+           par->hooknum == NF_INET_LOCAL_IN) {
+               struct iphdr *iph = ip_hdr(skb);
 
+               --iph->ttl;
+               ip_send_check(iph);
+       }
        /*
         * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
         * the original skb, which should continue on its way as if nothing has
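Review bot: The added `--iph->ttl;` has no lower bound: ttl is an 8-bit field, so a packet arriving with TTL 0 wraps to 255 and one with TTL 1 becomes 0, which defeats the loop mitigation the new comment describes for exactly the packets it is meant to stop. If the copy is then handed to the TEE route directly rather than through the normal forwarding path (inferred; tee_tg4 starts and ends outside the hunk), nothing downstream appears to reject the expired copy. I would drop the copy before decrementing, `if (iph->ttl <= 1) { kfree_skb(skb); return XT_CONTINUE; }`, assuming `skb` already refers to the copy at this point as the conntrack lines in the tee_tg6 hunk suggest; otherwise the check belongs where the copy is made. The same unguarded decrement appears as `--iph->hop_limit;` in the tee_tg6 hunk, which also runs past the end of this excerpt.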
@@ -276,6 +282,11 @@ tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
        skb->nfctinfo = IP_CT_NEW;
        nf_conntrack_get(skb->nfct);
 #endif
+       if (par->hooknum == NF_INET_PRE_ROUTING ||
+           par->hooknum == NF_INET_LOCAL_IN) {
+               struct ipv6hdr *iph = ipv6_hdr(skb);
+               --iph->hop_limit;
+       }
        if (tee_tg_route6(skb, info))
                tee_tg_send(skb);