Re: Fw: [Bugme-new] [Bug 5936] New: Openswan tunnels + netfilter problem
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2006-01-24 07:25:43
Patrick McHardy [off-list ref] wrote:
> Andrew Morton wrote:
>> Please post your iptables rules and the full list of loaded modules.

The problem is caused by SNAT on a dst that already has an xfrm set. When ip_route_me_harder processes the dst it will cause the dst to lose its xfrm since it has IPSKB_XFRM_TRANSFORMED set. Since xfrm4_output_finish does not expect dsts to lose their xfrms after POST_ROUTING, it crashes.

Obviously we could add a check in xfrm4_output_finish to prevent this crash. However, I think we need to consider this a bit more since it breaks a fairly common setup where people just stick a rule into the NAT table that says

	iptables -t nat -I POSTROUTING -i eth1 -j MASQUERADE

where eth1 is the outbound interface. If this rule catches any IPsec VPN traffic then it'll SNAT them even though the intention is obviously to let them through without SNAT.

Perhaps it's best to have SNAT not touch packets with dst->xfrm set. Unfortunately that leads to problems as well (albeit rarer) since you may have catch-all IPsec policies that every packet matches, but you want certain packets to be SNATed so that they match more specific policies.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
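As an added example (not part of the thread), here is the catch-all MASQUERADE setup described in the message beside a rule set that exempts traffic matching an outbound IPsec policy from SNAT with netfilter's policy match, so the trade-off Herbert describes is decided in the rule set rather than in the kernel. It assumes eth1 is the outbound interface and that the kernel provides the xt_policy match; by default it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumes eth1 is the
# outbound interface and that the policy match (xt_policy) is available.
# IPT defaults to a dry run that prints the commands; set IPT=iptables
# and run as root to apply them.
IPT="${IPT:-echo iptables}"

# The setup from the message: everything leaving eth1 is masqueraded,
# including packets that an IPsec policy is about to encapsulate, since
# nat POSTROUTING runs before the xfrm output path.
naive_nat_rules() {
    $IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

# Same intent, but packets matching an outbound IPsec policy are accepted
# (left untouched) before the MASQUERADE rule can see them. Hosts that must
# be SNATed so they match a more specific policy get their own SNAT rule
# placed *before* the exemption (192.0.2.1 is an example address):
#   $IPT -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j SNAT --to-source 192.0.2.1
ipsec_safe_nat_rules() {
    $IPT -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

# Ordering check over a printed rule list: the IPsec exemption must appear
# before the MASQUERADE rule, otherwise it never matches. Returns 0 if so.
ipsec_exempt_before_masq() {
    awk '/--pol ipsec -j ACCEPT/ && !seen_masq { ok = 1 }
         /MASQUERADE/ { seen_masq = 1 }
         END { exit ok ? 0 : 1 }'
}

echo "# rule set from the message:"
naive_nat_rules
echo "# IPsec-aware rule set:"
ipsec_safe_nat_rules
```

Run with `IPT=iptables` only after confirming with `iptables -t nat -L POSTROUTING -n --line-numbers` that no earlier SNAT rule already matches the VPN traffic.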