[netfilter-cvslog] r3290 - trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter

yasuyuki at netfilter.org yasuyuki at netfilter.org
Sat Nov 20 19:15:05 CET 2004


Author: yasuyuki at netfilter.org
Date: 2004-11-20 19:15:04 +0100 (Sat, 20 Nov 2004)
New Revision: 3290

Modified:
   trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c
Log:
just cleanup.



Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c	2004-11-20 17:37:00 UTC (rev 3289)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c	2004-11-20 18:15:04 UTC (rev 3290)
@@ -307,7 +307,7 @@
 
 	if (length == 0)
 		return 0;
-	DEBUGP("EPRT: Got IP or IPv6 address!\n");
+	DEBUGP("EPRT: Got IP address!\n");
 	/* Start offset includes initial "|1|", and trailing delimiter */
 	return get_port(data, 3 + length + 1, dlen, delim, &cmd->u.tcp.port);
 }
@@ -399,13 +399,12 @@
 	unsigned int matchlen, matchoff;
 	struct nf_ct_ftp_master *ct_ftp_info = &ct->help->ct_ftp_info;
 	struct nf_conntrack_expect *exp;
+	struct nf_conntrack_man cmd = {};
 	struct nf_ct_ftp_expect *exp_ftp_info;
 
 	unsigned int i;
 	int found = 0;
 
-	struct nf_conntrack_man cmd = {};
-
 	/* Until there's been traffic both ways, don't look in packets. */
 	if (ctinfo != NF_CT_ESTABLISHED
 	    && ctinfo != NF_CT_ESTABLISHED+NF_CT_IS_REPLY) {
@@ -524,6 +523,10 @@
 							.tuple.src.u3.ip6)));
 		}
 
+		/* Thanks to Cristiano Lincoln Mattos
+		   <lincoln at cesar.org.br> for reporting this potential
+		   problem (DMZ machines opening holes to internal
+		   networks, or the packet filter itself). */
 		if (!loose) {
 			ret = NF_ACCEPT;
 			goto out;
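Review bot: The comment added above `if (!loose)` credits the reporter but never states what the guard enforces, which is the security-relevant part a maintainer needs. From the visible lines, when `loose` is unset the helper sets NF_ACCEPT and jumps to `out` without going further; the comparison that leads here starts outside the hunk, presumably the address carried in the FTP command differing from the connection's source address. I would extend the comment with something like `/* Address in command != connection source: unless 'loose' is set, create no expectation, so a host cannot ask for a hole to a third address. */`, and say explicitly that enabling `loose` removes this protection. The hunk also does not show whether `exp` has already been allocated on this path; if it has, confirm that the `out:` label releases it.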



