[NETFILTER 04/08]: nf_conntrack: Don't track locally generated special ICMP error

David Miller davem at davemloft.net
Sun Jul 15 05:45:51 CEST 2007

From: Patrick McHardy <kaber at trash.net>
Date: Sat, 14 Jul 2007 17:12:39 +0200 (MEST)

> [NETFILTER]: nf_conntrack: Don't track locally generated special ICMP error
>
> The conntrack assigned to a locally generated ICMP error is usually the one
> assigned to the original packet which caused the error. But if
> the original packet is handled as invalid by nf_conntrack, no conntrack
> is assigned to the original packet. Then nf_ct_attach() cannot assign
> any conntrack to the ICMP error packet. In that case the current
> nf_conntrack_icmp assigns an appropriate conntrack to it. But the current
> code mistakes the direction of the packet. As a result, the NAT code mistakes
> the address to be mangled.
>
> To fix the bug, this changes nf_conntrack_icmp not to assign a conntrack
> to such an ICMP error. Actually, no address needs to be mangled
> in this case.
>
> Spotted by Jordan Russell.
>
> Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai at toshiba.co.jp>
> Signed-off-by: Patrick McHardy <kaber at trash.net>
