[PATCH] netfilter-0.1.10 conntrack/NAT problems
Paul Rusty Russell
Thu, 07 Oct 1999 21:20:33 +0930
In message <199910060510.BAA17942@opium.mbsi.ca> you write:
> The enclosed patch addresses a couple of conntrack/NAT problems I
> 1) crashes in ip_nat_cleanup_conntrack() [sometimes called without prior
> place_in_hashes()] because when DEBUG_CONNTRACK is undefined the
> LIST_DELETE() macro not checking if entry in list,
Good point. I'd missed it (most packets pass straight from
conntrack to NAT). A slightly clearer fix is to simply insert `if
(!info->initialized) return;' at the top of the function.
> 2) some connections were not being tracked properly
> --- netfilter-0.1.10/conntrack/ip_conntrack_core.c 1999/10/04 20:44:10 1.1
> +++ netfilter-0.1.10/conntrack/ip_conntrack_core.c 1999/10/06 03:54:08
> @@ -479,7 +479,8 @@
> (*pskb)->nfcache |= NFC_UNKNOWN;
> /* Not for us, or previously seen (loopback)? Ignore. */
> - if ((*pskb)->nfreason)
> + if ((*pskb)->nfreason
> + && (*pskb)->nfreason <= NF_REASON_MIN_RESERVED_FOR_CONNTRACK)
> return NF_ACCEPT;
> /* Gather fragments. */
This addresses the fundamental conflict between other uses of `reason'
and this one. It's a losing game (see other mail).