* [PATCH 2.6] LOCAL_OUT Nat fix, part 2
@ 2003-10-02 16:18 Harald Welte
From: Harald Welte @ 2003-10-02 16:18 UTC (permalink / raw)
  To: David Miller; +Cc: Netfilter Development Mailinglist



Hi Davem!

Please apply the following patch to your 2.6 tree, thanks.


Author: Rusty Russell / Harald Welte
Status: Pending for kernel inclusion

D: Balazs Scheidler pointed out that we can fail to call ip_nat_setup_info
D: for local NAT, which causes the connection to be added twice. Boom.
D: Also move the hash table insertion into ip_nat_setup_info.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #1.2: 84_local-nullbinding.patch --]
[-- Type: text/plain, Size: 4558 bytes --]

diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.0-test6-localnat/include/linux/netfilter_ipv4/ip_nat_rule.h linux-2.6.0-test6-localnat2/include/linux/netfilter_ipv4/ip_nat_rule.h
--- linux-2.6.0-test6-localnat/include/linux/netfilter_ipv4/ip_nat_rule.h	2003-09-28 02:51:00.000000000 +0200
+++ linux-2.6.0-test6-localnat2/include/linux/netfilter_ipv4/ip_nat_rule.h	2003-10-02 18:29:05.000000000 +0200
@@ -14,5 +14,10 @@
 			    const struct net_device *out,
 			    struct ip_conntrack *ct,
 			    struct ip_nat_info *info);
+
+extern unsigned int
+alloc_null_binding(struct ip_conntrack *conntrack,
+		   struct ip_nat_info *info,
+		   unsigned int hooknum);
 #endif
 #endif /* _IP_NAT_RULE_H */
diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_core.c linux-2.6.0-test6-localnat2/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_core.c	2003-10-02 18:24:44.000000000 +0200
+++ linux-2.6.0-test6-localnat2/net/ipv4/netfilter/ip_nat_core.c	2003-10-02 18:29:05.000000000 +0200
@@ -516,12 +516,14 @@
 	struct ip_conntrack_tuple new_tuple, inv_tuple, reply;
 	struct ip_conntrack_tuple orig_tp;
 	struct ip_nat_info *info = &conntrack->nat.info;
+	int in_hashes = info->initialized;
 
 	MUST_BE_WRITE_LOCKED(&ip_nat_lock);
 	IP_NF_ASSERT(hooknum == NF_IP_PRE_ROUTING
 		     || hooknum == NF_IP_POST_ROUTING
 		     || hooknum == NF_IP_LOCAL_OUT);
 	IP_NF_ASSERT(info->num_manips < IP_NAT_MAX_MANIPS);
+	IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
 
 	/* What we've got will look like inverse of reply. Normally
 	   this is what is in the conntrack, except for prior
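Review bot: The hooknum assertion kept at the top of this hunk still admits only NF_IP_PRE_ROUTING, NF_IP_POST_ROUTING and NF_IP_LOCAL_OUT, yet the ip_nat_standalone.c part of this same patch now calls alloc_null_binding() with NF_IP_LOCAL_IN; if alloc_null_binding() forwards that hooknum to ip_nat_setup_info() (its body is not in any hunk here), every LOCAL_IN null binding trips IP_NF_ASSERT on a debug build. Extend the assert to `|| hooknum == NF_IP_LOCAL_OUT || hooknum == NF_IP_LOCAL_IN);` and confirm HOOK2MANIP(NF_IP_LOCAL_IN) yields a valid manip type, since the new `initialized` assert on the following line and the `in_hashes` snapshot both depend on it. The signature of ip_nat_setup_info and the remainder of its body lie outside this hunk.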
@@ -638,6 +640,14 @@
 
 	/* It's done. */
 	info->initialized |= (1 << HOOK2MANIP(hooknum));
+
+	if (in_hashes) {
+		IP_NF_ASSERT(info->bysource.conntrack);
+		replace_in_hashes(conntrack, info);
+	} else {
+		place_in_hashes(conntrack, info);
+	}
+
 	return NF_ACCEPT;
 }
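Review bot: ip_nat_setup_info() now inserts the conntrack into the NAT hashes as a side effect, and the standalone caller stops doing so, so every other caller of this function silently depends on the new behaviour while nothing in the hunk records the contract change. Add a comment above the new block, e.g. `/* Caller no longer places the conntrack in the NAT hashes; do it here so every path through ip_nat_setup_info() lands in the tables exactly once (replace on a second manip). */`. Because `in_hashes` is sampled at function entry, any early return between there and this point (outside the hunk) still leaves the conntrack out of the hashes, matching the old standalone behaviour; that is worth a line in the function's header comment, which is also outside the hunk.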
 
diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_rule.c linux-2.6.0-test6-localnat2/net/ipv4/netfilter/ip_nat_rule.c
--- linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_rule.c	2003-09-28 02:50:16.000000000 +0200
+++ linux-2.6.0-test6-localnat2/net/ipv4/netfilter/ip_nat_rule.c	2003-10-02 18:29:05.000000000 +0200
@@ -233,7 +233,7 @@
 	return 1;
 }
 
-static inline unsigned int
+inline unsigned int
 alloc_null_binding(struct ip_conntrack *conntrack,
 		   struct ip_nat_info *info,
 		   unsigned int hooknum)
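Review bot: Dropping `static` but keeping `inline` turns alloc_null_binding() into a non-static inline function with external linkage; under GCC's gnu89 rules an out-of-line copy is still emitted, but under C99 inline semantics a translation unit that does not also see the `extern` declaration from ip_nat_rule.h emits no definition, and the new call from ip_nat_standalone.c would then fail to link. Since the function is now part of the module's exported interface, the robust form is plain `unsigned int` on the definition line, i.e. replace `inline unsigned int` with `unsigned int`, and let the compiler decide about inlining. The body of alloc_null_binding() continues outside this hunk.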
diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_standalone.c linux-2.6.0-test6-localnat2/net/ipv4/netfilter/ip_nat_standalone.c
--- linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_standalone.c	2003-10-02 18:26:02.000000000 +0200
+++ linux-2.6.0-test6-localnat2/net/ipv4/netfilter/ip_nat_standalone.c	2003-10-02 18:29:05.000000000 +0200
@@ -119,7 +119,6 @@
 		/* Seen it before?  This can happen for loopback, retrans,
 		   or local packets.. */
 		if (!(info->initialized & (1 << maniptype))) {
-			int in_hashes = info->initialized;
 			unsigned int ret;
 
 			if (ct->master
@@ -130,9 +129,10 @@
 			} else {
 #ifdef CONFIG_IP_NF_NAT_LOCAL
 				/* LOCAL_IN hook doesn't have a chain!  */
-				if (hooknum == NF_IP_LOCAL_IN) {
-					ret = NF_ACCEPT;
-				} else
+				if (hooknum == NF_IP_LOCAL_IN)
+					ret = alloc_null_binding(ct, info,
+								 hooknum);
+				else
 #endif
 				ret = ip_nat_rule_find(pskb, hooknum, in, out,
 						       ct, info);
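Review bot: The new `else` exists only when CONFIG_IP_NF_NAT_LOCAL is set, and its brace-less body is the `ret = ip_nat_rule_find(...)` statement below the `#endif`; a control body that crosses a preprocessor boundary reads as a dangling statement in one configuration and is easy to break on the next edit. Hoisting the configuration dependence into a local flag keeps one `if`/`else` that is identical in both builds. This also makes the LOCAL_IN path obvious to whoever maintains the hooknum assertion in ip_nat_setup_info(), which must accept NF_IP_LOCAL_IN for this call to be safe. The enclosing function continues outside this hunk.
```c
				int local_in = 0;
#ifdef CONFIG_IP_NF_NAT_LOCAL
				/* LOCAL_IN hook doesn't have a chain!  */
				local_in = (hooknum == NF_IP_LOCAL_IN);
#endif
				if (local_in)
					ret = alloc_null_binding(ct, info,
								 hooknum);
				else
					ret = ip_nat_rule_find(pskb, hooknum,
							       in, out, ct,
							       info);
				/* … unchanged: ret != NF_ACCEPT handling … */
```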
@@ -142,13 +142,6 @@
 				WRITE_UNLOCK(&ip_nat_lock);
 				return ret;
 			}
-
-			if (in_hashes) {
-				IP_NF_ASSERT(info->bysource.conntrack);
-				replace_in_hashes(ct, info);
-			} else {
-				place_in_hashes(ct, info);
-			}
 		} else
 			DEBUGP("Already setup manip %s for ct %p\n",
 			       maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST",



* Re: [PATCH 2.6] LOCAL_OUT Nat fix, part 2
@ 2003-10-03  6:26 ` David S. Miller
From: David S. Miller @ 2003-10-03  6:26 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel

On Thu, 2 Oct 2003 18:18:36 +0200
Harald Welte <laforge@netfilter.org> wrote:

> Please apply the following patch to your 2.6 tree, thanks.

Applied, thanks.

