From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	Theodore Ts'o <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, netfilter-devel@vger.kernel.org,
	Patrick McHardy <kaber@trash.net>,
	davem@davemloft.net
Subject: [patch 16/16] netfilter: restore lost ifdef guarding defrag exception
Date: Fri, 7 Nov 2008 15:26:31 -0800
Message-ID: <20081107232631.GQ4282@kroah.com>
In-Reply-To: <20081107232544.GA4282@kroah.com>

[-- Attachment #1: netfilter-restore-lost-ifdef-guarding-defrag-exception.patch --]
[-- Type: text/plain, Size: 1518 bytes --]

2.6.25-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Patrick McHardy <kaber@trash.net>

netfilter: restore lost #ifdef guarding defrag exception

Upstream commit 38f7ac3eb:

Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
fragments over loopback with NAT:

[ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()

The reason is that defragmentation is skipped for already tracked connections.
This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
to avoid this behaviour when NAT is compiled in.

The entire "optimization" may seem a bit silly, for now simply restoring the
lost #ifdef is the easiest solution until we can come up with something better.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -138,10 +138,12 @@ static unsigned int ipv4_conntrack_defra
 					  const struct net_device *out,
 					  int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
 	/* Previously seen (loopback)?  Ignore.  Do this before
 	   fragment check. */
 	if (skb->nfct)
 		return NF_ACCEPT;
+#endif
 
 	/* Gather fragments. */
 	if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
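
Review bot: the new #if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE) guard at the top of the function has no comment saying why the skb->nfct shortcut has to be compiled out when NAT is available, and the existing comment inside it ("Previously seen (loopback)? Ignore.") still reads as if the early return were unconditional. Suggest a short comment above the #if stating that with NAT built in, fragments must be gathered even for already tracked packets (the commit message ties this to the WARNING at net/ipv4/netfilter/nf_nat_standalone.c:89), and a matching /* !CONFIG_NF_NAT && !CONFIG_NF_NAT_MODULE */ tag on the #endif. Because the guard is a build-time switch, a kernel with NAT configured as a module drops the shortcut whether or not NAT is in use; the commit message describes this as an interim fix, so a TODO recording that in the source would help whoever revisits it.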
