From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@davemloft.net>
Cc: Harald Welte <laforge@netfilter.org>,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>
Subject: Re: Fw: [Bug 133788] New: ip_conntrack_in: Frag of proto 17
Date: Wed, 29 Sep 2004 01:35:53 +0200
Message-ID: <4159F559.3040400@trash.net>
In-Reply-To: <20040928220532.GN29961@sunbeam.de.gnumonks.org>
[-- Attachment #1: Type: text/plain, Size: 497 bytes --]
Harald Welte wrote:
>The conntrack message basically means that at NF_IP_PRE_ROUTING we
>suddenly see fragmented packets. This "can never happen" since at the
>same PRE_ROUTING hook we defragment just before
>via ip_conntrack_defrag() -> ip_ct_gather_frags() -> ip_defrag()
>
>
Here is the patch. Untracked and already tracked (loopback) packets
are not defragmented, but the check in ip_conntrack_in for
untracked/already tracked is after the check for fragments.
This patch moves it up.
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1298 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/09/29 01:26:22+02:00 kaber@coreworks.de
# [NETFILTER]: move check for already tracked/untracked before fragment check
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/ipv4/netfilter/ip_conntrack_core.c
# 2004/09/29 01:25:49+02:00 kaber@coreworks.de +6 -6
# [NETFILTER]: move check for already tracked/untracked before fragment check
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
--- a/net/ipv4/netfilter/ip_conntrack_core.c 2004-09-29 01:27:34 +02:00
+++ b/net/ipv4/netfilter/ip_conntrack_core.c 2004-09-29 01:27:34 +02:00
@@ -688,6 +688,12 @@
int set_reply;
int ret;
+ /* Previously seen (loopback or untracked)? Ignore. */
+ if ((*pskb)->nfct) {
+ CONNTRACK_STAT_INC(ignore);
+ return NF_ACCEPT;
+ }
+
/* Never happen */
if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
if (net_ratelimit()) {
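Review bot: the "/* Never happen */" comment on the fragment test directly below the new block no longer holds on its own. The message explains that untracked and already tracked (loopback) packets are not defragmented, and it is only the new early return that keeps them away from this test. Consider rewording the comment to state that precondition (fragments cannot reach this point for skbs without nfct set), so a later reorder does not bring back the spurious "Frag of proto" message. The new comment could also note that such skbs may still be fragments when NF_ACCEPT is returned.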
@@ -714,12 +720,6 @@
(*pskb)->sk, (*pskb)->pkt_type);
}
#endif
-
- /* Previously seen (loopback or untracked)? Ignore. */
- if ((*pskb)->nfct) {
- CONNTRACK_STAT_INC(ignore);
- return NF_ACCEPT;
- }
proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
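Review bot: with the nfct check removed from after the "#endif" here and placed ahead of the fragment test, the conditional block that ends at that "#endif" is now skipped for previously seen packets too, which the changelog ("before fragment check") does not mention. If that block is purely diagnostic, say so in the commit message; otherwise confirm that nothing relied on it running for loopback or untracked skbs.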