[PATCH 2.6 0/5]: NAT fixes

[PATCH 2.6 0/5]: NAT fixes

[Patrick McHardy]

Hi Dave,

the next 5 patches (against your 2.6.11 tree) fix DNAT on loopback and 
some issues
with locally generated ICMP errors for NATed packets.

You can pull all changes from bk://212.42.230.204/nf-2.6-nat

Patrick McHardy:
  o [NETFILTER]: Verify NAT manips have been applied before reversing 
them in icmp_reply_translation
  o [NETFILTER]: Apply PRE_ROUTING manips in LOCAL_OUT for locally 
generated icmp errors
  o [NETFILTER]: Save a level of indentation in icmp_reply_translation
  o [NETFILTER]: Remove CONFIG_IP_NF_NAT_LOCAL config option
  o [NETFILTER]: Release dst_entry in PRE_ROUTING after NAT


Regards
Patrick

Re: [PATCH 2.6 0/5]: NAT fixes

[David S. Miller]

On Mon, 29 Nov 2004 00:27:56 +0100
Patrick McHardy <kaber@trash.net> wrote:

> the next 5 patches (against your 2.6.11 tree) fix DNAT on loopback and 
> some issues
> with locally generated ICMP errors for NATed packets.

So this means it's OK to push this into 2.6.11 instead of trying
to slip it into 2.6.10?

It looks like there are not OOPS or crash fixes in here.
If there are, those would be 2.6.10 candidates.

Please advise.

Re: [PATCH 2.6 0/5]: NAT fixes

[Patrick McHardy]

David S. Miller wrote:

>On Mon, 29 Nov 2004 00:27:56 +0100
>Patrick McHardy <kaber@trash.net> wrote:
>
>  
>
>>the next 5 patches (against your 2.6.11 tree) fix DNAT on loopback and 
>>some issues
>>with locally generated ICMP errors for NATed packets.
>>    
>>
>
>So this means it's OK to push this into 2.6.11 instead of trying
>to slip it into 2.6.10?
>
>It looks like there are not OOPS or crash fixes in here.
>If there are, those would be 2.6.10 candidates.
>

I think they are more 2.6.11 candidates. I've tested them well, but
they don't fix any crashes.

All of the bugs they fix except for parts of the fifth patch (verify
manips have been applied before reversing them) have been there for
ages. The fifth patch fixes a bug (besides multiple others) recently
introduced by my patch "associate locally generated icmp errors with
conntrack of original packet" (ChangeSet@1.2083.2.1), some locally
generated broken ICMP messages (not broken by the patch) can't be
matched with "-m state --state INVALID" anymore. I don't think many
people actually do this, and the patch that introduced the bug still
fixes a different kind of broken ICMP errors.

So we have three options:
1. revert the patch that introduced the latest bug
2. live with the bug in 2.6.10 and put the patches in 2.6.11
3. have me double-check the fifth patch and put it in 2.6.10

I favour the second option, but if you disagree I'm also fine
with double-checking the fifth patch and putting it in 2.6.10.

Regards
Patrick

Re: [PATCH 2.6 0/5]: NAT fixes

[David S. Miller]

On Mon, 29 Nov 2004 06:26:35 +0100
Patrick McHardy <kaber@trash.net> wrote:

> So we have three options:
> 1. revert the patch that introduced the latest bug
> 2. live with the bug in 2.6.10 and put the patches in 2.6.11
> 3. have me double-check the fifth patch and put it in 2.6.10
> 
> I favour the second option, but if you disagree I'm also fine
> with double-checking the fifth patch and putting it in 2.6.10.

I think the second option works for me too.  I'll merge it into
my tree tomorrow.

Thanks Patrick.