* [PATCH 2.6]: Prevent NAT from seeing fragments
@ 2005-02-18 0:23 Patrick McHardy
From: Patrick McHardy @ 2005-02-18 0:23 UTC (permalink / raw)
To: David S. Miller; +Cc: Netfilter Development Mailinglist
This patch fixes another fragment handling problem: on loopback, NAT might
get to see fragments because conntrack skips defragmentation for already
seen traffic. It is just meant as a temporary solution for 2.6.11; in 2.6.12
we would prefer to skip refragmentation for loopback if it doesn't cause
problems.
Regards
Patrick
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/02/18 01:11:06+01:00 kaber@coreworks.de
# [NETFILTER]: Prevent NAT from seeing fragments
#
# The path for loopback is:
# LOCAL_OUT: conntrack defrags
# POST_ROUTING: conntrack refrags
# PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL
# PRE_ROUTING: NAT gets hit by fragments
#
# Always defrag on loopback if NAT is compiled in.
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
# Acked-by: Rusty Russel <rusty@rustcorp.com.au>
#
# net/ipv4/netfilter/ip_conntrack_standalone.c
# 2005/02/18 01:10:55+01:00 kaber@coreworks.de +2 -0
# [NETFILTER]: Prevent NAT from seeing fragments
#
# The path for loopback is:
# LOCAL_OUT: conntrack defrags
# POST_ROUTING: conntrack refrags
# PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL
# PRE_ROUTING: NAT gets hit by fragments
#
# Always defrag on loopback if NAT is compiled in.
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
# Acked-by: Rusty Russel <rusty@rustcorp.com.au>
#
diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 01:15:36 +01:00
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 01:15:36 +01:00
@@ -384,10 +384,12 @@
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
/* Previously seen (loopback)? Ignore. Do this before
fragment check. */
if ((*pskb)->nfct)
return NF_ACCEPT;
+#endif
/* Gather fragments. */
if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
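Review bot: the comment "Previously seen (loopback)? Ignore. Do this before fragment check." becomes misleading once the early return is compiled out, since in NAT builds already-seen loopback traffic is no longer ignored and deliberately falls through to the fragment gathering below; add a short comment above the `#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)` stating the reason from the changelog (conntrack refragments in POST_ROUTING, so without this NAT in PRE_ROUTING would see fragments). Note also that the condition keys on NAT being compiled in, including as a module, so the extra defragmentation of loopback traffic is paid on every such kernel whether or not the NAT module is actually loaded; given the cover letter calls this a temporary fix, a comment flagging that trade-off would help the 2.6.12 follow-up.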
* Re: [PATCH 2.6]: Prevent NAT from seeing fragments
From: David S. Miller @ 2005-02-24 4:10 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Fri, 18 Feb 2005 01:23:44 +0100
Patrick McHardy <kaber@trash.net> wrote:
> This patch fixes another fragment handling problem: on loopback, NAT might
> get to see fragments because conntrack skips defragmentation for already
> seen traffic. It is just meant as a temporary solution for 2.6.11; in 2.6.12
> we would prefer to skip refragmentation for loopback if it doesn't cause
> problems.
Applied for 2.6.11, thanks Patrick.