Re: [PATCH] update raw patch in POM

[Pablo Neira <pablo@eurodev.net>]

Roberto Nibali wrote:
>>You've killed the new version of ip_ct_gather_frags available in 2.4.31:
> 
> 
> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/raw/linux-2.4.patch?rev=3692&view=markup
> 
> 
>>-    /* Gather fragments. */
>>-    if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
>>-        *pskb = ip_ct_gather_frags(*pskb,
>>-                                   hooknum == NF_IP_PRE_ROUTING ?
>>-                                   IP_DEFRAG_CONNTRACK_IN :
>>-                                   IP_DEFRAG_CONNTRACK_OUT);
>>-        if (!*pskb)
>>-            return NF_STOLEN;
>>-    }
>>
>>but you've replaced it with the old one, that goes in ip_conntrack_defrag:
>>
>>+    /* Gather fragments. */
>>+    if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
>>+        *pskb = ip_ct_gather_frags(*pskb);
>>+        if (!*pskb)
>>+            return NF_STOLEN;
>>+    }
> 
> 
> The patch in POM then is kind of misleading.

Instead I would say it's too old. It isn't misleading for a kernel 
2.4.22 but it's simply too old to apply against a 2.4.31 ;).

>>-------- missing hunk ----------------
>>diff -urN --exclude-from=/usr/src/diff.exclude
>>linux-2.4.22-log/include/linux/netfilter_ipv4/ip_conntrack.h
>>linux-2.4.22-raw/include/linux/netfilter_ipv4/ip_conntrack.h
>>--- linux-2.4.22-log/include/linux/netfilter_ipv4/ip_conntrack.h
>>2003-09-17 17:14:54.000000000 +0200
>>+++ linux-2.4.22-raw/include/linux/netfilter_ipv4/ip_conntrack.h
>>2003-09-28 14:22:09.000000000 +0200
>>@@ -250,6 +250,9 @@
>> /* Call me when a conntrack is destroyed. */
>> extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
>>
>>+/* Fake conntrack entry for untracked connections */
>>+extern struct ip_conntrack ip_conntrack_untracked;
>>+
>> extern int ip_ct_no_defrag;
>> /* Returns new sk_buff, or NULL */
>> struct sk_buff *
>> ip_ct_gather_frags(struct sk_buff *skb);
>>------- end of missing hunk ---------------
> 
> 
> Thanks, I'll try that.
> 
> 
>>Those will fix compilation. No big changes has gone into 2.4/netfilter
>>since quite some time, anyway I would need to check this more in deep to
>>make sure that everything works like a charm. Re-post a new patch and
>>I'll have a look at it again.
> 
> 
> I'll see if I can give it a spin. Unfortunately the POM mechanism (mainly the
> malfunctioning runme tool) makes it very hard for us here to extract patches.

I think that has been discussed several times. Well, POM is a repository 
of testing, unstable, unfinished stuff and sometimes (like Jozsef's raw 
table) already submitted, all those contributed by people. Every patch 
applies cleanly to a _specific_ kernel version, if not-so-many changes 
went into that part of code, it will surely apply to further versions, 
else it won't apply cleanly as it's your case. In any case, keeping the 
whole POM patch tree up to date implies a lot of work.

> I need to know how it should be done correctly though. I'm a bit opposed to
> ripping out the fragment below from the kernel:
> 
> 
>>-    if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
>>-        *pskb = ip_ct_gather_frags(*pskb,
>>-                                   hooknum == NF_IP_PRE_ROUTING ?
>>-                                   IP_DEFRAG_CONNTRACK_IN :
>>-                                   IP_DEFRAG_CONNTRACK_OUT);
>>-        if (!*pskb)
>>-            return NF_STOLEN;
>>-    }
> 
> 
> I my opinion the part above should stay and the POM patch adapted.

yes, you have to replace the old call to ip_ct_gather_frags, which has 
just one parameter, with the new one here above.

> Thank you very much for your help. BTW, I haven't forgotten about the nfnetlink
> backport thing, it's just stalled here internally due to different priorities.

fine, let me know whenever you need it.

--
Pablo