[NETFILTER 00/03]: Netfilter fixes

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three netfilter fixes for 2.6.20, fixing a problem with ICMP
translation in the new nf_nat code and two bugs in the new PPTP helper port
breaking NAT of PPTP connections.

Please apply, thanks.


 net/ipv4/netfilter/Makefile       |   20 ++++++++++----------
 net/ipv4/netfilter/nf_nat_pptp.c  |    4 ++--
 net/netfilter/nf_conntrack_pptp.c |    2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrack
      [NETFILTER]: nf_nat_pptp: fix expectation removal
      [NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connections

[NETFILTER 01/03]: nf_nat: fix ICMP translation with statically linked conntrack

[Patrick McHardy]

[NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrack

When nf_nat/nf_conntrack_ipv4 are linked statically, nf_nat is initialized
before nf_conntrack_ipv4, which makes the nf_ct_l3proto_find_get(AF_INET)
call during nf_nat initialization return the generic l3proto instead of
the AF_INET specific one. This breaks ICMP error translation since the
generic protocol always initializes the IPs in the tuple to 0.

Change the linking order and put nf_conntrack_ipv4 first.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7093c7d9fd00eff7cc3edba17fc8f8e1e6644da7
tree 26626579bb6e50d89602a81b181261a047d0f451
parent eef40519c526f6446a0bf8ecc666af30f2eb5bfa
author Patrick McHardy <kaber@trash.net> Wed, 24 Jan 2007 21:02:56 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 25 Jan 2007 01:17:14 +0100

 net/ipv4/netfilter/Makefile |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 15e741a..16d177b 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -4,6 +4,14 @@ #
 
 # objects for the standalone - connection tracking / NAT
 ip_conntrack-objs	:= ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
+# objects for l3 independent conntrack
+nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
+ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
+ifeq ($(CONFIG_PROC_FS),y)
+nf_conntrack_ipv4-objs	+= nf_conntrack_l3proto_ipv4_compat.o
+endif
+endif
+
 ip_nat-objs	:= ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
 nf_nat-objs	:= nf_nat_core.o nf_nat_helper.o nf_nat_proto_unknown.o nf_nat_proto_tcp.o nf_nat_proto_udp.o nf_nat_proto_icmp.o
 ifneq ($(CONFIG_NF_NAT),)
@@ -20,6 +28,8 @@ ip_nat_h323-objs := ip_nat_helper_h323.o
 
 # connection tracking
 obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
+obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
+
 obj-$(CONFIG_IP_NF_NAT) += ip_nat.o
 obj-$(CONFIG_NF_NAT) += nf_nat.o
 
@@ -106,13 +116,3 @@ obj-$(CONFIG_IP_NF_ARPFILTER) += arptabl
 
 obj-$(CONFIG_IP_NF_QUEUE) += ip_queue.o
 
-# objects for l3 independent conntrack
-nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
-ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
-ifeq ($(CONFIG_PROC_FS),y)
-nf_conntrack_ipv4-objs	+= nf_conntrack_l3proto_ipv4_compat.o
-endif
-endif
-
-# l3 independent conntrack
-obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o

[NETFILTER 02/03]: nf_nat_pptp: fix expectation removal

[Patrick McHardy]

[NETFILTER]: nf_nat_pptp: fix expectation removal

When removing the expectation for the opposite direction, the PPTP NAT
helper initializes the tuple for lookup with the addresses of the
opposite direction, which makes the lookup fail.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 3cb4aaf49a15b7dd30fe3ef882fa22f0255a3679
tree f5e8179acac4065f5e5917007e6a0e6d9343cc30
parent 7093c7d9fd00eff7cc3edba17fc8f8e1e6644da7
author Patrick McHardy <kaber@trash.net> Wed, 24 Jan 2007 21:05:28 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 25 Jan 2007 01:17:16 +0100

 net/ipv4/netfilter/nf_nat_pptp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index 0ae45b7..5df4fca 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -72,9 +72,9 @@ static void pptp_nat_expected(struct nf_
 		DEBUGP("we are PAC->PNS\n");
 		/* build tuple for PNS->PAC */
 		t.src.l3num = AF_INET;
-		t.src.u3.ip = master->tuplehash[exp->dir].tuple.src.u3.ip;
+		t.src.u3.ip = master->tuplehash[!exp->dir].tuple.src.u3.ip;
 		t.src.u.gre.key = nat_pptp_info->pns_call_id;
-		t.dst.u3.ip = master->tuplehash[exp->dir].tuple.dst.u3.ip;
+		t.dst.u3.ip = master->tuplehash[!exp->dir].tuple.dst.u3.ip;
 		t.dst.u.gre.key = nat_pptp_info->pac_call_id;
 		t.dst.protonum = IPPROTO_GRE;
 	}

[NETFILTER 03/03]: nf_conntrack_pptp: fix NAT setup of expected GRE connections

[Patrick McHardy]

[NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connections

When an expected connection arrives, the NAT helper should be called to
set up NAT similar to the master connection. The PPTP conntrack helper
incorrectly checks whether the _expected_ connection has NAT setup before
calling the NAT helper (which is never the case), instead of checkeing
whether the _master_ connection is NATed.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 279422af9b3aa7a2646f6a0c73d2add4aa43e77b
tree 50be0d46d88950d02ccd409c949d550b1c759adc
parent 3cb4aaf49a15b7dd30fe3ef882fa22f0255a3679
author Patrick McHardy <kaber@trash.net> Wed, 24 Jan 2007 21:08:09 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 25 Jan 2007 01:17:16 +0100

 net/netfilter/nf_conntrack_pptp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index f0ff00e..c59df3b 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -113,7 +113,7 @@ static void pptp_expectfn(struct nf_conn
 
 	rcu_read_lock();
 	nf_nat_pptp_expectfn = rcu_dereference(nf_nat_pptp_hook_expectfn);
-	if (nf_nat_pptp_expectfn && ct->status & IPS_NAT_MASK)
+	if (nf_nat_pptp_expectfn && ct->master->status & IPS_NAT_MASK)
 		nf_nat_pptp_expectfn(ct, exp);
 	else {
 		struct nf_conntrack_tuple inv_t;

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 25 Jan 2007 01:21:56 +0100 (MET)

> following are three netfilter fixes for 2.6.20, fixing a problem with ICMP
> translation in the new nf_nat code and two bugs in the new PPTP helper port
> breaking NAT of PPTP connections.
> 
> Please apply, thanks.

All applied, thanks a lot Patrick.

Re: [NETFILTER 00/03]: Netfilter fixes

[Jorge Bastos]

David,
I have kernel 2.6.20-rc6 and i can't make pptp connections, only 2.6.20-rc5 
with the patch patrick provided me.
In wich version did you apply this?

Jorge



----- Original Message ----- 
From: "David Miller" <davem@davemloft.net>
To: <kaber@trash.net>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Friday, January 26, 2007 9:08 AM
Subject: Re: [NETFILTER 00/03]: Netfilter fixes


> From: Patrick McHardy <kaber@trash.net>
> Date: Thu, 25 Jan 2007 01:21:56 +0100 (MET)
>
>> following are three netfilter fixes for 2.6.20, fixing a problem with 
>> ICMP
>> translation in the new nf_nat code and two bugs in the new PPTP helper 
>> port
>> breaking NAT of PPTP connections.
>>
>> Please apply, thanks.
>
> All applied, thanks a lot Patrick.
>
>