Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=130e7a83d7ec8c5c673225e0fa8ea37b1ed507a5
Commit:     130e7a83d7ec8c5c673225e0fa8ea37b1ed507a5
Parent:     e2a3123fbe58da9fd3f35cd242087896ace6049f
Author:     Yasuyuki Kozakai <[EMAIL PROTECTED]>
AuthorDate: Sat Jul 14 20:45:41 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Sat Jul 14 20:45:41 2007 -0700

    [NETFILTER]: nf_conntrack: Don't track locally generated special ICMP error
    
    The conntrack assigned to a locally generated ICMP error is usually the one
    assigned to the original packet which caused the error. But if
    the original packet is handled as invalid by nf_conntrack, no conntrack
    is assigned to the original packet. Then nf_ct_attach() cannot assign
    any conntrack to the ICMP error packet. In that case the current
    nf_conntrack_icmp assigns an appropriate conntrack to it. But the current
    code mistakes the direction of the packet. As a result, the NAT code mistakes
    the address to be mangled.
    
    To fix the bug, this changes nf_conntrack_icmp not to assign a conntrack
    to such ICMP errors. Actually, no address needs to be mangled
    in this case.
    
    Spotted by Jordan Russell.
    
    Signed-off-by: Yasuyuki Kozakai <[EMAIL PROTECTED]>
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c |   22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c 
b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index b8b7999..f965733 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -165,25 +165,13 @@ icmp_error_message(struct sk_buff *skb,
 
        h = nf_conntrack_find_get(&innertuple);
        if (!h) {
-               /* Locally generated ICMPs will match inverted if they
-                  haven't been SNAT'ed yet */
-               /* FIXME: NAT code has to handle half-done double NAT --RR */
-               if (hooknum == NF_IP_LOCAL_OUT)
-                       h = nf_conntrack_find_get(&origtuple);
-
-               if (!h) {
-                       pr_debug("icmp_error_message: no match\n");
-                       return -NF_ACCEPT;
-               }
-
-               /* Reverse direction from that found */
-               if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
-                       *ctinfo += IP_CT_IS_REPLY;
-       } else {
-               if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
-                       *ctinfo += IP_CT_IS_REPLY;
+               pr_debug("icmp_error_message: no match\n");
+               return -NF_ACCEPT;
        }
 
+       if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
+               *ctinfo += IP_CT_IS_REPLY;
+
        /* Update skb to refer to this connection */
        skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
        skb->nfctinfo = *ctinfo;
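Review bot: The `if (!h)` branch now returns `-NF_ACCEPT` without any comment for exactly the case the removed comment used to describe (a locally generated ICMP error whose original packet was never tracked); the reasoning that such errors are intentionally left untracked and need no NAT mangling lives only in the commit message, so a one-line comment at that spot, e.g. `/* Locally generated errors for untracked packets stay untracked */`, would keep it with the code. Also check whether `hooknum` is still referenced anywhere else in `icmp_error_message()` now that the `NF_IP_LOCAL_OUT` check is gone; if not, it is a candidate for removal from the signature (callers permitting) to avoid an unused-parameter warning. Consolidating the two identical `NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY` checks into one after the block is a clear simplification and preserves the reply-direction handling for the tracked case.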