On Sat, Aug 06, 2005 at 04:58:46PM +0200, Patrick McHardy wrote:
> Harald Welte wrote:
> >On Sat, Aug 06, 2005 at 02:08:15AM +0400, Vladimir B. Savkin wrote:
> >
> >>I found that it really is NOTRACK that causes bogus ICMP errors.
>
> Good work tracking this down. I've seen reports of this before, but
> never found the reason.
>
> >Well, this means that your ICMP errors need to be NAT'ed but they
> >cannot, since the original connection causing the ICMP error did not go
> >through connection tracking.
> >
> >Your not-correctly-NATed ICMP packets are the logical result of this
> >configuration.
> >
> >Use of NOTRACK in combination with NAT is _extremely_ dangerous, and
> >unless you understand its full implications, I would not recommend
> >combining the two.
> >
> >So it seems your use of NOTRACK is invalid in this setup - and thus looks
> >like a configuration problem.
>
> I disagree, NAT already ignores untracked connections in most places,
> just icmp_reply_translation is missing.
>
> Vladimir, can you please test the attached patch?
No success; it looks like with this patch no ICMP replies are generated (*),
no matter whether there are any NOTRACK rules.
(*) I only tested that no replies were received by the client (broken
tracepath) and that there were no bogus packets on loopback.
> diff --git a/net/ipv4/netfilter/ip_nat_core.c
> b/net/ipv4/netfilter/ip_nat_core.c
> --- a/net/ipv4/netfilter/ip_nat_core.c
> +++ b/net/ipv4/netfilter/ip_nat_core.c
> @@ -430,6 +430,19 @@ int icmp_reply_translation(struct sk_buf
> } *inside;
> struct ip_conntrack_tuple inner, target;
> int hdrlen = (*pskb)->nh.iph->ihl * 4;
> + unsigned long statusbit;
> +
> + if (manip == IP_NAT_MANIP_SRC)
> + statusbit = IPS_SRC_NAT;
> + else
> + statusbit = IPS_DST_NAT;
> +
> + /* Invert if this is reply dir. */
> + if (dir == IP_CT_DIR_REPLY)
> + statusbit ^= IPS_NAT_MASK;
> +
> + if (!(ct->status & statusbit))
> + return 0;
>
> if (!skb_make_writable(pskb, hdrlen + sizeof(*inside)))
> return 0;
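Review bot: the new early return at the end of the added block (`if (!(ct->status & statusbit)) return 0;`) uses the same return value as the existing failure path just below it (`if (!skb_make_writable(...)) return 0;`), so a conntrack entry with no NAT status bit set for this direction is reported to the caller exactly like a packet that could not be made writable. If the callers treat 0 from icmp_reply_translation as "drop", every ICMP error whose connection was never NATed, including all untracked ones, is discarded instead of being passed through unmodified, which matches the "no ICMP replies are generated, no matter whether there exist any NOTRACK rules" symptom reported above. Suggest making the "nothing to translate" case return the success value (return 1 here, mirroring what the function returns after a completed translation) and keeping 0 only for genuine failures, and adding a short comment above the check saying that a missing status bit means "no NAT for this direction, accept as-is", not an error.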
With best regards,
Vladimir Savkin.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html