
Thread: : Netfilter fixes




: Netfilter fixes
2007-09-09 17:20:38
Hi Dave,

these patches fix an incorrect warning message in IPv4 connection tracking
and the module unload deadlock noticed by Neil Horman.

Please apply, thanks.


 include/linux/netfilter.h                      |    5 +--
 net/bridge/netfilter/ebtables.c                |    1 +
 net/ipv4/ipvs/ip_vs_ctl.c                      |    1 +
 net/ipv4/netfilter/arp_tables.c                |    1 +
 net/ipv4/netfilter/ip_tables.c                 |    1 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   11 ++----
 net/ipv6/netfilter/ip6_tables.c                |    1 +
 net/netfilter/nf_sockopt.c                     |   36 +++++++----------------
 8 files changed, 22 insertions(+), 35 deletions(-)

Neil Horman (1):
      [NETFILTER]: Fix/improve deadlock condition on module removal netfilter

Patrick McHardy (1):
      [NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages


: nf_conntrack_ipv4: fix "Frag of proto ..." messages
2007-09-09 17:20:39
[NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages

Since we're now using a generic tuple decoding function in ICMP
connection tracking, ipv4_get_l4proto() might get called with a
fragmented packet from within an ICMP error. Remove the error
message we used to print when this happens.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 0fb0ffa355d0db63cf6f9dda9958c91e4bc7c859
tree 72c9853b112c17840ae9437e23888257dd3236ac
parent b21010ed6498391c0f359f2a89c907533fe07fec
author Patrick McHardy <kaber@trash.net> Mon, 10 Sep 2007 00:13:16 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 10 Sep 2007 00:13:16 +0200

 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   10 +++-------
 1 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index d9b5177..53cb177 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
 -87,14
+87,10  static int ipv4_get_l4proto(const struct sk_buff
*skb, unsigned int nhoff,
 	if (iph == NULL)
 		return -NF_DROP;
 
-	/* Never happen */
-	if (iph->frag_off & htons(IP_OFFSET)) {
-		if (net_ratelimit()) {
-			printk(KERN_ERR "ipv4_get_l4proto: Frag of proto
%un",
-			iph->protocol);
-		}
+	/* Conntrack defragments packets, we might still see
fragments
+	 * inside ICMP packets though. */
+	if (iph->frag_off & htons(IP_OFFSET))
 		return -NF_DROP;
-	}
 
 	*dataoff = nhoff + (iph->ihl << 2);
 	*protonum = iph->protocol;
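Review bot: the replacement check still returns -NF_DROP when iph->frag_off has a non-zero IP_OFFSET, so an ICMP error that quotes a non-first fragment is dropped outright rather than left untracked; the new comment only explains why such fragments can reach this function, not why dropping the whole ICMP packet is the intended outcome, so it should say so if that is the case. Note also that the test masks IP_OFFSET only, so a first fragment (IP_MF set, offset 0) still passes through to the `*dataoff` / `*protonum` assignments below, which is unchanged from the removed code but worth stating in the comment next to "we might still see fragments inside ICMP packets".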


: Fix/improve deadlock condition on module removal netfilter
2007-09-09 17:20:41
Re: : nf_conntrack_ipv4: fix "Frag of proto ..." messages
2007-09-11 04:27:33
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 10 Sep 2007 00:20:39 +0200 (MEST)

> [NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages
> 
> Since we're now using a generic tuple decoding function in ICMP
> connection tracking, ipv4_get_l4proto() might get called with a
> fragmented packet from within an ICMP error. Remove the error
> message we used to print when this happens.
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied, thanks.
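The inner-fragment test from the nf_conntrack_ipv4 patch above, as an added example in C that is not part of the patch or of the kernel source: it parses a constructed ICMP destination-unreachable error whose quoted inner IPv4 header carries a fragment offset, and applies the same `frag_off & IP_OFFSET` test that ipv4_get_l4proto() performs, at the offset where the inner header sits. The packet bytes, the helper names (get_l4proto, build_icmp_error, classify_inner, inner_l4_offset) and the L4_* result codes are assumptions made for this example; where the kernel returns -NF_DROP this returns L4_FRAGMENT.

```c
/* Added example, not kernel code: apply the ipv4_get_l4proto() fragment
 * check to the IPv4 header quoted inside an ICMP error. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_OFFSET 0x1FFF   /* fragment offset mask, same value as the kernel's */
#define IP_MF     0x2000   /* "more fragments" flag */

enum l4_result { L4_OK = 0, L4_TRUNCATED = -1, L4_FRAGMENT = -2 };

struct l4_info { uint8_t protonum; size_t dataoff; };

/* Mirror of the patched check: the IPv4 header at nhoff must be complete and
 * must not be a non-first fragment; on success yield the L4 header offset. */
static int get_l4proto(const uint8_t *pkt, size_t len, size_t nhoff, struct l4_info *out)
{
    if (len < nhoff + 20)
        return L4_TRUNCATED;                 /* kernel: iph == NULL -> -NF_DROP */
    const uint8_t *iph = pkt + nhoff;
    unsigned ihl = iph[0] & 0x0F;
    if ((iph[0] >> 4) != 4 || ihl < 5)
        return L4_TRUNCATED;
    /* frag_off is big-endian on the wire; masking the host value with
     * IP_OFFSET is equivalent to the kernel's iph->frag_off & htons(IP_OFFSET). */
    uint16_t frag_off = (uint16_t)((iph[6] << 8) | iph[7]);
    if (frag_off & IP_OFFSET)
        return L4_FRAGMENT;                  /* kernel: -NF_DROP */
    out->protonum = iph[9];
    out->dataoff = nhoff + ihl * 4;          /* nhoff + (iph->ihl << 2) */
    return L4_OK;
}

/* Constructed ICMP "port unreachable" error: 20-byte outer IPv4 header,
 * 8-byte ICMP header, then the quoted inner IPv4 header plus 8 payload bytes.
 * inner_frag_off is the raw 16-bit flags/offset field of the inner header. */
static size_t build_icmp_error(uint8_t *buf, size_t cap, uint16_t inner_frag_off, uint8_t inner_proto)
{
    static const uint8_t outer[20] = {0x45,0,0,56, 0,0,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2};
    static const uint8_t icmp[8]   = {3,3,0,0, 0,0,0,0};
    uint8_t inner[28] = {0x45,0,0,40, 0x12,0x34,0,0, 64,0,0,0, 10,0,0,2, 192,0,2,1,
                         0,53,0x30,0x39, 0,8,0,0};
    if (cap < 56)
        return 0;
    inner[6] = (uint8_t)(inner_frag_off >> 8);
    inner[7] = (uint8_t)(inner_frag_off & 0xFF);
    inner[9] = inner_proto;
    memcpy(buf, outer, 20);
    memcpy(buf + 20, icmp, 8);
    memcpy(buf + 28, inner, 28);
    return 56;
}

/* Result of the check for the inner header (nhoff = 28 = outer IP + ICMP). */
static int classify_inner(uint16_t inner_frag_off, uint8_t inner_proto)
{
    uint8_t pkt[64];
    struct l4_info info;
    size_t n = build_icmp_error(pkt, sizeof pkt, inner_frag_off, inner_proto);
    return get_l4proto(pkt, n, 28, &info);
}

/* Transport header offset of the inner packet, or -1 when the check fails. */
static long inner_l4_offset(uint16_t inner_frag_off, uint8_t inner_proto)
{
    uint8_t pkt[64];
    struct l4_info info;
    size_t n = build_icmp_error(pkt, sizeof pkt, inner_frag_off, inner_proto);
    if (get_l4proto(pkt, n, 28, &info) != L4_OK)
        return -1;
    return (long)info.dataoff;
}

int main(void)
{
    printf("unfragmented UDP: %d (dataoff %ld)\n", classify_inner(0, 17), inner_l4_offset(0, 17));
    printf("first fragment:   %d\n", classify_inner(IP_MF, 17));
    printf("offset 24 bytes:  %d\n", classify_inner(0x0003, 17));
    return 0;
}
```

Only non-first fragments trip the check: a first fragment carries IP_MF with a zero offset, so it still reaches the `*dataoff` / `*protonum` assignments, exactly as in the hunk, where the test on `iph->frag_off & htons(IP_OFFSET)` is unchanged by the patch.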


Re: : Fix/improve deadlock condition on module removal netfilter
2007-09-11 04:29:03
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 10 Sep 2007 00:20:41 +0200 (MEST)

> [NETFILTER]: Fix/improve deadlock condition on module removal netfilter

Applied, thanks.


