These are the only netfilter bug-fixes pending for 2.4.1:
        o Rename enum to avoid IPv4/IPv6 clash
        o Fix NAT overlap case.
        o Fix obscure problem where masquerading breaks fwmark routing.
        o Fix mangle align problem (for non-x86).

There are also some feature enhancements pending, but they can wait
for 2.4.2 (dropped table, adjustable hash sizes, multi-port FTP).

Cheers,
Rusty.
--
Premature optmztion is rt of all evl. --DK

--- working-2.4.0-test13-3/include/linux/netfilter_ipv6.h.~1~   Tue May 23 02:50:55 
2000
+++ working-2.4.0-test13-3/include/linux/netfilter_ipv6.h       Tue Jan  2 10:27:51 
+2001
@@ -54,7 +54,7 @@
 #define NF_IP6_NUMHOOKS                5
 
 
-enum nf_ip_hook_priorities {
+enum nf_ip6_hook_priorities {
        NF_IP6_PRI_FIRST = INT_MIN,
        NF_IP6_PRI_CONNTRACK = -200,
        NF_IP6_PRI_MANGLE = -150,
diff -urN -I \$.*\$ -X /tmp/kerndiff.QgcCTD --minimal 
linux-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c 
working-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c  Fri Aug 11 05:35:15 2000
+++ working-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c        Wed Jan 24 17:16:07 
+2001
@@ -438,8 +438,27 @@
                                                                conntrack));
                                ret = 1;
                                goto clear_fulls;
+                       } else if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
+                               /* Try implicit source NAT; protocol
+                                   may be able to play with ports to
+                                   make it unique. */
+                               struct ip_nat_range r
+                                       = { IP_NAT_RANGE_MAP_IPS, 
+                                           tuple->src.ip, tuple->src.ip,
+                                           { 0 }, { 0 } };
+                               DEBUGP("Trying implicit mapping\n");
+                               if (proto->unique_tuple(tuple, &r,
+                                                       IP_NAT_MANIP_SRC,
+                                                       conntrack)) {
+                                       /* Must be unique. */
+                                       IP_NF_ASSERT(!ip_nat_used_tuple
+                                                    (tuple, conntrack));
+                                       ret = 1;
+                                       goto clear_fulls;
+                               }
                        }
-                       DEBUGP("Protocol can't get unique tuple.\n");
+                       DEBUGP("Protocol can't get unique tuple %u.\n",
+                              hooknum);
                }
 
                /* Eliminate that from range, and try again. */
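Review bot: The new `struct ip_nat_range r` is positionally initialised, so a reader needs the field order of ip_nat_range to see that the two `{ 0 }` are the min/max protocol-port unions and that `tuple->src.ip` is deliberately used as both ends of the address range; the `field:` designated-initializer form the 2.4 tree already uses elsewhere (naming flags, min_ip and max_ip) would make that explicit and survive a later field reordering. Worth a comment above the fallback is that this branch rewrites the source side of the tuple from a DST-manip hook without any rule asking for it, and the only trace of that is the `DEBUGP("Trying implicit mapping\n")` on the added lines, which presumably compiles out of a non-debug build. The enclosing function starts before and continues after this hunk.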
diff -urN -I \$.*\$ -X /tmp/kerndiff.QgcCTD --minimal 
linux-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c 
working-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c
--- linux-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c       Fri Aug 11 05:35:15 
2000
+++ working-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c     Wed Jan 24 17:15:58 
+2001
@@ -68,6 +68,7 @@
        struct ip_nat_multi_range newrange;
        u_int32_t newsrc;
        struct rtable *rt;
+       struct rt_key key;
 
        IP_NF_ASSERT(hooknum == NF_IP_POST_ROUTING);
 
@@ -82,10 +83,14 @@
 
        mr = targinfo;
 
-       if (ip_route_output(&rt, (*pskb)->nh.iph->daddr,
-                           0,
-                           RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN,
-                           out->ifindex) != 0) {
+       key.dst = (*pskb)->nh.iph->daddr;
+       key.src = 0; /* Unknown: that's what we're trying to establish */
+       key.tos = RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN;
+       key.oif = out->ifindex;
+#ifdef CONFIG_IP_ROUTE_FWMARK
+       key.fwmark = (*pskb)->nfmark;
+#endif
+       if (ip_route_output_key(&rt, &key) != 0) {
                /* Shouldn't happen */
                printk("MASQUERADE: No route: Rusty's brain broke!\n");
                return NF_DROP;
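Review bot: `key` is filled field by field on the added lines but never zeroed, and its declaration in the preceding hunk (`struct rt_key key;`) carries no initializer, so any rt_key member not assigned here (the page does not show the struct's full layout; iif and scope are likely candidates) reaches ip_route_output_key() with whatever was on the stack, if the lookup consults them. The ip_route_output() call being replaced presumably built its key with a zero-filling initializer, so this would be a regression in the determinism of the route lookup. Initialising the declaration, `struct rt_key key = { 0 };`, or adding `memset(&key, 0, sizeof key);` before `key.dst = ...`, closes it. The enclosing target function begins before the first hunk of this file and continues after this one.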
diff -urN -I \$.*\$ -X /tmp/kerndiff.QgcCTD --minimal 
linux-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c 
working-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c
--- linux-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c       Sat Sep 16 15:37:23 
2000
+++ working-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c     Wed Jan 24 17:16:15 
+2001
@@ -53,7 +53,7 @@
                sizeof(struct ipt_entry),
                sizeof(struct ipt_standard),
                0, { 0, 0 }, { } },
-             { { { { sizeof(struct ipt_standard_target), "" } }, { } },
+             { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
                -NF_ACCEPT - 1 } },
            /* LOCAL_OUT */
            { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
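Review bot: The aligned target size is now spelled out by hand at three places in this initializer (this hunk and the two that follow, for the LOCAL_OUT entry and the ERROR entry), which is how the bare `sizeof(struct ipt_standard_target)` drifted from what the entry-walking code expects in the first place; a small macro for the standard-target initializer, or a comment at the top of the table stating that every target size here must be `IPT_ALIGN()`ed, would keep the three from diverging again. If the other built-in tables (filter, nat) initialise their standard targets the same way they presumably need the same treatment; only the mangle table is in this mail. The table definition being edited begins before this hunk and ends after the third one.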
@@ -61,7 +61,7 @@
                sizeof(struct ipt_entry),
                sizeof(struct ipt_standard),
                0, { 0, 0 }, { } },
-             { { { { sizeof(struct ipt_standard_target), "" } }, { } },
+             { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
                -NF_ACCEPT - 1 } }
     },
     /* ERROR */
@@ -70,7 +70,7 @@
        sizeof(struct ipt_entry),
        sizeof(struct ipt_error),
        0, { 0, 0 }, { } },
-      { { { { sizeof(struct ipt_error_target), IPT_ERROR_TARGET } },
+      { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
          { } },
        "ERROR"
       }