This is a note to let you know that I've just added the patch titled
netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper
to the 3.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
and it can be found in the queue-3.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From bbb5823cf742a7e955f35c7d891e4e936944c33a Mon Sep 17 00:00:00 2001
From: Julian Anastasov <[email protected]>
Date: Tue, 9 Oct 2012 13:00:47 +0000
Subject: netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper
From: Julian Anastasov <[email protected]>
commit bbb5823cf742a7e955f35c7d891e4e936944c33a upstream.
After the change "Adjust semantics of rt->rt_gateway"
(commit f8126f1d51) we should properly match the nexthop when
destinations are directly connected because rt_gateway can be 0.
The rt_gateway checks in H.323 helper try to avoid the creation
of an unnecessary expectation in this call-forwarding case:
http://people.netfilter.org/zhaojingmin/h323_conntrack_nat_helper/#_Toc133598073
However, the existing code fails to avoid that in many cases,
see this thread:
http://marc.info/?l=linux-netdev&m=135043175028620&w=2
It seems it is not trivial to know from the kernel if two hosts
have to go through the firewall to communicate each other, which
is the main point of the call-forwarding filter code to avoid
creating unnecessary expectations.
So this patch just gets things the way they were as before
commit f8126f1d51.
Signed-off-by: Julian Anastasov <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/netfilter/nf_conntrack_h323_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -733,7 +733,8 @@ static int callforward_do_filter(const u
flowi4_to_flowi(&fl1), false)) {
if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
flowi4_to_flowi(&fl2), false)) {
- if (rt1->rt_gateway == rt2->rt_gateway &&
+ if (rt_nexthop(rt1, fl1.daddr) ==
+ rt_nexthop(rt2, fl2.daddr) &&
rt1->dst.dev == rt2->dst.dev)
ret = 1;
dst_release(&rt2->dst);
Patches currently in stable-queue which might be from [email protected] are
queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
