aboutsummaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2009-11-06 03:43:42 -0500
committerDavid S. Miller <davem@davemloft.net>2009-11-06 03:43:42 -0500
commitf9dd09c7f7199685601d75882447a6598be8a3e0 (patch)
tree98ab4a75ec6c74cdb4aa807c491002ba33de56c5 /include/net
parentf5209b4446d185cc95f46363f8043a743530c15a (diff)
netfilter: nf_nat: fix NAT issue in 2.6.30.4+
Vitezslav Samel discovered that since 2.6.30.4+ active FTP can not work over NAT. The "cause" of the problem was a fix of unacknowledged data detection with NAT (commit a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272). However, actually, that fix uncovered a long standing bug in TCP conntrack: when NAT was enabled, we simply updated the max of the right edge of the segments we have seen (td_end), by the offset NAT produced with changing IP/port in the data. However, we did not update the other parameter (td_maxend) which is affected by the NAT offset. Thus that could drift away from the correct value and thus resulted breaking active FTP. The patch below fixes the issue by *not* updating the conntrack parameters from NAT, but instead taking into account the NAT offsets in conntrack in a consistent way. (Updating from NAT would be more harder and expensive because it'd need to re-calculate parameters we already calculated in conntrack.) Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/netfilter/nf_conntrack.h8
-rw-r--r--include/net/netfilter/nf_nat_helper.h4
2 files changed, 7 insertions, 5 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index cbdd6284996d..5cf7270e3ffc 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -255,11 +255,9 @@ static inline bool nf_ct_kill(struct nf_conn *ct)
255} 255}
256 256
257/* These are for NAT. Icky. */ 257/* These are for NAT. Icky. */
258/* Update TCP window tracking data when NAT mangles the packet */ 258extern s16 (*nf_ct_nat_offset)(const struct nf_conn *ct,
259extern void nf_conntrack_tcp_update(const struct sk_buff *skb, 259 enum ip_conntrack_dir dir,
260 unsigned int dataoff, 260 u32 seq);
261 struct nf_conn *ct, int dir,
262 s16 offset);
263 261
264/* Fake conntrack entry for untracked connections */ 262/* Fake conntrack entry for untracked connections */
265extern struct nf_conn nf_conntrack_untracked; 263extern struct nf_conn nf_conntrack_untracked;
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h
index 237a961f40e1..4222220920a5 100644
--- a/include/net/netfilter/nf_nat_helper.h
+++ b/include/net/netfilter/nf_nat_helper.h
@@ -32,4 +32,8 @@ extern int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb,
32 * to port ct->master->saved_proto. */ 32 * to port ct->master->saved_proto. */
33extern void nf_nat_follow_master(struct nf_conn *ct, 33extern void nf_nat_follow_master(struct nf_conn *ct,
34 struct nf_conntrack_expect *this); 34 struct nf_conntrack_expect *this);
35
36extern s16 nf_nat_get_offset(const struct nf_conn *ct,
37 enum ip_conntrack_dir dir,
38 u32 seq);
35#endif 39#endif