rejects/netfilter-connection-tracking.patch - pub/scm/linux/kernel/git/warthog9/stable-queue - Git at Google

 From stable-bounces@linux.kernel.org  Tue Jun 28 16:07:25 2005
 Date: Tue, 28 Jun 2005 16:06:39 -0700 (PDT)
 Message-Id: <20050628.160639.130608735.davem@davemloft.net>
 To: stable@kernel.org
 From: "David S. Miller" <davem@davemloft.net>
 Subject: [NETFILTER]: Fix connection tracking bug in 2.6.12

 In 2.6.12 we started dropping the conntrack reference when a packet
 leaves the IP layer. This broke connection tracking on a bridge,
 because bridge-netfilter defers calling some NF_IP_* hooks to the bridge
 layer for locally generated packets going out a bridge, where the
 conntrack reference is no longer available. This patch keeps the
 reference in this case as a temporary solution, long term we will
 remove the defered hook calling. No attempt is made to drop the
 reference in the bridge-code when it is no longer needed, tc actions
 could already have sent the packet anywhere.

 Signed-off-by: Patrick McHardy <kaber@trash.net>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Chris Wright <chrisw@osdl.org>
 ---

 Index: linux-2.6.12.y/net/bridge/br_netfilter.c
 ===================================================================
 --- linux-2.6.12.y.orig/net/bridge/br_netfilter.c
 +++ linux-2.6.12.y/net/bridge/br_netfilter.c
 @@ -882,7 +882,7 @@ static unsigned int ip_sabotage_out(unsi
  		 * doesn't use the bridge parent of the indev by using
  		 * the BRNF_DONT_TAKE_PARENT mask. */
  		if (hook == NF_IP_FORWARD && nf_bridge->physindev == NULL) {
 -			nf_bridge->mask &= BRNF_DONT_TAKE_PARENT;
 +			nf_bridge->mask |= BRNF_DONT_TAKE_PARENT;
  			nf_bridge->physindev = (struct net_device *)in;
  		}
  #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
 Index: linux-2.6.12.y/net/ipv4/ip_output.c
 ===================================================================
 --- linux-2.6.12.y.orig/net/ipv4/ip_output.c
 +++ linux-2.6.12.y/net/ipv4/ip_output.c
 @@ -196,7 +196,13 @@ static inline int ip_finish_output2(stru
  	nf_debug_ip_finish_output2(skb);
  #endif /*CONFIG_NETFILTER_DEBUG*/

 -	nf_reset(skb);
 +#ifdef CONFIG_BRIDGE_NETFILTER
 +	/* bridge-netfilter defers calling some IP hooks to the bridge layer
 +	 * and still needs the conntrack reference.
 +	 */
 +	if (skb->nf_bridge == NULL)
 +#endif
 +		nf_reset(skb);

  	if (hh) {
  		int hh_alen;
	From stable-bounces@linux.kernel.org Tue Jun 28 16:07:25 2005
	Date: Tue, 28 Jun 2005 16:06:39 -0700 (PDT)
	Message-Id: <20050628.160639.130608735.davem@davemloft.net>
	To: stable@kernel.org
	From: "David S. Miller" <davem@davemloft.net>
	Subject: [NETFILTER]: Fix connection tracking bug in 2.6.12

	In 2.6.12 we started dropping the conntrack reference when a packet
	leaves the IP layer. This broke connection tracking on a bridge,
	because bridge-netfilter defers calling some NF_IP_* hooks to the bridge
	layer for locally generated packets going out a bridge, where the
	conntrack reference is no longer available. This patch keeps the
	reference in this case as a temporary solution, long term we will
	remove the defered hook calling. No attempt is made to drop the
	reference in the bridge-code when it is no longer needed, tc actions
	could already have sent the packet anywhere.

	Signed-off-by: Patrick McHardy <kaber@trash.net>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Chris Wright <chrisw@osdl.org>
	---

	Index: linux-2.6.12.y/net/bridge/br_netfilter.c
	===================================================================
	--- linux-2.6.12.y.orig/net/bridge/br_netfilter.c
	+++ linux-2.6.12.y/net/bridge/br_netfilter.c
	@@ -882,7 +882,7 @@ static unsigned int ip_sabotage_out(unsi
	* doesn't use the bridge parent of the indev by using
	* the BRNF_DONT_TAKE_PARENT mask. */
	if (hook == NF_IP_FORWARD && nf_bridge->physindev == NULL) {
	- nf_bridge->mask &= BRNF_DONT_TAKE_PARENT;
	+ nf_bridge->mask \|= BRNF_DONT_TAKE_PARENT;
	nf_bridge->physindev = (struct net_device *)in;
	}
	#if defined(CONFIG_VLAN_8021Q) \|\| defined(CONFIG_VLAN_8021Q_MODULE)
	Index: linux-2.6.12.y/net/ipv4/ip_output.c
	===================================================================
	--- linux-2.6.12.y.orig/net/ipv4/ip_output.c
	+++ linux-2.6.12.y/net/ipv4/ip_output.c
	@@ -196,7 +196,13 @@ static inline int ip_finish_output2(stru
	nf_debug_ip_finish_output2(skb);
	#endif /CONFIG_NETFILTER_DEBUG/

	- nf_reset(skb);
	+#ifdef CONFIG_BRIDGE_NETFILTER
	+ /* bridge-netfilter defers calling some IP hooks to the bridge layer
	+ * and still needs the conntrack reference.
	+ */
	+ if (skb->nf_bridge == NULL)
	+#endif
	+ nf_reset(skb);

	if (hh) {
	int hh_alen;