Patrick McHardy wrote:
Pablo Neira Ayuso wrote:
The combination of NAT and helpers may produce TCP sequence adjustments.
In failover setups, this information needs to be replicated in order to
achieve a successful recovery of mangled, related connections. This
patch is particularly useful for conntrackd, see:
+ /* NAT sequence adjustment */
+ IPCT_NATSEQADJ_BIT = 13,
+ IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
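Review bot: the comment on the new event bit does not say when the event is generated; `/* NAT sequence adjustment */` should state that it is raised when a NAT helper mangles the TCP payload of a connection and the sequence offset changes, since a listener such as conntrackd (the use case named above) needs that to know when to expect the adjustment data in the event message.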
You don't seem to be using this bit for anything.
Hm, I think I did.
@@ -191,6 +192,8 @@ nf_nat_mangle_tcp_packet(struct sk_buff
/* Tell TCP window tracking about seq change */
nf_conntrack_tcp_update(skb, ip_hdrlen(skb),
ct, CTINFO2DIR(ctinfo));
+
+ nf_conntrack_event_cache(IPCT_NATSEQADJ, skb);
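Review bot: `nf_conntrack_event_cache(IPCT_NATSEQADJ, skb)` is placed right after `nf_conntrack_tcp_update()`, so please confirm that the conntrack's sequence adjustment state has already been recorded in `ct` at this point; the event itself carries no data, and the later ctnetlink dump reads the offset from `ct` when the cached event is delivered, so caching before the update would report the previous offset. A blank `+` line alone on L16 is fine for separation, but a one-line comment like `/* let ctnetlink report the new seq adjustment */` would mirror the existing comment above `nf_conntrack_tcp_update()`.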
Here we cache the NAT sequence adjustment event.
===================================================================
--- net-2.6.git.orig/net/netfilter/nf_conntrack_netlink.c 2007-11-25 19:08:18.000000000 +0100
+++ net-2.6.git/net/netfilter/nf_conntrack_netlink.c 2007-12-08 21:42:31.000000000 +0100
@@ -424,6 +474,10 @@ static int ctnetlink_conntrack_event(str
(ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0))
goto nla_put_failure;
+
+ if (events & IPCT_NATSEQADJ &&
+ ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
+ goto nla_put_failure;
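Review bot: the added condition `events & IPCT_NATSEQADJ && ctnetlink_dump_nat_seq_adj(skb, ct) < 0` relies on `&` binding tighter than `&&`, which is correct but reads ambiguously next to the fully parenthesized counters check in the context lines above; suggest `(events & IPCT_NATSEQADJ) && ctnetlink_dump_nat_seq_adj(skb, ct) < 0`. The hunk header offset (`-424` vs `+474`) shows `ctnetlink_dump_nat_seq_adj()` itself is added earlier in this file but is not quoted here, so whether it returns 0 (rather than failing) for a conntrack that carries no adjustment cannot be checked from this excerpt.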
And here we dump it.