If a connection attempt fails with an ICMP unreachable message, I have to know that it has seen related packets. ICMP errors don't get their own conntrack and setting SEEN_REPLY would be bad, as it is used for other purposes. This patch introduces a new status flag SEEN_RELATED. It is set for the master conntrack if an ICMP error or another related packet is seen.

--- linux-2.6.25.4.orig/include/linux/netfilter/nf_conntrack_common.h	2008-05-20 21:05:41.000000000 +0100
+++ linux-2.6.25.4/include/linux/netfilter/nf_conntrack_common.h	2008-05-21 14:01:59.000000000 +0100
@@ -73,6 +73,10 @@
 	/* Connection has fixed timeout. */
 	IPS_FIXED_TIMEOUT_BIT = 10,
 	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
+	/* Master connection has seen a related packet */
+	IPS_SEEN_RELATED_BIT = 11,
+	IPS_SEEN_RELATED = (1 << IPS_SEEN_RELATED_BIT),
 };
 
 /* Connection tracking event bits */
--- linux-2.6.25.4.orig/net/netfilter/nf_conntrack_core.c	2008-05-20 21:05:06.000000000 +0100
+++ linux-2.6.25.4/net/netfilter/nf_conntrack_core.c	2008-05-21 14:12:42.000000000 +0100
@@ -619,6 +619,7 @@
 		  struct nf_conntrack_l3proto *l3proto,
 		  struct nf_conntrack_l4proto *l4proto,
 		  int *set_reply,
+		  int *set_related,
 		  enum ip_conntrack_info *ctinfo)
 {
 	struct nf_conntrack_tuple tuple;
@@ -657,6 +658,8 @@
 			pr_debug("nf_conntrack_in: related packet for %p\n",
 				 ct);
 			*ctinfo = IP_CT_RELATED;
+			/* Please set related bit of master if this packet OK */
+			*set_related = 1;
 		} else {
 			pr_debug("nf_conntrack_in: new packet for %p\n", ct);
 			*ctinfo = IP_CT_NEW;
@@ -678,6 +681,7 @@
 	unsigned int dataoff;
 	u_int8_t protonum;
 	int set_reply = 0;
+	int set_related = 0;
 	int ret;
 
 	/* Previously seen (loopback or untracked)? Ignore. */
@@ -710,7 +714,7 @@
 	}
 
 	ct = resolve_normal_ct(skb, dataoff, pf, protonum, l3proto, l4proto,
-			       &set_reply, &ctinfo);
+			       &set_reply, &set_related, &ctinfo);
 	if (!ct) {
 		/* Not valid part of a connection */
 		NF_CT_STAT_INC_ATOMIC(invalid);
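Review bot: The comment on the new `IPS_SEEN_RELATED` entry in the nf_conntrack_common.h hunk says only that the master "has seen a related packet", yet this header is exported to userspace, so bit 11 becomes part of the conntrack status ABI and that comment is the only documentation a ctnetlink consumer gets. Elsewhere in this patch the bit is set on `ct->master` by the core when an expected connection's packet is accepted, and set directly on the matched conntrack when an ICMP error references it; nothing on the page ever clears it. I would name both triggers and the sticky nature in the comment, e.g. `/* Master connection has seen a related packet (traffic on an expected conntrack, or an ICMP error referencing it); set once, never cleared */`.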
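Review bot: In the `@@ -657` hunk `*set_related = 1` is the only write to the new out-parameter, so its meaning depends on the caller having zeroed it beforehand (which the `@@ -678` hunk does), exactly like `*set_reply`, but nothing near the parameter says so and `resolve_normal_ct`'s header comment, if any, is outside the `@@ -619` hunk. The contract should be stated where the parameter is declared, e.g. `/* set_related: set to 1 when the packet belongs to an expected (related) connection; caller must initialise it to 0 */`; alternatively reset `*set_related = 0` wherever the original resets `*set_reply`, presumably later in the same function and outside this hunk. The function body starts before and ends after the visible lines.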
@@ -736,7 +740,9 @@
 		return -ret;
 	}
 
-	if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
+	if ((set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
+	    || (set_related && !test_and_set_bit(
+			IPS_SEEN_RELATED_BIT, &ct->master->status)))
 		nf_conntrack_event_cache(IPCT_STATUS, skb);
 
 	return ret;
--- linux-2.6.25.4.orig/net/ipv4/netfilter/nf_conntrack_proto_icmp.c	2008-05-21 17:16:46.000000000 +0100
+++ linux-2.6.25.4/net/ipv4/netfilter/nf_conntrack_proto_icmp.c	2008-05-21 17:12:03.000000000 +0100
@@ -132,6 +132,7 @@
 	struct nf_conntrack_tuple innertuple, origtuple;
 	const struct nf_conntrack_l4proto *innerproto;
 	const struct nf_conntrack_tuple_hash *h;
+	struct nf_conn *ct;
 
 	NF_CT_ASSERT(skb->nfct == NULL);
 
@@ -163,6 +164,9 @@
 		return -NF_ACCEPT;
 	}
 
+	ct = nf_ct_tuplehash_to_ctrack(h);
+	set_bit(IPS_SEEN_RELATED_BIT, &ct->status);
+
 	if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
 		*ctinfo += IP_CT_IS_REPLY;
 
-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
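Review bot: In the `@@ -736` hunk the status bit changes on `ct->master`, but the event raised for it is `nf_conntrack_event_cache(IPCT_STATUS, skb)`, which is keyed on the skb's own conntrack (`ct`, the related connection), so a ctnetlink listener receives a STATUS event for the child while the master whose status actually changed goes unreported. The merged `||` condition also dereferences `ct->master` unconditionally; it is presumably non-NULL whenever `set_related` is set (the expected path that sets it is not in this hunk), but a cheap NULL guard makes that dependency explicit rather than relying on it. Splitting the two conditions and reporting the master's transition on the master itself leaves the existing reply path untouched; `nf_conntrack_in` begins before the hunk.
```c
	/* … unchanged: error return above … */
	if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
		nf_conntrack_event_cache(IPCT_STATUS, skb);
	/* The bit changed on the master, so report the event on the master. */
	if (set_related && ct->master &&
	    !test_and_set_bit(IPS_SEEN_RELATED_BIT, &ct->master->status))
		nf_conntrack_event(IPCT_STATUS, ct->master);

	return ret;
```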
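Review bot: In the `@@ -163` hunk `set_bit(IPS_SEEN_RELATED_BIT, &ct->status)` flips the flag silently, whereas the core path in nf_conntrack_core.c pairs the same transition with an IPCT_STATUS event, so a change triggered by an ICMP error is never visible to ctnetlink listeners. Using the same pattern keeps both paths consistent: `if (!test_and_set_bit(IPS_SEEN_RELATED_BIT, &ct->status))` / `	nf_conntrack_event(IPCT_STATUS, ct);`. The only gate visible before the new lines is the inner-tuple lookup that already classifies the error as RELATED, so the flag records that an ICMP error naming this connection was observed, not anything stronger about its origin; a one-line comment saying so would help whoever later consumes the flag. `icmp_error_message` continues past the end of the hunk.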