On 30/05/11 17:01, Menyhart Zoltan wrote:
> Pablo Neira Ayuso wrote:
>
>> Please, would you give a try to this patch?
>>
>> Thanks!
>
> Have you got a patch for 2.6.32, please, because this section does
> not apply:
>
> diff --git a/net/netfilter/nf_conntrack_core.c
> b/net/netfilter/nf_conntrack_core.c
> index 2e1c11f..9421fe4 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -922,6 +922,9 @@ nf_conntrack_in(struct net *net, u_int8_t pf,
> unsigned int hooknum,
> ret = -ret;
> goto out;
> }
> + /* ICMP[v6] protocol trackers may assign one conntrack. */
> + if (skb->nfct)
> + goto out;
> }
>
> ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum,
>
> Thanks,

Sorry, no patch for 2.6.32. But I would appreciate it if you could add that chunk by yourself, it's quite easy:

    785 if (l4proto->error != NULL) {
    786         ret = l4proto->error(net, skb, dataoff, &ctinfo, pf, hooknum);
    787         if (ret <= 0) {
    788                 NF_CT_STAT_INC_ATOMIC(net, error);
    789                 NF_CT_STAT_INC_ATOMIC(net, invalid);
    790                 return -ret;
    791         }

add it here.

    792 }

And test it, of course.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
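Review bot: the added `if (skb->nfct) goto out;` in the quoted hunk relies on `ret` still holding the positive verdict returned by `l4proto->error()` when control reaches `out`, since the only other assignment visible in the hunk is `ret = -ret;` on the `ret <= 0` path; a short addition to the comment saying that the error handler's verdict is passed through as-is would make that dependency explicit. The same applies to the 2.6.32 backport sketched later in the thread: that version has no `out` label in the quoted lines and returns `-ret` directly, so the check inserted between lines 791 and 792 cannot use `goto out` verbatim and would need to return the verdict itself (presumably `return ret;`), with the cleanup that `out` performs in the newer tree checked against what 2.6.32 expects at that point.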