On Sun, May 04, 2014 at 01:18:50PM +0200, Pablo Neira Ayuso wrote:
> On Sat, May 03, 2014 at 03:14:04AM +0400, Vasily Averin wrote:
> > Defrag user check in ip_expire was not updated after adding support for
> > "conntrack zones"
>
> I think this bug manifests as an RFC violation, as the router will send
> the icmp time exceeded message when using conntrack zones. Just would
> like to confirm this, so we can include it in the patch description.
> Thanks.

@David: If no objection, I'll pick this patch given that it's a netfilter bug. I will also append to the patch description the comment above for the record.

> > Signed-off-by: Vasily Averin <vvs@xxxxxxxxxx>
> > --- > > net/ipv4/ip_fragment.c | 5 +++-- > > 1 files changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c > > index c10a3ce..ed32313 100644 > > --- a/net/ipv4/ip_fragment.c > > +++ b/net/ipv4/ip_fragment.c > > @@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg) > > * "Fragment Reassembly Timeout" message, per RFC792. > > */ > > if (qp->user == IP_DEFRAG_AF_PACKET || > > - (qp->user == IP_DEFRAG_CONNTRACK_IN && > > - skb_rtable(head)->rt_type != RTN_LOCAL)) > > + ((qp->user >= IP_DEFRAG_CONNTRACK_IN) && > > + (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) && > > + (skb_rtable(head)->rt_type != RTN_LOCAL))) > > goto out_rcu_unlock; > > > > > > -- > > 1.7.5.4
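
Review bot: The new range test on qp->user in ip_expire() (the added comparisons against IP_DEFRAG_CONNTRACK_IN and __IP_DEFRAG_CONNTRACK_IN_END) depends on every defrag user value between those two constants being a conntrack-in user, and neither the hunk nor the comment above the condition states that. Consider moving the range comparison into a small named helper, or extending the "Fragment Reassembly Timeout" comment to say that the range covers the per-zone conntrack users, so a later change to the user numbering does not silently bring back the mismatch the commit message describes. As a style point, the parentheses around each individual comparison are unnecessary and differ from the unparenthesised `qp->user == IP_DEFRAG_AF_PACKET` test on the line above. The commit message also does not state the visible effect of the stale check, which is what the reply asks to have confirmed before it is added to the description.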