Re: Fw: Problems with nf_nat_ftp.ko and nf_conntrack_ftp.ko in 2.6.22.6

>----- Original Message -----
>From: Patrick McHardy [mailto:kaber@xxxxxxxxx]
>Sent: Wednesday, November 7, 2007 11:33 AM
>To: 'ron lai'
>CC: netfilter@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, 'Bart De Schuymer'
>Subject: Re: Fw: Problems with nf_nat_ftp.ko and nf_conntrack_ftp.ko in 2.6.22.6
>
>Patrick McHardy wrote:
>I can reproduce this with forwarding between two bridges.
>The reason is that skb->nf_bridge still contains the data
>from the first bridge and so br_netfilter thinks this is
>a bridged packet. I don't know how this is supposed to work,
>but it seems to me that on packets going out a bridge device
>this should be reset in case it originates from a different
>bridge (actually I think it should be reset unconditionally
>but that would probably break bridged DNAT).
>
>Bart, what do you think about changing this:

(sorry for the webmail mess)
I think that would work. It shouldn't be reset unconditionally at that point since we allow IP dnating of bridged packets (bridged-and-DNAT'ed case). Another solution I think is this:
in br_nf_post_routing():
change
if (!nf_bridge)
to
if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED_DNAT))

This regression was introduced when the ip_out sabotage stuff was removed. br_nf_post_routing should now only consider bridged IP packets.

cheers,
Bart
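The two checks under discussion, worked through as a small user-space model. This is an added illustration, not code from the thread or from the kernel's br_netfilter.c: the struct layout is simplified, the BRNF_* bit values are assumed for the model, and the scenario functions construct the three packet situations the thread describes (a packet bridged through one bridge and then routed out another, a bridged-and-DNAT'ed packet, and a plain routed packet). The old check treats any attached nf_bridge as proof of a bridged packet, which is how the stale data from the first bridge misleads br_nf_post_routing; the proposed check keys on BRNF_BRIDGED_DNAT so that the bridged-and-DNAT'ed case is still handled while the routed-between-bridges case is skipped.

```c
#include <stdio.h>

/* Flag names follow br_netfilter; the bit values below are assumptions
 * for this model, not the kernel's definitions. */
#define BRNF_BRIDGED_DNAT 0x02
#define BRNF_BRIDGED      0x08

/* Per-packet bookkeeping that br_netfilter attaches while a packet
 * crosses a bridge (simplified model). */
struct nf_bridge_info {
    unsigned int mask;     /* accumulated BRNF_* flags */
    const char *physindev; /* bridge port the packet arrived on */
};

struct skb {
    const char *outdev;               /* device the packet is leaving on */
    struct nf_bridge_info *nf_bridge; /* NULL if the packet never crossed a bridge */
};

/* The check as it stood: any non-NULL nf_bridge means "bridged packet".
 * Returns 1 if br_nf_post_routing would go on to treat it as bridged. */
int post_routing_treats_as_bridged_old(const struct skb *skb)
{
    if (!skb->nf_bridge)
        return 0;
    return 1;
}

/* Bart's proposed check: only packets flagged BRNF_BRIDGED_DNAT are
 * handled; stale bookkeeping without that flag is ignored. */
int post_routing_treats_as_bridged_new(const struct skb *skb)
{
    const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
    if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED_DNAT))
        return 0;
    return 1;
}

static int run(const struct skb *skb, int use_new_check)
{
    return use_new_check ? post_routing_treats_as_bridged_new(skb)
                         : post_routing_treats_as_bridged_old(skb);
}

/* Constructed scenario: packet bridged through br0, then IP-routed out of
 * br1 with the stale nf_bridge from br0 still attached (the regression
 * Patrick reproduced). Correct outcome: not treated as bridged. */
int scenario_routed_between_bridges(int use_new_check)
{
    struct nf_bridge_info stale = { BRNF_BRIDGED, "eth0" };
    struct skb skb = { "br1", &stale };
    return run(&skb, use_new_check);
}

/* Constructed scenario: bridged-and-DNAT'ed packet, which must still be
 * handled by br_nf_post_routing under either check. */
int scenario_bridged_dnat(int use_new_check)
{
    struct nf_bridge_info info = { BRNF_BRIDGED | BRNF_BRIDGED_DNAT, "eth0" };
    struct skb skb = { "br0", &info };
    return run(&skb, use_new_check);
}

/* Constructed scenario: ordinary routed packet that never crossed a bridge. */
int scenario_plain_routed(int use_new_check)
{
    struct skb skb = { "eth1", NULL };
    return run(&skb, use_new_check);
}

int main(void)
{
    printf("scenario                  old  new\n");
    printf("routed between bridges    %d    %d\n",
           scenario_routed_between_bridges(0), scenario_routed_between_bridges(1));
    printf("bridged + DNAT            %d    %d\n",
           scenario_bridged_dnat(0), scenario_bridged_dnat(1));
    printf("plain routed              %d    %d\n",
           scenario_plain_routed(0), scenario_plain_routed(1));
    return 0;
}
```

The table printed by main shows the one row where the checks disagree: the routed-between-bridges packet, which the old check wrongly handles as bridged and the proposed check leaves alone, while the bridged-and-DNAT'ed and plain routed rows behave the same under both.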
