fedora-cvs-commits@redhat.com

Subject: rpms/kernel/FC-4 linux-2.6-net-nat-pmtu.patch, NONE, 1.1 kernel-2.6.spec, 1.1600, 1.1601
From:
Date: Fri, 17 Feb 2006 13:52:53 -0500
Author: davej

Update of /cvs/dist/rpms/kernel/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv20998

Modified Files:
        kernel-2.6.spec 
Added Files:
        linux-2.6-net-nat-pmtu.patch 
Log Message:
fix nat pmtu bug


linux-2.6-net-nat-pmtu.patch:
 ip_nat_core.c |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

--- NEW FILE linux-2.6-net-nat-pmtu.patch ---

----- Forwarded message from Patrick McHardy <kaber@xxxxxxxxx> -----

Patrick McHardy wrote:
> Al Viro wrote:
> 
>>At which point we have the following:
>>      source: 10.1.1.5
>>      target: YYY.YYY.YYY.YYY
>>      quoted target: XXX.XXX.XXX.XXX
>>
>>Guess how many intermediate routers are going to be unhappy with the source
>>of that packet...  And unlike the "Me Og.  Me see ICMP.  Me drop ICMP" case,
>>they actually have a point.  For other kinds of ICMP errors it wouldn't be
>>a big deal; however, with code 4 it gives PMTUD blackholes.
> 
> 
> That case should actually be handled, at least there's a big comment in
> icmp_reply_translation() in ip_nat_core.c. I can't spot the error right
> now, but I'm going to look into it.

I found the problem, the source address is only changed if it equals
the source of the connection, which doesn't make much sense for ICMP
frag. required messages. With this patch ICMP errors should always
be NATed the same way as original connection, please try if it helps.

diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index c1a6146..1741d55 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -434,6 +434,7 @@ int ip_nat_icmp_reply_translation(struct
        } *inside;
        struct ip_conntrack_tuple inner, target;
        int hdrlen = (*pskb)->nh.iph->ihl * 4;
+       unsigned long statusbit;
 
        if (!skb_make_writable(pskb, hdrlen + sizeof(*inside)))
                return 0;
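Review bot: `statusbit` is declared without an initializer here; that is safe only because the second hunk assigns it on both branches of the `manip == IP_NAT_MANIP_SRC` test before the `^=` and the `ct->status & statusbit` read, so keep that ordering if the function is later reorganized. The `unsigned long` type is chosen to match the `ct->status` field it is masked against; if that field ever changes width the two need to move together.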
@@ -495,17 +496,16 @@ int ip_nat_icmp_reply_translation(struct
 
        /* Change outer to look the reply to an incoming packet
         * (proto 0 means don't invert per-proto part). */
+       if (manip == IP_NAT_MANIP_SRC)
+               statusbit = IPS_SRC_NAT;
+       else
+               statusbit = IPS_DST_NAT;
+
+       /* Invert if this is reply dir. */
+       if (dir == IP_CT_DIR_REPLY)
+               statusbit ^= IPS_NAT_MASK;
 
-       /* Obviously, we need to NAT destination IP, but source IP
-          should be NAT'ed only if it is from a NAT'd host.
-
-          Explanation: some people use NAT for anonymizing.  Also,
-          CERT recommends dropping all packets from private IP
-          addresses (although ICMP errors from internal links with
-          such addresses are not too uncommon, as Alan Cox points
-          out) */
-       if (manip != IP_NAT_MANIP_SRC
-           || ((*pskb)->nh.iph->saddr == ct->tuplehash[dir].tuple.src.ip)) {
+       if (ct->status & statusbit) {
                invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
                if (!manip_pkt(0, pskb, 0, &target, manip))
                        return 0;
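Review bot: the deleted block was the only place explaining why source NAT of ICMP errors used to be restricted (anonymizing setups, private-address sources), and neither the new code nor the commit message says why that rationale no longer applies; add a short comment above `if (ct->status & statusbit)` stating that the outer header is now translated exactly when the connection is NATed in that direction, so an un-NATed private source is still left alone while a frag-needed error from an internal router about a NATed connection leaves with the routable address. Two smaller points: the `statusbit ^= IPS_NAT_MASK` inversion is only correct if `IPS_NAT_MASK` is exactly `IPS_SRC_NAT | IPS_DST_NAT` (worth a one-line comment where it is used), and the retained comment `/* Change outer to look the reply to an incoming packet ... */` now sits above the status-bit computation instead of the `invert_tuplepr()` call it describes; move it down next to the `if`.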


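The following stand-alone C model is an added illustration, not kernel code and not part of the patch or the forwarded thread. It re-implements the old predicate (the removed `manip != IP_NAT_MANIP_SRC || saddr == tuplehash[dir].src` test) and the new status-bit predicate side by side, with constructed stand-ins for `IPS_SRC_NAT`, `IPS_DST_NAT`, `IPS_NAT_MASK`, the direction and manip constants and the conntrack tuple layout (the bit values are illustrative; the only property relied on is that the mask is the union of the two flags). The scenario is constructed: 10.1.1.5 talks to an external host through SNAT to a public address, and an internal router (not the host itself) emits the ICMP fragmentation-needed error. It shows the case Patrick McHardy describes above: the old test declines to rewrite the outer source because the error's sender is not the connection endpoint, the new test rewrites it because the connection is source-NATed, and a connection with no NAT status is still left untouched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's status bits and constants
 * (illustrative values, not the kernel's). The patch relies on
 * IPS_NAT_MASK being exactly IPS_SRC_NAT | IPS_DST_NAT. */
#define IPS_SRC_NAT  0x10UL
#define IPS_DST_NAT  0x20UL
#define IPS_NAT_MASK (IPS_SRC_NAT | IPS_DST_NAT)

enum ct_dir { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };
enum manip  { IP_NAT_MANIP_SRC = 0, IP_NAT_MANIP_DST = 1 };

struct tuple { uint32_t src, dst; };                 /* IPv4, host byte order */
struct conn  { unsigned long status; struct tuple tuplehash[2]; };

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8)  |  (uint32_t)(d))

/* Old predicate (the removed lines): translate the outer source only if
 * the ICMP error was sent by the connection's own endpoint. */
static bool old_should_manip(const struct conn *ct, enum ct_dir dir,
                             enum manip m, uint32_t outer_saddr)
{
    return m != IP_NAT_MANIP_SRC || outer_saddr == ct->tuplehash[dir].src;
}

/* New predicate (the added lines): translate the outer header whenever the
 * connection is NATed in the matching direction, whoever sent the error. */
static bool new_should_manip(const struct conn *ct, enum ct_dir dir, enum manip m)
{
    unsigned long statusbit = (m == IP_NAT_MANIP_SRC) ? IPS_SRC_NAT : IPS_DST_NAT;
    if (dir == IP_CT_DIR_REPLY)
        statusbit ^= IPS_NAT_MASK;  /* SRC manip on a reply checks IPS_DST_NAT, and vice versa */
    return (ct->status & statusbit) != 0;
}

/* Constructed addresses: internal host, internal router, the NAT box's
 * public address and the external peer (documentation ranges). */
static const uint32_t HOST     = IP(10, 1, 1, 5);
static const uint32_t ROUTER   = IP(10, 1, 1, 1);
static const uint32_t PUBLIC   = IP(192, 0, 2, 10);
static const uint32_t EXTERNAL = IP(198, 51, 100, 7);

/* SNAT connection HOST -> EXTERNAL, seen from outside as PUBLIC -> EXTERNAL. */
static struct conn snat_conn(void)
{
    struct conn ct = { .status = IPS_SRC_NAT };
    ct.tuplehash[IP_CT_DIR_ORIGINAL] = (struct tuple){ HOST, EXTERNAL };
    ct.tuplehash[IP_CT_DIR_REPLY]    = (struct tuple){ EXTERNAL, PUBLIC };
    return ct;
}

/* Frag-needed error from ROUTER about the inbound EXTERNAL -> HOST packet.
 * Its inner tuple inverts to the original tuple, so dir is ORIGINAL and the
 * outgoing error needs a source manip on its way out. */
bool old_nats_router_error(void)
{
    struct conn ct = snat_conn();
    return old_should_manip(&ct, IP_CT_DIR_ORIGINAL, IP_NAT_MANIP_SRC, ROUTER);
}
bool new_nats_router_error(void)
{
    struct conn ct = snat_conn();
    return new_should_manip(&ct, IP_CT_DIR_ORIGINAL, IP_NAT_MANIP_SRC);
}
/* Same error sent by HOST itself: the old test already handled this case. */
bool old_nats_host_error(void)
{
    struct conn ct = snat_conn();
    return old_should_manip(&ct, IP_CT_DIR_ORIGINAL, IP_NAT_MANIP_SRC, HOST);
}
/* Error from the outside about PUBLIC -> EXTERNAL arrives in the reply
 * direction and needs a destination manip; the reply-direction flip makes
 * the DST manip check IPS_SRC_NAT, which is set. */
bool new_nats_inbound_error(void)
{
    struct conn ct = snat_conn();
    return new_should_manip(&ct, IP_CT_DIR_REPLY, IP_NAT_MANIP_DST);
}
/* A connection with no NAT status must stay untouched under the new test. */
bool new_nats_plain_conn(void)
{
    struct conn ct = snat_conn();
    ct.status = 0;
    return new_should_manip(&ct, IP_CT_DIR_ORIGINAL, IP_NAT_MANIP_SRC);
}

int main(void)
{
    printf("router error, old predicate: %s\n", old_nats_router_error() ? "NAT" : "leave");
    printf("router error, new predicate: %s\n", new_nats_router_error() ? "NAT" : "leave");
    printf("host error,   old predicate: %s\n", old_nats_host_error() ? "NAT" : "leave");
    printf("inbound error, new predicate: %s\n", new_nats_inbound_error() ? "NAT" : "leave");
    printf("un-NATed conn, new predicate: %s\n", new_nats_plain_conn() ? "NAT" : "leave");
    return 0;
}
```

The "leave" result for the router-generated error under the old predicate is the PMTUD blackhole from the thread: the error goes out with the internal router's private source and is dropped by a strict intermediate router, so the peer never learns the smaller MTU.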


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-4/kernel-2.6.spec,v
retrieving revision 1.1600
retrieving revision 1.1601
diff -u -r1.1600 -r1.1601
--- kernel-2.6.spec     16 Feb 2006 18:39:57 -0000      1.1600
+++ kernel-2.6.spec     17 Feb 2006 18:52:50 -0000      1.1601
@@ -352,6 +352,7 @@
 Patch1810: linux-2.6-pwc-powerup-by-default.patch
 Patch1820: linux-2.6-net-acenic-use-after-free.patch
 Patch1830: linux-2.6-smsc-ircc2-pnp.patch
+Patch1840: linux-2.6-net-nat-pmtu.patch
 Patch1860: linux-2.6-posix-timers-sched_time-accumulation.patch
 Patch1870: linux-2.6-usb-find-interface.patch
 Patch1880: linux-2.6-i2c-it87-reboot.patch
@@ -793,6 +794,8 @@
 %patch1820 -p1
 # PNP support for smsc-ircc2
 %patch1830 -p1
+# Fix PMTU breakage with NAT
+%patch1840 -p1
 # Fix posix-cpu-timers sched_time accumulation
 %patch1860 -p1
 # Fix idiocy in usb_find_interface()
@@ -1275,6 +1278,9 @@
 %endif
 
 %changelog
+* Fri Feb 16 2006 Dave Jones <davej@xxxxxxxxxx>
+- Fix PMTU NAT bug.
+
 * Fri Feb 16 2006 John W. Linville <linville@xxxxxxxxxx>
 - Set ipw2200 hwcrypto option to 0 to avoid firmware restarts.
 
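Review bot: the new %changelog entry is dated `Fri Feb 16 2006`, but this commit's Date header is Fri, 17 Feb 2006, which makes 16 Feb 2006 a Thursday; rpmbuild warns about a bogus date in %changelog, and the entry would also carry the same date as the previous one rather than sorting after it. Use `Fri Feb 17 2006`.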

-- 
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits
