Author: davej
Update of /cvs/dist/rpms/kernel/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv20998
Modified Files:
kernel-2.6.spec
Added Files:
linux-2.6-net-nat-pmtu.patch
Log Message:
fix nat pmtu bug
linux-2.6-net-nat-pmtu.patch:
ip_nat_core.c | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)
--- NEW FILE linux-2.6-net-nat-pmtu.patch ---
----- Forwarded message from Patrick McHardy <kaber@xxxxxxxxx> -----
Patrick McHardy wrote:
> Al Viro wrote:
>
>>At which point we have the following:
>> source: 10.1.1.5
>> target: YYY.YYY.YYY.YYY
>> quoted target: XXX.XXX.XXX.XXX
>>
>>Guess how many intermediate routers are going to be unhappy with the source
>>of that packet... And unlike the "Me Og. Me see ICMP. Me drop ICMP" case,
>>they actually have a point. For other kinds of ICMP errors it wouldn't be
>>a big deal; however, with code 4 it gives PMTUD blackholes.
>
>
> That case should actually be handled, at least there's a big comment in
> icmp_reply_translation() in ip_nat_core.c. I can't spot the error right
> now, but I'm going to look into it.
I found the problem: the source address is only changed if it equals
the source of the connection, which doesn't make much sense for ICMP
frag. required messages. With this patch ICMP errors should always
be NATed the same way as the original connection; please try whether it helps.
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index c1a6146..1741d55 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -434,6 +434,7 @@ int ip_nat_icmp_reply_translation(struct
} *inside;
struct ip_conntrack_tuple inner, target;
int hdrlen = (*pskb)->nh.iph->ihl * 4;
+ unsigned long statusbit;
if (!skb_make_writable(pskb, hdrlen + sizeof(*inside)))
return 0;
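Review bot: `statusbit` is declared without an initializer, which is only safe because the if/else added later in this patch assigns it on both paths before the `^=` and the `ct->status & statusbit` test; keep those assignments unconditional (or initialize it to 0 here) if the block is ever reworked, since an unset value would silently skip the translation.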
@@ -495,17 +496,16 @@ int ip_nat_icmp_reply_translation(struct
/* Change outer to look the reply to an incoming packet
* (proto 0 means don't invert per-proto part). */
+ if (manip == IP_NAT_MANIP_SRC)
+ statusbit = IPS_SRC_NAT;
+ else
+ statusbit = IPS_DST_NAT;
+
+ /* Invert if this is reply dir. */
+ if (dir == IP_CT_DIR_REPLY)
+ statusbit ^= IPS_NAT_MASK;
- /* Obviously, we need to NAT destination IP, but source IP
- should be NAT'ed only if it is from a NAT'd host.
-
- Explanation: some people use NAT for anonymizing. Also,
- CERT recommends dropping all packets from private IP
- addresses (although ICMP errors from internal links with
- such addresses are not too uncommon, as Alan Cox points
- out) */
- if (manip != IP_NAT_MANIP_SRC
- || ((*pskb)->nh.iph->saddr == ct->tuplehash[dir].tuple.src.ip)) {
+ if (ct->status & statusbit) {
invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
if (!manip_pkt(0, pskb, 0, &target, manip))
return 0;
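Review bot: the new `if (ct->status & statusbit)` removes the eight-line comment that justified the old restriction on source-NATing ICMP errors and replaces it with nothing, so the next reader has no idea why the anonymizing/CERT rationale was dropped. Suggest a short comment above the `if (manip == IP_NAT_MANIP_SRC)` block saying that ICMP errors are now translated whenever the connection carries the matching NAT status bit, so an error generated by an intermediate router (whose source is not the connection endpoint) is rewritten like any other reply instead of leaving with a private source address; that is the PMTUD blackhole the thread describes. A one-line note that `statusbit ^= IPS_NAT_MASK` only swaps IPS_SRC_NAT and IPS_DST_NAT because IPS_NAT_MASK is exactly those two bits would also help.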
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-4/kernel-2.6.spec,v
retrieving revision 1.1600
retrieving revision 1.1601
diff -u -r1.1600 -r1.1601
--- kernel-2.6.spec 16 Feb 2006 18:39:57 -0000 1.1600
+++ kernel-2.6.spec 17 Feb 2006 18:52:50 -0000 1.1601
@@ -352,6 +352,7 @@
Patch1810: linux-2.6-pwc-powerup-by-default.patch
Patch1820: linux-2.6-net-acenic-use-after-free.patch
Patch1830: linux-2.6-smsc-ircc2-pnp.patch
+Patch1840: linux-2.6-net-nat-pmtu.patch
Patch1860: linux-2.6-posix-timers-sched_time-accumulation.patch
Patch1870: linux-2.6-usb-find-interface.patch
Patch1880: linux-2.6-i2c-it87-reboot.patch
@@ -793,6 +794,8 @@
%patch1820 -p1
# PNP support for smsc-ircc2
%patch1830 -p1
+# Fix PMTU breakage with NAT
+%patch1840 -p1
# Fix posix-cpu-timers sched_time accumulation
%patch1860 -p1
# Fix idiocy in usb_find_interface()
@@ -1275,6 +1278,9 @@
%endif
%changelog
+* Fri Feb 16 2006 Dave Jones <davej@xxxxxxxxxx>
+- Fix PMTU NAT bug.
+
* Fri Feb 16 2006 John W. Linville <linville@xxxxxxxxxx>
- Set ipw2200 hwcrypto option to 0 to avoid firmware restarts.
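Review bot: the date on the new entry, `* Fri Feb 16 2006 Dave Jones`, does not match its weekday (16 Feb 2006 was a Thursday) and the revision header above shows this commit landing on 17 Feb 2006; rpmbuild reports such entries as "bogus date in %changelog", so `* Fri Feb 17 2006` is what was meant (the existing John W. Linville entry carries the same mismatch).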
--
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits