linux-stable-rt/net/ipv4/netfilter
Jozsef Kadlecsik f9dd09c7f7 netfilter: nf_nat: fix NAT issue in 2.6.30.4+
Vitezslav Samel discovered that since 2.6.30.4+ active FTP can not work
over NAT. The "cause" of the problem was a fix of unacknowledged data
detection with NAT (commit a3a9f79e36).
However, actually, that fix uncovered a long standing bug in TCP conntrack:
when NAT was enabled, we simply updated the max of the right edge of
the segments we have seen (td_end), by the offset NAT produced with
changing IP/port in the data. However, we did not update the other parameter
(td_maxend) which is affected by the NAT offset. Thus that could drift
away from the correct value and thus resulted in breaking active FTP.

The patch below fixes the issue by *not* updating the conntrack parameters
from NAT, but instead taking into account the NAT offsets in conntrack in a
consistent way. (Updating from NAT would be harder and more expensive because
it'd need to re-calculate parameters we already calculated in conntrack.)

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-11-06 00:43:42 -08:00
..
Kconfig
Makefile
arp_tables.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
arpt_mangle.c
arptable_filter.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
ip_queue.c
ip_tables.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
ipt_CLUSTERIP.c
ipt_ECN.c
ipt_LOG.c
ipt_MASQUERADE.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-06-11 16:00:49 +02:00
ipt_NETMAP.c
ipt_REDIRECT.c
ipt_REJECT.c
ipt_ULOG.c
ipt_addrtype.c
ipt_ah.c
ipt_ecn.c
iptable_filter.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
iptable_mangle.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
iptable_raw.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
iptable_security.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
nf_conntrack_l3proto_ipv4.c netfilter: nf_conntrack: log packets dropped by helpers 2009-08-25 15:33:08 +02:00
nf_conntrack_l3proto_ipv4_compat.c
nf_conntrack_proto_icmp.c netfilter: nf_ct_icmp: keep the ICMP ct entries longer 2009-06-08 15:53:43 +02:00
nf_defrag_ipv4.c
nf_nat_amanda.c
nf_nat_core.c netfilter: nf_nat: fix NAT issue in 2.6.30.4+ 2009-11-06 00:43:42 -08:00
nf_nat_ftp.c
nf_nat_h323.c
nf_nat_helper.c netfilter: nf_nat: fix NAT issue in 2.6.30.4+ 2009-11-06 00:43:42 -08:00
nf_nat_irc.c
nf_nat_pptp.c
nf_nat_proto_common.c
nf_nat_proto_dccp.c
nf_nat_proto_gre.c
nf_nat_proto_icmp.c
nf_nat_proto_sctp.c netfilter: Fix extra semi-colon in skb_walk_frags() changes. 2009-06-09 18:05:28 -07:00
nf_nat_proto_tcp.c
nf_nat_proto_udp.c
nf_nat_proto_udplite.c
nf_nat_proto_unknown.c
nf_nat_rule.c netfilter: xtables: mark initial tables constant 2009-08-24 14:56:30 +02:00
nf_nat_sip.c
nf_nat_snmp_basic.c
nf_nat_standalone.c netfilter: xtables: switch hook PFs to nfproto 2009-08-10 13:35:21 +02:00
nf_nat_tftp.c