On Sun, Aug 07, 2005 at 08:42:56PM +0200, Patrick McHardy wrote:
> Harald Welte wrote:
> > On Sun, Aug 07, 2005 at 05:18:06PM +0200, Harald Welte wrote:
> >
> >>The following trivial patch was confirmed to solve the problem. Patrick
> >>also has no objections, so please apply this to mainline.
> >
> > Please hold it back for another minute. I'm still puzzled by this
> > problem. I can neither reproduce it nor understand how the code could
> > end up in a state where it would try to do NAT on untracked connections.
>
> The conntrack reference is manually attached to locally generated ICMP
> errors and icmp_reply_translation() doesn't check if NAT mappings have
> been set up but simply replaces IP/port by what is stored in the
> untracked conntrack entry, which is all 0's.
Ah, manually attached references, I forgot about them.

Looking at the latest traces Vladimir sent me, there is another case, too.

Dave: Please go ahead and apply the patch (attached again for reference).

--
- Harald Welte <[EMAIL PROTECTED]> http://gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
[NETFILTER] don't try to do any NAT on untracked connections

With the introduction of 'rustynat' in 2.6.11, the old tricks of preventing
NAT of 'untracked' connections (e.g. NOTRACK target in 'raw' table) are no
longer sufficient. The ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK
effectively prevents iteration of the 'nat' table, but doesn't prevent
nat_packet() from being executed. Since nr_manips is gone in 'rustynat',
nat_packet() now implicitly thinks that it has to do NAT on the packet.

This patch fixes that problem by explicitly checking for
ip_conntrack_untracked in ip_nat_fn().

Signed-off-by: Harald Welte <[EMAIL PROTECTED]>

---
commit c16fd4ffed6349d0888cd97a75d04394dac42021
tree b4f0e73c7c36f3a52b23593c40f1f49353ba67e3
parent 4d08142e287f852db3f4bfd614f2d73521bd7f07
author Harald Welte <[EMAIL PROTECTED]> Sa, 06 Aug 2005 18:11:00 +0200
committer Harald Welte <[EMAIL PROTECTED]> Sa, 06 Aug 2005 18:11:00 +0200

 net/ipv4/netfilter/ip_nat_standalone.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -100,6 +100,10 @@ ip_nat_fn(unsigned int hooknum,
 		return NF_ACCEPT;
 	}
 
+	/* Don't try to NAT if this packet is not conntracked */
+	if (ct == &ip_conntrack_untracked)
+		return NF_ACCEPT;
+
 	switch (ctinfo) {
 	case IP_CT_RELATED:
 	case IP_CT_RELATED+IP_CT_IS_REPLY:
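Review bot: the comment on the added line says the packet "is not conntracked", but at this point ct is non-NULL and points at the untracked entry, so the packet does carry a conntrack reference; suggest `/* Don't try to NAT packets attached to the untracked conntrack */` so the next reader does not confuse this with the !ct case. The commit message would also benefit from recording the concrete trigger Patrick identified in the thread (the conntrack reference manually attached to locally generated ICMP errors, which icmp_reply_translation() rewrites using the all-zero untracked tuple), since it currently explains only the NOTRACK/'raw' table case; placing the check before `switch (ctinfo)` is what keeps the IP_CT_RELATED path from reaching that translation, and the message should say so.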