linux/net/ipv4/netfilter
Yasuyuki Kozakai 130e7a83d7 [NETFILTER]: nf_conntrack: Don't track locally generated special ICMP error
The conntrack assigned to locally generated ICMP error is usually the one
assigned to the original packet which has caused the error. But if
the original packet is handled as invalid by nf_conntrack, no conntrack
is assigned to the original packet. Then nf_ct_attach() cannot assign
any conntrack to the ICMP error packet. In that case the current
nf_conntrack_icmp assigns appropriate conntrack to it. But the current
code mistakes the direction of the packet. As a result, NAT code mistakes
the address to be mangled.

To fix the bug, this changes nf_conntrack_icmp not to assign conntrack
to such ICMP errors. Actually no address needs to be mangled
in this case.

Spotted by Jordan Russell.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-14 20:45:41 -07:00
arp_tables.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
arpt_mangle.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
arptable_filter.c [NETFILTER]: Clean up table initialization 2007-05-10 23:47:43 -07:00
ip_queue.c [NETLINK]: Switch cb_lock spinlock to mutex and allow to override it 2007-04-25 22:29:03 -07:00
ip_tables.c [NETFILTER] net/ipv4/netfilter/ip_tables.c: lower printk severity 2007-07-10 22:18:53 -07:00
ipt_addrtype.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_ah.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_CLUSTERIP.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
ipt_ecn.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_ECN.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_iprange.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_LOG.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_MASQUERADE.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_NETMAP.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_owner.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_recent.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
ipt_REDIRECT.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_REJECT.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_SAME.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
ipt_tos.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_TOS.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_ttl.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_TTL.c [NETFILTER]: x_tables: mark matches and targets __read_mostly 2007-07-10 22:17:15 -07:00
ipt_ULOG.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
iptable_filter.c [NETFILTER]: iptable_{filter,mangle}: more descriptive "happy cracking" message 2007-05-10 23:47:59 -07:00
iptable_mangle.c [NETFILTER]: iptable_{filter,mangle}: more descriptive "happy cracking" message 2007-05-10 23:47:59 -07:00
iptable_raw.c [NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets 2007-05-10 23:47:59 -07:00
Kconfig [NETFILTER]: ipt_SAME: add to feature-removal-schedule 2007-07-10 22:18:16 -07:00
Makefile [NETFILTER]: Remove IPv4 only connection tracking/NAT 2007-04-25 22:25:34 -07:00
nf_conntrack_l3proto_ipv4_compat.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
nf_conntrack_l3proto_ipv4.c [NETFILTER]: nf_conntrack: make l3proto->prepare() generic and renames it 2007-07-14 20:44:50 -07:00
nf_conntrack_proto_icmp.c [NETFILTER]: nf_conntrack: Don't track locally generated special ICMP error 2007-07-14 20:45:41 -07:00
nf_nat_amanda.c [NETFILTER]: nf_conntrack_expect: function naming unification 2007-07-10 22:17:53 -07:00
nf_nat_core.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_ftp.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_h323.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_helper.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_irc.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_pptp.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_proto_gre.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_proto_icmp.c [NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs 2007-03-05 13:25:19 -08:00
nf_nat_proto_tcp.c [NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs 2007-03-05 13:25:19 -08:00
nf_nat_proto_udp.c [NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs 2007-03-05 13:25:19 -08:00
nf_nat_proto_unknown.c [NETFILTER]: Add NAT support for nf_conntrack 2006-12-02 22:07:13 -08:00
nf_nat_rule.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_sip.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_snmp_basic.c [NETFILTER]: nf_conntrack: reduce masks to a subset of tuples 2007-07-10 22:17:55 -07:00
nf_nat_standalone.c [NETFILTER]: Convert DEBUGP to pr_debug 2007-07-10 22:18:20 -07:00
nf_nat_tftp.c [NETFILTER]: nf_conntrack_expect: function naming unification 2007-07-10 22:17:53 -07:00