diff options
author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2009-11-06 00:43:42 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-12-08 10:22:33 -0800 |
commit | 325786e848323cd6c3e658886448ceafda09bf86 (patch) | |
tree | c140e36b879670c86bcd95a7100b7cf1b5f3f39f /drivers/net/dummy.c | |
parent | 636addb566d468fe7159e678d4c0d195dc77707d (diff) |
netfilter: nf_nat: fix NAT issue in 2.6.30.4+
commit f9dd09c7f7199685601d75882447a6598be8a3e0 upstream.
Vitezslav Samel discovered that since 2.6.30.4+ active FTP can not work
over NAT. The "cause" of the problem was a fix of unacknowledged data
detection with NAT (commit a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272).
However, actually, that fix uncovered a long standing bug in TCP conntrack:
when NAT was enabled, we simply updated the max of the right edge of
the segments we have seen (td_end), by the offset NAT produced with
changing IP/port in the data. However, we did not update the other parameter
(td_maxend) which is affected by the NAT offset. Thus that could drift
away from the correct value and thus resulted breaking active FTP.
The patch below fixes the issue by *not* updating the conntrack parameters
from NAT, but instead taking into account the NAT offsets in conntrack in a
consistent way. (Updating from NAT would be more harder and expensive because
it'd need to re-calculate parameters we already calculated in conntrack.)
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/net/dummy.c')
0 files changed, 0 insertions, 0 deletions