Linus, please apply (finished dredging old bug reports).
This brings us completely in sync with all known bugs which will be
resolved for 2.4, bar one ftp problem. Anything else can wait for
2.4.1/2.5, unless some showstoppers come up.
Contains these multi-line fixes:
o Extra implicit NAT (ssh fix) (Rusty)
o Local NAT fix (Rusty)
No-brainers:
o Warning about NAT interference (Alexey)
o depmod fix for compat modules (Rusty)
o kfree_skb fixes (Arnaldo Carvalho de Melo)
o compile warning fix for ipt_LOG.c (Rusty)
o 16-bit xchg removed (for non-x86) (Rusty)
Passes testsuite with flying colors on my SMP test box, so if it's
broken after this, expect it to be broken in 2.4.
Thanks,
Rusty.
--- linux-2.4.0-test7-7/Documentation/Configure.help Thu Aug 24 16:36:55 2000
+++ working-2.4.0-test7-7/Documentation/Configure.help Thu Aug 24 19:15:20 2000
@@ -1944,6 +1944,9 @@
Full NAT
CONFIG_IP_NF_NAT
+ Do not select "Y", if you are not sure that you will use this.
+ It may affect performance and system robustness negatively.
+
The Full NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. It is controlled by
the `nat' table in iptables: see the man page for iptables(8).
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ip_fw_compat.c
working-2.4.0-test7-7/net/ipv4/netfilter/ip_fw_compat.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ip_fw_compat.c Wed Aug 23
18:12:54 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ip_fw_compat.c Wed Aug 23
19:00:33 2000
@@ -15,6 +15,10 @@
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+/* Theoretically, we could one day use 2.4 helpers, but for now it
+ just confuses depmod --RR */
+EXPORT_NO_SYMBOLS;
+
static struct firewall_ops *fwops;
/* From ip_fw_compat_redir.c */
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ip_nat_core.c
working-2.4.0-test7-7/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ip_nat_core.c Wed Aug 23
18:14:12 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ip_nat_core.c Thu Aug 24
17:50:48 2000
@@ -438,8 +438,27 @@
conntrack));
ret = 1;
goto clear_fulls;
+ } else if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
+ /* Try implicit source NAT; protocol
+ may be able to play with ports to
+ make it unique. */
+ struct ip_nat_range r
+ = { IP_NAT_RANGE_MAP_IPS,
+ tuple->src.ip, tuple->src.ip,
+ { 0 }, { 0 } };
+ DEBUGP("Trying implicit mapping\n");
+ if (proto->unique_tuple(tuple, &r,
+ IP_NAT_MANIP_SRC,
+ conntrack)) {
+ /* Must be unique. */
+ IP_NF_ASSERT(!ip_nat_used_tuple
+ (tuple, conntrack));
+ ret = 1;
+ goto clear_fulls;
+ }
}
- DEBUGP("Protocol can't get unique tuple.\n");
+ DEBUGP("Protocol can't get unique tuple %u.\n",
+ hooknum);
}
/* Eliminate that from range, and try again. */
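Review bot: The implicit-mapping branch added before the final `DEBUGP` silently attaches a source manip that the administrator never configured, and the only trace of it is a DEBUGP line, so the comment should say what an operator will observe. The range pins both ends to `tuple->src.ip`, so as far as the hunk shows only the source port can be rewritten, and the reply presumably gets the reverse manip as well. Suggest extending the comment above `struct ip_nat_range r`: `/* Implicit SNAT fallback: the range pins the IP, so only the source port may change; this is not logged outside DEBUGP and is visible only through the conntrack entry. */`. The enclosing function starts and ends outside the hunk.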
@@ -466,10 +485,11 @@
}
/* Where to manip the reply packets (will be reverse manip). */
+/* FIXME: really should use LOCAL_IN hook for replies to LOCAL_OUT --RR */
static unsigned int opposite_hook[NF_IP_NUMHOOKS]
= { [NF_IP_PRE_ROUTING] = NF_IP_POST_ROUTING,
[NF_IP_POST_ROUTING] = NF_IP_PRE_ROUTING,
- [NF_IP_LOCAL_OUT] = NF_IP_POST_ROUTING
+ [NF_IP_LOCAL_OUT] = NF_IP_PRE_ROUTING
};
unsigned int
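Review bot: `opposite_hook` is sized `NF_IP_NUMHOOKS` but the designated initializer names only three entries, so a lookup with `NF_IP_LOCAL_IN` or `NF_IP_FORWARD` reads 0, which — if `NF_IP_PRE_ROUTING` is 0 as in netfilter_ipv4.h — silently aliases those hooks to PRE_ROUTING instead of failing; the same applies to `icmp_hook` introduced in the @@ -736 hunk below. Whether those hook numbers can reach the lookup is not visible here, but the FIXME this hunk adds is the natural place to record the constraint. Suggest appending: `/* Unlisted entries are zero (NF_IP_PRE_ROUTING): only PRE_ROUTING, POST_ROUTING and LOCAL_OUT may be used as an index. */`.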
@@ -704,6 +724,16 @@
struct ip_nat_helper *helper;
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+ /* Cosmetic: don't want to see mangled packets in SOCK_PACKET
+ sockets (not for TCP code: expects sk != NULL) */
+ if (info->num_manips && !(*pskb)->sk && skb_cloned(*pskb)) {
+ struct sk_buff *new = skb_copy(*pskb, GFP_ATOMIC);
+ if (!new)
+ return NF_DROP;
+ kfree_skb(*pskb);
+ *pskb = new;
+ }
+
/* Need nat lock to protect against modification, but neither
conntrack (referenced) and helper (deleted with
synchronize_bh()) can vanish. */
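Review bot: The failure path of the new `skb_copy` block returns `NF_DROP`, which contradicts the comment calling the copy "Cosmetic": under memory pressure a NAT'd packet is now dropped where the pre-patch code would have mangled the clone in place. If the copy exists only to keep SOCK_PACKET listeners from seeing mangled data, falling back to the old behaviour is the safer choice, `if (new) { kfree_skb(*pskb); *pskb = new; }` in place of the drop. If instead writing into a cloned skb's shared data is a correctness problem, the comment should say that rather than "Cosmetic", since `NF_DROP` is then the right answer. The enclosing function starts outside the hunk.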
@@ -736,6 +766,14 @@
} else return NF_ACCEPT;
}
+/* For local ICMPs (LOCAL_OUT), we need to do POST_ROUTING manips
+ here, otherwise they won't get done --RR */
+static unsigned int icmp_hook[NF_IP_NUMHOOKS]
+= { [NF_IP_PRE_ROUTING] = NF_IP_POST_ROUTING,
+ [NF_IP_POST_ROUTING] = NF_IP_PRE_ROUTING,
+ [NF_IP_LOCAL_OUT] = NF_IP_POST_ROUTING
+};
+
unsigned int
icmp_reply_translation(struct sk_buff *skb,
struct ip_conntrack *conntrack,
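Review bot: `icmp_hook` duplicates `opposite_hook` except for the `NF_IP_LOCAL_OUT` entry, and the comment above it explains the ICMP case but not that a second table exists because `opposite_hook` was just changed to `NF_IP_PRE_ROUTING` for LOCAL_OUT in the @@ -466 hunk. A reader fixing one table is likely to "fix" the other to match. Suggest a comment that names the twin: `/* Same as opposite_hook except LOCAL_OUT -> POST_ROUTING: local ICMP errors need the POST_ROUTING manips applied here or they are never done --RR */`.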
@@ -793,7 +831,7 @@
packet, except it was never src/dst reversed, so
where we would normally apply a dst manip, we apply
a src, and vice versa. */
- if (info->manips[i].hooknum == opposite_hook[hooknum]) {
+ if (info->manips[i].hooknum == icmp_hook[hooknum]) {
DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n",
info->manips[i].maniptype == IP_NAT_MANIP_SRC
? "DST" : "SRC",
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ip_queue.c
working-2.4.0-test7-7/net/ipv4/netfilter/ip_queue.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ip_queue.c Wed Aug 23 18:14:12 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ip_queue.c Wed Aug 23 19:03:00 2000
@@ -414,7 +414,7 @@
return skb;
nlmsg_failure:
if (skb)
- kfree(skb);
+ kfree_skb(skb);
*errp = 0;
printk(KERN_ERR "ip_queue: error creating netlink message\n");
return NULL;
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ip_tables.c
working-2.4.0-test7-7/net/ipv4/netfilter/ip_tables.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ip_tables.c Wed Aug 23 18:12:54 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ip_tables.c Wed Aug 23
19:03:39 2000
@@ -89,10 +89,8 @@
unsigned int hook_entry[NF_IP_NUMHOOKS];
unsigned int underflow[NF_IP_NUMHOOKS];
- char padding[SMP_ALIGN((NF_IP_NUMHOOKS*2+2)*sizeof(unsigned int))];
-
/* ipt_entry tables: one per CPU */
- char entries[0];
+ char entries[0] __attribute__((aligned(SMP_CACHE_BYTES)));
};
static LIST_HEAD(ipt_target);
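Review bot: Replacing `padding[]` with `__attribute__((aligned(SMP_CACHE_BYTES)))` on `entries` moves the cache-line rounding into `sizeof(struct ipt_table_info)`, and the `vmalloc` in the @@ -1359 hunk below relies on that without saying so. Suggest a comment on the member: `/* aligned so sizeof() is a multiple of SMP_CACHE_BYTES; the per-CPU entry tables start here */`. The `bootstrap` initializer in the second hunk correctly drops the brace pair for the removed field.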
@@ -1359,7 +1357,7 @@
int ret;
struct ipt_table_info *newinfo;
static struct ipt_table_info bootstrap
- = { 0, 0, { 0 }, { 0 }, { }, { } };
+ = { 0, 0, { 0 }, { 0 }, { } };
MOD_INC_USE_COUNT;
newinfo = vmalloc(sizeof(struct ipt_table_info)
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ipt_LOG.c
working-2.4.0-test7-7/net/ipv4/netfilter/ipt_LOG.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ipt_LOG.c Wed Aug 23 18:14:12 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ipt_LOG.c Thu Aug 24 14:01:54 2000
@@ -288,7 +288,8 @@
if (in && !out) {
/* MAC logging for input chain only. */
printk("MAC=");
- if ((*pskb)->dev && (*pskb)->dev->hard_header_len &&
(*pskb)->mac.raw != iph) {
+ if ((*pskb)->dev && (*pskb)->dev->hard_header_len
+ && (*pskb)->mac.raw != (unsigned char *)iph) {
int i;
unsigned char *p = (*pskb)->mac.raw;
for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ipt_MIRROR.c
working-2.4.0-test7-7/net/ipv4/netfilter/ipt_MIRROR.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ipt_MIRROR.c Tue Jul 11 12:08:17 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ipt_MIRROR.c Wed Aug 23
19:03:00 2000
@@ -89,7 +89,7 @@
dst->neighbour->output(skb);
else {
printk(KERN_DEBUG "khm in MIRROR\n");
- kfree(skb);
+ kfree_skb(skb);
}
}
diff -urN -X /tmp/filezRIWiT --minimal
linux-2.4.0-test7-7/net/ipv4/netfilter/ipt_REJECT.c
working-2.4.0-test7-7/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.0-test7-7/net/ipv4/netfilter/ipt_REJECT.c Wed Aug 23 18:14:12 2000
+++ working-2.4.0-test7-7/net/ipv4/netfilter/ipt_REJECT.c Wed Aug 23
19:03:32 2000
@@ -27,6 +27,7 @@
struct tcphdr *otcph, *tcph;
struct rtable *rt;
unsigned int otcplen;
+ u_int16_t tmp;
int needs_ack;
/* IP header checks: fragment, too short. */
@@ -64,8 +65,11 @@
tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+ /* Swap source and dest */
nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
- tcph->source = xchg(&tcph->dest, tcph->source);
+ tmp = tcph->source;
+ tcph->source = tcph->dest;
+ tcph->dest = tmp;
/* Truncate to length (no data) */
tcph->doff = sizeof(struct tcphdr)/4;
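Review bot: The address swap in this hunk still uses `xchg` for `saddr`/`daddr` while the port swap right below it was rewritten with a temporary; `xchg` is an atomic primitive and `nskb` appears to be a private copy whose header is being rewritten in place, so the same plain swap suffices and keeps the two lines consistent. Suggest `u_int32_t tmpaddr = nskb->nh.iph->saddr; nskb->nh.iph->saddr = nskb->nh.iph->daddr; nskb->nh.iph->daddr = tmpaddr;`, with `tmpaddr` declared next to `tmp` in the @@ -27 hunk. The enclosing function starts and ends outside the hunk.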
--
Hacking time.