| To: | David Miller <davem@xxxxxxxxxx>, Steve Hill <steve@xxxxxxxxxxxx> |
|---|---|
| Subject: | [PATCH] fix netfilter refcounting [was Re: Conntrack leak (2.6.2rc2)] |
| From: | Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> |
| Date: | Tue, 3 Feb 2004 18:43:38 +0100 (CET) |
| Cc: | <netdev@xxxxxxxxxxx>, <netfilter-devel@xxxxxxxxxxxxxxxxxxx> |
| In-reply-to: | <Pine.LNX.4.33.0402031629150.11737-100000@blackhole.kfki.hu> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
Hi Dave,
Steve Hill reported a conntrack leakage in 2.6.2-rc2 when nat is enabled
and the system forwards fragmented packets. It turned out that an
nf_conntrack_put was missing from ip_copy_metadata:
--- a/net/ipv4/ip_output.c 2004-01-09 08:00:12.000000000 +0100
+++ t/net/ipv4/ip_output.c 2004-02-03 18:15:07.000000000 +0100
@@ -414,6 +414,7 @@
to->nfmark = from->nfmark;
to->nfcache = from->nfcache;
/* Connection association is same as pre-frag packet */
+ nf_conntrack_put(to->nfct);
to->nfct = from->nfct;
nf_conntrack_get(to->nfct);
#ifdef CONFIG_BRIDGE_NETFILTER
Please apply the patch.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [PATCH] fix netfilter refcounting [was Re: Conntrack leak (2.6.2rc2)], David S. Miller |
|---|---|
| Next by Date: | Re: SCTP sockopt discrepancy between 2.4 and 2.6., Sridhar Samudrala |
| Previous by Thread: | Re: Conntrack leak (2.6.2rc2), Jozsef Kadlecsik |
| Next by Thread: | Re: [PATCH] fix netfilter refcounting [was Re: Conntrack leak (2.6.2rc2)], David S. Miller |
| Indexes: | [Date] [Thread] [Top] [All Lists] |