authorFelix Fietkau <nbd@openwrt.org>2009-05-28 15:52:18 +0000
committerFelix Fietkau <nbd@openwrt.org>2009-05-28 15:52:18 +0000
commit6f45d1a0d344d996d5b835de590e1479d9e441bb (patch)
treeedcb85085b67a40705a4e1f6b9b620ca973aafd1
parent9f34823a8a50d0bb877e64b987f1abe37f192689 (diff)
brcm-2.4: fix conntrack structure inconsistency with iptables, which can cause problems with port matching/forwarding and protocol matching
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16141 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch b/target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch
new file mode 100644
index 0000000000..865df8d9ee
--- /dev/null
+++ b/target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch
@@ -0,0 +1,49 @@
+--- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
++++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+@@ -68,6 +68,35 @@ struct ip_conntrack_tuple
+ } dst;
+ };
+
++/* This is exposed to userspace, so remains frozen in time. */
++struct ip_conntrack_old_tuple
++{
++ struct ip_conntrack_manip src;
++
++ /* These are the parts of the tuple which are fixed. */
++ struct {
++ u_int32_t ip;
++ union {
++ /* Add other protocols here. */
++ u_int16_t all;
++
++ struct {
++ u_int16_t port;
++ } tcp;
++ struct {
++ u_int16_t port;
++ } udp;
++ struct {
++ u_int8_t type, code;
++ } icmp;
++ } u;
++
++ /* The protocol. */
++ u_int16_t protonum;
++ } dst;
++};
++
++
+ /* This is optimized opposed to a memset of the whole structure. Everything we
+ * really care about is the source/destination unions */
+ #define IP_CT_TUPLE_U_BLANK(tuple) \
+--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
++++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
+@@ -25,7 +25,7 @@ struct ipt_conntrack_info
+ {
+ unsigned int statemask, statusmask;
+
+- struct ip_conntrack_tuple tuple[IP_CT_DIR_MAX];
++ struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
+ struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+
+ unsigned long expires_min, expires_max;
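Review bot: The `/* Add other protocols here. */` comment kept inside the union of the new `struct ip_conntrack_old_tuple` contradicts the struct's own header comment that it is frozen for userspace; suggest replacing it with `/* Frozen userspace ABI: do not add members here, new protocols go in ip_conntrack_tuple. */`. The copy still embeds `struct ip_conntrack_manip src`, so its layout is only frozen as long as that struct is never changed, which the header comment should state explicitly. The type change of `tuple[]` in `ipt_conntrack_info` only builds if the kernel-side match code (not part of this patch) reads the array field by field rather than passing it to helpers that take `struct ip_conntrack_tuple *`; presumably that was verified, but a compile-time size check against the userspace-visible size would make the ABI contract explicit instead of implicit. The enclosing `struct ipt_conntrack_info` continues past the end of the second hunk.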