author | Felix Fietkau <nbd@openwrt.org> | 2009-05-28 15:52:18 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2009-05-28 15:52:18 +0000 |
commit | 6f45d1a0d344d996d5b835de590e1479d9e441bb (patch) | |
tree | edcb85085b67a40705a4e1f6b9b620ca973aafd1 | |
parent | 9f34823a8a50d0bb877e64b987f1abe37f192689 (diff) | |
brcm-2.4: fix conntrack structure inconsistency with iptables, which can cause problems with port matching/forwarding and protocol matching
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16141 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r-- | target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch b/target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch
new file mode 100644
index 0000000000..865df8d9ee
--- /dev/null
+++ b/target/linux/generic-2.4/patches/626-netfilter_conntrack_fix.patch
@@ -0,0 +1,49 @@
+--- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
++++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+@@ -68,6 +68,35 @@ struct ip_conntrack_tuple
+ } dst;
+ };
+ 
++/* This is exposed to userspace, so remains frozen in time. */
++struct ip_conntrack_old_tuple
++{
++ struct ip_conntrack_manip src;
++ 
++ /* These are the parts of the tuple which are fixed. */
++ struct {
++ u_int32_t ip;
++ union {
++ /* Add other protocols here. */
++ u_int16_t all;
++ 
++ struct {
++ u_int16_t port;
++ } tcp;
++ struct {
++ u_int16_t port;
++ } udp;
++ struct {
++ u_int8_t type, code;
++ } icmp;
++ } u;
++ 
++ /* The protocol. */
++ u_int16_t protonum;
++ } dst;
++};
++ 
++ 
+ /* This is optimized opposed to a memset of the whole structure. Everything we
+ * really care about is the source/destination unions */
+ #define IP_CT_TUPLE_U_BLANK(tuple) \
+--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
++++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
+@@ -25,7 +25,7 @@ struct ipt_conntrack_info
+ {
+ unsigned int statemask, statusmask;
+ 
+- struct ip_conntrack_tuple tuple[IP_CT_DIR_MAX];
++ struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
+ struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+ 
+ unsigned long expires_min, expires_max; |
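Review bot: The `src` member of the new `ip_conntrack_old_tuple` is still the live `struct ip_conntrack_manip`, so the layout the comment calls "frozen in time" is only frozen as long as that kernel type and its protocol union never change; the next member added on the manip side reintroduces exactly the kernel/iptables size and offset mismatch this commit fixes for `dst`. Because `ipt_conntrack_info` is copied in from userspace, such drift does not fail cleanly but shows up as port and protocol fields being compared at the wrong offsets (the size check in checkentry and the match code that reads these fields live in ipt_conntrack.c, outside this hunk, so I cannot confirm they only touch members the frozen struct provides). I would spell `src` out explicitly, mirroring the `dst` definition and the member set iptables' own copy of the header was built against, so that the userspace ABI no longer depends on a kernel-internal type; a compile-time size check against the value iptables expects would catch any future drift.
```c
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
	/* Spelled out instead of embedding struct ip_conntrack_manip, so that
	 * growing the live manip union cannot change this userspace layout.
	 * Per-protocol members must match iptables' copy of this header. */
	struct {
		u_int32_t ip;
		union {
			u_int16_t all;
		} u;
	} src;

	/* … unchanged: dst … */
};
```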