Commit 130e7a83 authored Jul 14, 2007 by Yasuyuki Kozakai Committed by David S. Miller Jul 14, 2007

[NETFILTER]: nf_conntrack: Don't track locally generated special ICMP error



The conntrack assigned to locally generated ICMP error is usually the one
assigned to the original packet which has caused the error. But if
the original packet is handled as invalid by nf_conntrack, no conntrack
is assigned to the original packet. Then nf_ct_attach() cannot assign
any conntrack to the ICMP error packet. In that case the current
nf_conntrack_icmp assigns appropriate conntrack to it. But the current
code mistakes the direction of the packet. As a result, NAT code mistakes
the address to be mangled.

To fix the bug, this changes nf_conntrack_icmp not to assign conntrack
to such ICMP error. Actually no address is necessary to be mangled
in this case.

Spotted by Jordan Russell.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent e2a3123f

net/ipv4/netfilter/nf_conntrack_proto_icmp.c

+5 −17

Original line number	Diff line number	Diff line
		@@ -164,25 +164,13 @@ icmp_error_message(struct sk_buff *skb,
		*ctinfo = IP_CT_RELATED;

		h = nf_conntrack_find_get(&innertuple);
		if (!h) {
		/* Locally generated ICMPs will match inverted if they
		haven't been SNAT'ed yet */
		/* FIXME: NAT code has to handle half-done double NAT --RR */
		if (hooknum == NF_IP_LOCAL_OUT)
		h = nf_conntrack_find_get(&origtuple);

		if (!h) {
		pr_debug("icmp_error_message: no match\n");
		return -NF_ACCEPT;
		}

		/* Reverse direction from that found */
		if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
		*ctinfo += IP_CT_IS_REPLY;
		} else {
		if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY)
		*ctinfo += IP_CT_IS_REPLY;
		}

		/* Update skb to refer to this connection */
		skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;