diff options
author | Patrick McHardy <kaber@trash.net> | 2005-04-24 18:41:38 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-04-24 18:41:38 -0700 |
commit | e281e3ac2b6c294d672034909883e7bb9e649ac7 (patch) | |
tree | 0a7a13aa6ecaddf030a8ec5deecce87ee424aae7 /include | |
parent | 8e293ada7d6aaee43dd56a8077b83577dd108667 (diff) | |
download | op-kernel-dev-e281e3ac2b6c294d672034909883e7bb9e649ac7.zip op-kernel-dev-e281e3ac2b6c294d672034909883e7bb9e649ac7.tar.gz |
[NETFILTER]: Fix NAT sequence number adjustment
The NAT changes in 2.6.11 changed the position where helpers
are called and perform packet mangling. Before 2.6.11, a NAT
helper was called before the packet was NATed and had its
sequence number adjusted. Since 2.6.11, the helpers get packets
with already adjusted sequence numbers.
This breaks sequence number adjustment, adjust_tcp_sequence()
needs the original sequence number to determine whether
a packet was a retransmission and to store it for further
corrections. It can't be reconstructed without more information
than available, so this patch restores the old order by
calling helpers from a new conntrack hook two priorities
below ip_conntrack_confirm() and adjusting the sequence number
from a new NAT hook one priority below ip_conntrack_confirm().
Tracked down by Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter_ipv4.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index c9bacf9..9e57500 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h @@ -62,6 +62,9 @@ enum nf_ip_hook_priorities { NF_IP_PRI_FILTER = 0, NF_IP_PRI_NAT_SRC = 100, NF_IP_PRI_SELINUX_LAST = 225, + NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2, + NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1, + NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, NF_IP_PRI_LAST = INT_MAX, }; |