Displaying 13 results from an estimated 13 matches for "ip_conntrack_core".
2003 Aug 02
0
[SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
...is_confirmed(struct ip_conntrack *ct)
{
- return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next !=3D NULL;
+ return test_bit(IPS_CONFIRMED_BIT, &ct->status);
}
=20
extern unsigned int ip_conntrack_htable_size;
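Review bot: is_confirmed() now reads IPS_CONFIRMED_BIT from ct->status, but nothing in the visible lines shows where that bit is set or cleared. The helper is only correct if the bit is set at the point the entry is inserted into the hash, under the same lock. A comment on is_confirmed() naming that location would make the invariant checkable.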
diff -urN --exclude-from=3Ddiff.exclude linux-2.4.20-base/net/ipv4/netfilte=
r/ip_conntrack_core.c linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core=
=2Ec
--- linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_core.c Tue Feb 18 17:=
08:21 2003
+++ linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core.c Fri Feb 21 17:0=
1:39 2003
@@ -292,9 +292,6 @@
{
DEBUGP("clean_from_lists(%p)\n&q...
2003 Mar 03
0
[Bug 59] New: sparc64 conntrack issue with expecting related connections, FTP
...Priority: P2
Component: connection tracking
AssignedTo: laforge@netfilter.org
ReportedBy: laforge@netfilter.org
CC: netfilter-buglog@lists.netfilter.org
From: "Chris Poon" <Chris.Poon@TELUS.COM>
After running a kernel with debugging on ip_conntrack_core.c, I can see that it
doesn't find a match in the expected connections list, but the print out
suggests that the expectation for the related connection is set correctly. That
points me to two scenarios:
1) the related connection entry was not found in the expectation...
2006 Jul 25
0
[Bug 495] New: Netfilter Connection Tracking Race Condition in Kernel 2.4.x
...seful starting point for a fix.
Fix
We decided to eliminate the race by having subsequent packets with the
same conntrack tuple join the conntrack context of the first packet
instead of creating a new conntrack context for each of them. Here's
the patch:
--- linux-2.4.32/net/ipv4/netfilter/ip_conntrack_core.c.orig 2005-04-03
18:42:20.000000000 -0700
+++ linux-2.4.32/net/ipv4/netfilter/ip_conntrack_core.c 2006-07-24
13:23:25.000000000 -0700
@@ -777,6 +777,14 @@
/* look for tuple match */
h = ip_conntrack_find_get(&tuple, NULL);
if (!h) {
+ READ_LOCK(&ip_conntrack_lock);
+ h = LIST_FIND(...
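Review bot: the READ_LOCK(&ip_conntrack_lock) added inside the `if (!h)` branch needs a matching unlock on every exit path, and whatever LIST_FIND returns needs a reference taken before the lock is dropped. The visible lines end before either is shown, so both should be checked in the full hunk. A comment stating which list is searched here, and why ip_conntrack_find_get() can miss the entry, would also help.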
2002 Aug 23
0
Re: ip_conntrack_lock not readlocked (fwd)
...support is disabled
> together with iptables-1.2.6a ( all compiled by myself).
> I applied patches to netfilter using POM.
which patches?
> The following messages are seen in my log-file
> ASSERT: ip_nat_core.c: 743 &ip_conntrack_lock not readlocked
> ASSERT:ip_conntrack_core.c: 973 &ip_conntrack_lock readlocked
how often do you see them? Do they have always the same line number?
Could you send me a grep on all 'ASSERT:' entries in your syslog?
What kind of machine are you running?
> Thanks for your help
> Albrecht
--
Live long an...
2003 Apr 21
1
[Bug 64] Conntrack-Table is not cleared on interface down using target MASQUERADE
...s my fault to use an automatic build
system and not check it... In the end the patch didn't apply in its whole and I didn't
discover it, because the build system just went on.
Here is the error:
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_proto_tcp.c
Hunk #1 FAILED at 192.
1 out of 1 hunk FAILED -- saving rejects to file
net/ipv4/netfilter/ip_conntrack_proto_tcp.c.rej
patching file net/ipv4/netfilter/ip_conntrack_proto_udp.c
patching file net/ipv4/netfilter/ip_conntrack_standalon...
2006 Jan 30
0
conntrack event/hook when 'expected' connection terminates ?
...handles the termination
of 'expected' connection; handling in the case when 'expected'
connection arrived, then terminates (In my conntrack module,
I need to specially handle the event of termination
of 'expected' connection.)
In ip_conntrack_core.c, I can't find the call chain of deallocation
of 'expectation' after termination of 'expected' connection.
Deallocation must happen somewhere, but I don't see any hooks
related to termination of 'expected' connection.
Or ma...
2005 Oct 04
0
IMQ and nfcache
...void *targinfo,
void *userdata)
{
struct ipt_imq_info *mr = (struct ipt_imq_info*)targinfo;
(*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE;
(*pskb)->nfcache |= NFC_ALTERED;
return IPT_CONTINUE;
}
I found that in places like ip_conntrack_core.c and ip_nat_core.c,
nfcache references have just been removed.
Tk in advance for any help.
Cheers...
--------------------------------------------------------------------
Andre D. Correa, CISSP | Visite meus projetos pessoais:
andre.correa (at) pobox.com | Visit my personal projec...
2003 Feb 03
0
[Bug 39] New: can't execute 'make modules'
...`/usr/src/linux-2.4.19/net/ipv4/netfilter'
make[2]: Se elimina la dependencia circular
/usr/src/linux-2.4.19/include/linux/netfilter_ipv4/ip_conntrack_helper.h <-
/usr/src/linux-2.4.19/include/linux/netfilter_ipv4/ip_conntrack.h.
ld -m elf_i386 -r -o ip_conntrack.o ip_conntrack_standalone.o
ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o
ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
ld -m elf_i386 -r -o iptable_nat.o ip_nat_standalone.o ip_nat_rule.o
ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o
ip_nat_proto_udp.o ip_nat_proto_icmp.o
gcc -D__KERN...
2002 Jan 20
0
[ANNOUNCE] Bug in kernel == 2.4.10 causing netfilter problem
...static __inline__ void list_del(struct list_head *entry)
> {
> __list_del(entry->prev, entry->next);
> + entry->next =3D entry->prev =3D 0;
> }
> =20
> /**
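Review bot: the line added to list_del() assigns the integer literal 0 to two pointers; `entry->next = entry->prev = NULL;` is the clearer form. The assignment also changes what a removed entry looks like to any caller that inspects `next` or `prev` after deletion, so the function's comment should document the post-deletion state and such callers should be audited before this goes in.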
This change breaks an assumption made by the netfilter connection tracking
code in linux/net/ipv4/netfilter/ip_conntrack_core.c:
> static void
> clean_from_lists(struct ip_conntrack *ct)
> {
> MUST_BE_WRITE_LOCKED(&ip_conntrack_lock);
> /* Remove from both hash lists: must not NULL out next ptrs,
> otherwise we'll look unconfirmed. Fortunately, LIST_DELETE
>...
2007 Apr 18
5
[Bridge] Any way of knowing a packet's been defragmented
...etfilter.h 2004-08-04 22:47:49.000000000 +0200
@@ -24,6 +24,7 @@
<= 0x2000 is used for protocol-flags. */
#define NFC_UNKNOWN 0x4000
#define NFC_ALTERED 0x8000
+#define NFC_DEFRAGMENTED 0x10000
#ifdef __KERNEL__
#include <linux/config.h>
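Review bot: NFC_DEFRAGMENTED at 0x10000 is the first flag in this block that does not fit in 16 bits, while NFC_UNKNOWN and NFC_ALTERED stop at 0x8000. Confirm that the nfcache field and every variable it is copied through are wide enough to hold it. The new define also has no comment saying who sets the flag and who is expected to test it.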
--- linux-2.6.8-rc2-bk9/net/ipv4/netfilter/ip_conntrack_core.c.old 2004-08-04 22:46:32.000000000 +0200
+++ linux-2.6.8-rc2-bk9/net/ipv4/netfilter/ip_conntrack_core.c 2004-08-04 22:48:20.000000000 +0200
@@ -1212,7 +1212,7 @@ ip_ct_gather_frags(struct sk_buff *skb)
}
ip_send_check(skb->nh.iph);
- skb->nfcache |= NFC_ALTERED;
+ skb->nfcache |= NF...
2005 Aug 15
11
Hardware Configuration Ideas
Hey guys,
I am planning to buy some components for a Linux router that will handle the
Internet access of 200 computers (includes tc shaping) and some inter
sub-network routing (at least 100MBps per eth - and there are 3 eth cards).
I was thinking of a:
Pentium 4 - 3GHz
256 or 512MB RAM
Network Cards.
Now - I wonder what is more important: the processor speed or the amount of
RAM.
And can you
2004 Apr 19
16
Firewall sizing guidelines?
I have just completed the installation of a new firewall running
Shorewall 1.4 on Mandrake 9.2 for our campus network. It appears to
be running fairly well so far, but is generating significantly more log
entries than our previous linux 2.0.x firewall...
Our previous firewall enjoyed more than 6 years of 24/7 operation with
no downtime before we finally decided it needed more horsepower, and
2006 Feb 24
2
r56 - trunk/debian
...nux-2.6.12-xen/net/ipv4/ip_sockglue.c 2006-02-17 00:45:18.235521137 +0100
++++ linux-2.6.12-xen/net/ipv4/ip_sockglue.c 2006-02-25 00:12:33.777993342 +0100
@@ -848,6 +848,9 @@ mc_msf_out:
case IP_IPSEC_POLICY:
@@ -103812,7 +103815,7 @@
diff -Nurp pristine-linux-2.6.12/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.12-xen/net/ipv4/netfilter/ip_conntrack_core.c
--- pristine-linux-2.6.12/net/ipv4/netfilter/ip_conntrack_core.c 2005-06-17 21:48:29.000000000 +0200
-+++ linux-2.6.12-xen/net/ipv4/netfilter/ip_conntrack_core.c 2006-02-17 00:45:18.236520984 +0100
++++ linux-2.6.12-xen/net/ipv4/netfilter/i...