| author | Patrick McHardy <kaber@trash.net> | 2005-09-06 15:09:43 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2005-09-06 15:09:43 -0700 |
| commit | 03486a4f838c55481317fca5ac2e7d12550a4fb7 (patch) | |
| tree | 9c5e5cd835102d67198e5fd1c6756f3b0de65a2c /include | |
| parent | 31c913e7fd48000163a88cfe10383fd3be20910e (diff) | |
| download | talos-op-linux-03486a4f838c55481317fca5ac2e7d12550a4fb7.tar.gz, talos-op-linux-03486a4f838c55481317fca5ac2e7d12550a4fb7.zip | |
[NETFILTER]: Handle NAT module load race

When the NAT module is loaded when connections are already confirmed,
it must not change their tuples anymore. This is especially important
with CONFIG_NETFILTER_DEBUG: the netfilter listhelp functions will
refuse to remove an entry from a list when it cannot be found on
the list, so when a changed tuple hashes to a new bucket the entry
is kept in the list until and after the conntrack is freed.

Allocate the exact conntrack tuple for NAT for already confirmed
connections or drop them if that fails.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')

| -rw-r--r-- | include/linux/netfilter_ipv4/ip_nat_rule.h | 5 |
|---|---|---|

1 files changed, 5 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4/ip_nat_rule.h b/include/linux/netfilter_ipv4/ip_nat_rule.h index fecd2a06dcd8..73b9552e6a89 100644 --- a/include/linux/netfilter_ipv4/ip_nat_rule.h +++ b/include/linux/netfilter_ipv4/ip_nat_rule.h @@ -19,5 +19,10 @@ extern unsigned int alloc_null_binding(struct ip_conntrack *conntrack, struct ip_nat_info *info, unsigned int hooknum); + +extern unsigned int +alloc_null_binding_confirmed(struct ip_conntrack *conntrack, + struct ip_nat_info *info, + unsigned int hooknum); #endif #endif /* _IP_NAT_RULE_H */ |
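Review bot: the new `alloc_null_binding_confirmed()` prototype in ip_nat_rule.h carries no comment distinguishing it from `alloc_null_binding()` declared directly above it, and since this header is the only file in the diff, nothing here tells a caller that the `_confirmed` variant is meant for conntracks that are already confirmed and whose tuple therefore must not change, or what the caller has to do when allocating the exact tuple fails (per the commit message, drop the connection). Suggest a short comment above the declaration stating both, along the lines of `/* For already confirmed conntracks: allocate the exact current tuple; on failure the caller must drop. */`, so the invariant that motivates the split survives in the header rather than only in the commit log.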