Re: status of ipchains in 2.6?
From: Martin Josefsson
Date: Tue Oct 28 2003 - 13:24:53 EST
On Tue, 2003-10-28 at 02:27, David Mosberger wrote:
> I recently discovered that ipchains is rather broken. I noticed the
> problem on ia64, but suspect that it's likely to affect all 64-bit
> platforms (if not 32-bit platforms). A more detailed description of
> the problem I'm seeing is here:
>
> http://tinyurl.com/sm9d
>
> Unlike ipchains, iptables works perfectly fine, so perhaps we just
> need to update Kconfig to discourage ipchains on ia64 (and/or other
> 64-bit platforms)?
Please try this patch that just got included in linus tree.
ChangeSet 1.1360, 2003/10/27 00:01:25-08:00, rusty@xxxxxxxxxxxxxxx
[NETFILTER]: Fix ipchains oops in NAT
We updated ip_nat_setup_info to set the initialized flag and call
place_in_hashes, but *didn't* change the call in ip_fw_compat_masq.c
which also calls place_in_hashes() itself (again!). Result: corrupt
list, and next thing which lands in the same hash bucket goes boom.
Thanks to Andy Polyakov for chasing this down.
# This patch includes the following deltas:
# ChangeSet 1.1359 -> 1.1360
# net/ipv4/netfilter/ip_fw_compat_masq.c 1.11 -> 1.12
#
ip_fw_compat_masq.c | 3 ---
1 files changed, 3 deletions(-)
diff -Nru a/net/ipv4/netfilter/ip_fw_compat_masq.c b/net/ipv4/netfilter/ip_fw_compat_masq.c
--- a/net/ipv4/netfilter/ip_fw_compat_masq.c Mon Oct 27 12:07:33 2003
+++ b/net/ipv4/netfilter/ip_fw_compat_masq.c Mon Oct 27 12:07:33 2003
@@ -91,9 +91,6 @@
WRITE_UNLOCK(&ip_nat_lock);
return ret;
}
-
- place_in_hashes(ct, info);
- info->initialized = 1;
} else
DEBUGP("Masquerading already done on this conn.\n");
WRITE_UNLOCK(&ip_nat_lock);
--
/Martin
Attachment:
signature.asc
Description: This is a digitally signed message part