From: Chris Wright <chrisw@sous-sol.org>
Date: Wed, 11 Jan 2006 07:29:57 +0000 (-0800)
Subject: add ebtables fix for 2.6.14 queue as well
X-Git-Tag: v2.6.14.7~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89c3149841d9603820ed7ef255416779a4df816c;p=thirdparty%2Fkernel%2Fstable-queue.git

add ebtables fix for 2.6.14 queue as well
---

diff --git a/queue-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch b/queue-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch
new file mode 100644
index 00000000000..8c8a463a0c9
--- /dev/null
+++ b/queue-2.6.14/fix-bridge-netfilter-matching-ip-fragments.patch
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org  Tue Jan 10 13:19:27 2006
+Date: Tue, 10 Jan 2006 13:13:45 -0800 (PST)
+Message-Id: <20060110.131345.37717560.davem@davemloft.net>
+To: stable@kernel.org
+From: "David S. Miller" <davem@davemloft.net>
+Subject: [EBTABLES] Don't match tcp/udp source/destination port for IP fragments
+
+From: Bart De Schuymer <bdschuym@pandora.be>
+
+Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/bridge/netfilter/ebt_ip.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- linux-2.6.14.6.orig/net/bridge/netfilter/ebt_ip.c
++++ linux-2.6.14.6/net/bridge/netfilter/ebt_ip.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_bridge/ebtables.h>
+ #include <linux/netfilter_bridge/ebt_ip.h>
+ #include <linux/ip.h>
++#include <net/ip.h>
+ #include <linux/in.h>
+ #include <linux/module.h>
+ 
+@@ -51,6 +52,8 @@ static int ebt_filter_ip(const struct sk
+ 		if (!(info->bitmask & EBT_IP_DPORT) &&
+ 		    !(info->bitmask & EBT_IP_SPORT))
+ 			return EBT_MATCH;
++		if (ntohs(ih->frag_off) & IP_OFFSET)
++			return EBT_NOMATCH;
+ 		pptr = skb_header_pointer(skb, ih->ihl*4,
+ 					  sizeof(_ports), &_ports);
+ 		if (pptr == NULL)
diff --git a/queue-2.6.14/series b/queue-2.6.14/series
index 1c75cd65f74..433a07ccb55 100644
--- a/queue-2.6.14/series
+++ b/queue-2.6.14/series
@@ -1 +1,2 @@
 setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch
+fix-bridge-netfilter-matching-ip-fragments.patch