From: Chris Wright Date: Tue, 28 Jun 2005 23:36:11 +0000 (-0700) Subject: Add netfilter connection tracking fix from Patrick (via DaveM) X-Git-Tag: v2.6.12.2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9aaf5aa7c4e4b8309997d2b433bf7464280799eb;p=thirdparty%2Fkernel%2Fstable-queue.git Add netfilter connection tracking fix from Patrick (via DaveM) --- diff --git a/queue/netfilter-connection-tracking.patch b/queue/netfilter-connection-tracking.patch new file mode 100644 index 00000000000..77843604cf9 --- /dev/null +++ b/queue/netfilter-connection-tracking.patch 
@@ -0,0 +1,54 @@ +From stable-bounces@linux.kernel.org Tue Jun 28 16:07:25 2005 +Date: Tue, 28 Jun 2005 16:06:39 -0700 (PDT) +Message-Id: <20050628.160639.130608735.davem@davemloft.net> +To: stable@kernel.org +From: "David S. Miller" +Subject: [NETFILTER]: Fix connection tracking bug in 2.6.12 + +In 2.6.12 we started dropping the conntrack reference when a packet +leaves the IP layer. This broke connection tracking on a bridge, +because bridge-netfilter defers calling some NF_IP_* hooks to the bridge +layer for locally generated packets going out a bridge, where the +conntrack reference is no longer available. This patch keeps the +reference in this case as a temporary solution, long term we will +remove the defered hook calling. No attempt is made to drop the +reference in the bridge-code when it is no longer needed, tc actions +could already have sent the packet anywhere. + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + +Index: linux-2.6.12.y/net/bridge/br_netfilter.c +=================================================================== +--- linux-2.6.12.y.orig/net/bridge/br_netfilter.c ++++ linux-2.6.12.y/net/bridge/br_netfilter.c +@@ -882,7 +882,7 @@ static unsigned int ip_sabotage_out(unsi + * doesn't use the bridge parent of the indev by using + * the BRNF_DONT_TAKE_PARENT mask. 
*/ + if (hook == NF_IP_FORWARD && nf_bridge->physindev == NULL) { +- nf_bridge->mask &= BRNF_DONT_TAKE_PARENT; ++ nf_bridge->mask |= BRNF_DONT_TAKE_PARENT; + nf_bridge->physindev = (struct net_device *)in; + } + #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) +Index: linux-2.6.12.y/net/ipv4/ip_output.c +=================================================================== +--- linux-2.6.12.y.orig/net/ipv4/ip_output.c ++++ linux-2.6.12.y/net/ipv4/ip_output.c +@@ -196,7 +196,13 @@ static inline int ip_finish_output2(stru + nf_debug_ip_finish_output2(skb); + #endif /*CONFIG_NETFILTER_DEBUG*/ + +- nf_reset(skb); ++#ifdef CONFIG_BRIDGE_NETFILTER ++ /* bridge-netfilter defers calling some IP hooks to the bridge layer ++ * and still needs the conntrack reference. ++ */ ++ if (skb->nf_bridge == NULL) ++#endif ++ nf_reset(skb); + + if (hh) { + int hh_alen; diff --git a/queue/series b/queue/series new file mode 100644 index 00000000000..ab8ba34ed25 --- /dev/null +++ b/queue/series @@ -0,0 +1 @@ +netfilter-connection-tracking.patch
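Review bot: The `&=` to `|=` change in the br_netfilter.c hunk (`nf_bridge->mask |= BRNF_DONT_TAKE_PARENT;`) is a correct fix, since `&=` with a single flag can never set that flag and would clear every other bit in `mask`, but it is a separate bug from the conntrack-reference problem and the changelog above never mentions it. Suggest adding one sentence to the description, e.g. "Also fix ip_sabotage_out() to actually set BRNF_DONT_TAKE_PARENT instead of masking with it", so that anyone bisecting bridge forwarding behaviour in 2.6.12.y can find this change.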
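Review bot: In the ip_output.c hunk, the `#ifdef CONFIG_BRIDGE_NETFILTER` / `if (skb->nf_bridge == NULL)` / `#endif` construct guards a single bare statement, which is fragile: a later edit that turns `nf_reset(skb);` into two statements or adds braces only on one side of the ifdef will silently change which code is conditional. Suggest either bracing the body (`if (skb->nf_bridge == NULL) { nf_reset(skb); }` with matching `#else` braces) or moving the test into a small inline helper so the non-bridge build stays an unconditional `nf_reset(skb)`. The comment inside the hunk should also say where the retained reference is finally released, given the changelog explicitly states the bridge code makes no attempt to drop it.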
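Review bot: The queue/series hunk adds only `netfilter-connection-tracking.patch`, and the patch header it points to carries a Message-Id and Signed-off-by lines but no upstream commit reference. For stable-queue traceability, suggest adding the mainline commit id (or a "From ... Mon Sep 17 00:00:00 2001" style header naming it) to the patch file so reviewers can confirm the 2.6.12.y backport matches what went into Linus's tree.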