
rpms/kernel/FC-4 linux-2.6.12-net-conntrack-bridge-fix.patch, NONE, 1.1 kernel-2.6.spec, 1.1394, 1.1395



Author: davej

Update of /cvs/dist/rpms/kernel/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv3581

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6.12-net-conntrack-bridge-fix.patch 
Log Message:
Fix connection tracking bug with bridging. (#162438)



linux-2.6.12-net-conntrack-bridge-fix.patch:
 bridge/br_netfilter.c |    2 +-
 ipv4/ip_output.c      |    8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--- NEW FILE linux-2.6.12-net-conntrack-bridge-fix.patch ---
diff-tree 9666dae51013b064e7d77fc36b5cee98dd167ed5 (from bcd61272db5e643b6d9c01c9d5085b914d9f19df)
Author: Patrick McHardy <kaber trash net>
Date:   Tue Jun 28 16:04:44 2005 -0700

    [NETFILTER]: Fix connection tracking bug in 2.6.12
    
    In 2.6.12 we started dropping the conntrack reference when a packet
    leaves the IP layer. This broke connection tracking on a bridge,
    because bridge-netfilter defers calling some NF_IP_* hooks to the bridge
    layer for locally generated packets going out a bridge, where the
    conntrack reference is no longer available. This patch keeps the
    reference in this case as a temporary solution, long term we will
    remove the deferred hook calling. No attempt is made to drop the
    reference in the bridge-code when it is no longer needed, tc actions
    could already have sent the packet anywhere.
    
    Signed-off-by: Patrick McHardy <kaber trash net>
    Signed-off-by: David S. Miller <davem davemloft net>

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -844,7 +844,7 @@ static unsigned int ip_sabotage_out(unsi
 		 * doesn't use the bridge parent of the indev by using
 		 * the BRNF_DONT_TAKE_PARENT mask. */
 		if (hook == NF_IP_FORWARD && nf_bridge->physindev == NULL) {
-			nf_bridge->mask &= BRNF_DONT_TAKE_PARENT;
+			nf_bridge->mask |= BRNF_DONT_TAKE_PARENT;
 			nf_bridge->physindev = (struct net_device *)in;
 		}
 #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
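Review bot: The `&=` to `|=` change on `nf_bridge->mask` in ip_sabotage_out() is not covered by the log message, which only talks about keeping the conntrack reference. The old line cleared every mask bit except BRNF_DONT_TAKE_PARENT instead of setting that flag, so this reads as a separate fix; give it its own sentence in the log (or its own patch) so it can be bisected and backported independently of the ip_output.c change.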
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -188,7 +188,13 @@ static inline int ip_finish_output2(stru
 		skb = skb2;
 	}
 
-	nf_reset(skb);
+#ifdef CONFIG_BRIDGE_NETFILTER
+	/* bridge-netfilter defers calling some IP hooks to the bridge layer
+	 * and still needs the conntrack reference.
+	 */
+	if (skb->nf_bridge == NULL)
+#endif
+		nf_reset(skb);
 
 	if (hh) {
 		int hh_alen;
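Review bot: The brace-less `if (skb->nf_bridge == NULL)` sits inside `#ifdef CONFIG_BRIDGE_NETFILTER` while its body, `nf_reset(skb);`, sits after the `#endif`, so any statement later inserted between them silently becomes the conditional body and nf_reset() runs unconditionally again. Wrapping the test in a small helper or bracing the call in both configurations would be safer. The test is also broader than the case the log describes: it skips the reset for every skb that carries an nf_bridge pointer, not only for locally generated packets leaving through a bridge, and the new comment should say that nothing drops the reference afterwards in the bridge code, as the log message admits.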


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-4/kernel-2.6.spec,v
retrieving revision 1.1394
retrieving revision 1.1395
diff -u -r1.1394 -r1.1395
--- kernel-2.6.spec	12 Jul 2005 20:53:12 -0000	1.1394
+++ kernel-2.6.spec	13 Jul 2005 01:52:37 -0000	1.1395
@@ -307,6 +307,7 @@
 Patch1301: linux-2.6.12-net-sundance-ip100A.patch
 Patch1302: linux-2.6.12-net-make-orinoco-suck-less.patch
 Patch1304: linux-2.6.12-net-atm-lanai-nodev-rmmod.patch
+Patch1305: linux-2.6.12-net-conntrack-bridge-fix.patch
 
 # USB bits
 Patch1400: linux-2.6.12-usb-old_scheme_first.patch
@@ -729,6 +730,8 @@
 %patch1302 -p1
 # Fix rmmod lanai
 %patch1304 -p1
+# Fix connection tracking bug with bridging.
+%patch1305 -p1
 
 # USB Bits.
 # Enable both old and new style USB initialisation.
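Review bot: The comment above `%patch1305 -p1` carries neither the bug number nor the upstream commit, unlike the changelog entry which has `(#162438)`. Adding the bug number and the diff-tree id 9666dae51013b064e7d77fc36b5cee98dd167ed5 here would make it obvious on the next rebase that this is an upstream backport, and a temporary one by the log's own description, that can be dropped once the base kernel contains it.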
@@ -1266,6 +1269,7 @@
 - Fix up several reports of CD's causing crashes.
 - Make -p port arg of rpc.nfsd work.
 - Work around a usbmon deficiency.
+- Fix connection tracking bug with bridging. (#162438)
 
 * Mon Jul 11 2005 Dave Jones <davej redhat com>
 - Fix up locking in piix IDE driver whilst tuning chipset.

