
Re: Droping untracked packet



> Apr  9 00:03:20 dino kernel: NAT: 0 dropping untracked packet c688a860 1 y.y.y.y -> x.x.x.x

This seems to me like the problems I was having with ICMP packets being
dropped when using mtr. Rusty Russell has been around this weekend and has
produced a patch to solve this; even though he hasn't tested the code
yet, I have, and it seems to work OK. Once tested properly it should go into the
main netfilter code. I'm including the patch next, in case you
want to try it:

diff -urN -I \$.*\$ -X /tmp/kerndiff.pDw0T6 --minimal linux-2.4.3-official/include/linux/netfilter_ipv4/ip_conntrack.h working-2.4.3-icmp-fix/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.4.3-official/include/linux/netfilter_ipv4/ip_conntrack.h	Fri Mar  9 10:45:18 2001
+++ working-2.4.3-icmp-fix/include/linux/netfilter_ipv4/ip_conntrack.h	Sun Apr  8 02:29:47 2001
@@ -32,6 +32,7 @@
 #include <linux/types.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
+#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
 
 #ifdef CONFIG_NF_DEBUG
 #define IP_NF_ASSERT(x)							\
@@ -124,6 +125,7 @@
 
 	union {
 		struct ip_ct_tcp tcp;
+		struct ip_ct_icmp icmp;
 	} proto;
 
 	union {
diff -urN -I \$.*\$ -X /tmp/kerndiff.pDw0T6 --minimal linux-2.4.3-official/include/linux/netfilter_ipv4/ip_conntrack_icmp.h working-2.4.3-icmp-fix/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
--- linux-2.4.3-official/include/linux/netfilter_ipv4/ip_conntrack_icmp.h	Thu Jan  1 10:00:00 1970
+++ working-2.4.3-icmp-fix/include/linux/netfilter_ipv4/ip_conntrack_icmp.h	Sun Apr  8 02:29:47 2001
@@ -0,0 +1,11 @@
+#ifndef _IP_CONNTRACK_ICMP_H
+#define _IP_CONNTRACK_ICMP_H
+/* ICMP tracking. */
+#include <asm/atomic.h>
+
+struct ip_ct_icmp
+{
+	/* Optimization: when number in == number out, forget immediately. */
+	atomic_t count;
+};
+#endif /* _IP_CONNTRACK_ICMP_H */
diff -urN -I \$.*\$ -X /tmp/kerndiff.pDw0T6 --minimal linux-2.4.3-official/net/ipv4/netfilter/ip_conntrack_proto_icmp.c working-2.4.3-icmp-fix/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
--- linux-2.4.3-official/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	Sat Apr 15 02:37:57 2000
+++ working-2.4.3-icmp-fix/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	Sun Apr  8 02:03:44 2001
@@ -72,15 +72,18 @@
 		       struct iphdr *iph, size_t len,
 		       enum ip_conntrack_info ctinfo)
 {
-	/* FIXME: Should keep count of orig - reply packets: if == 0,
-           destroy --RR */
-	/* Delete connection immediately on reply: won't actually
-           vanish as we still have skb */
+	/* Try to delete connection immediately after all replies:
+           won't actually vanish as we still have skb, and del_timer
+           means this will only run once even if count hits zero twice
+           (theoretically possible with SMP) */
 	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
-		if (del_timer(&ct->timeout))
+		if (atomic_dec_and_test(&ct->proto.icmp.count)
+		    && del_timer(&ct->timeout))
 			ct->timeout.function((unsigned long)ct);
-	} else
+	} else {
+		atomic_inc(&ct->proto.icmp.count);
 		ip_ct_refresh(ct, ICMP_TIMEOUT);
+	}
 
 	return NF_ACCEPT;
 }
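Review bot: The reply branch can drive `count` below zero: once `atomic_dec_and_test` has reached zero and fired the timeout callback, any further reply matching the same tuple (the entry is still reachable while the skb holds it, as the new comment says, and duplicate echo replies are ordinary on lossy links) takes the counter to -1, after which later request/reply pairs move between -1 and 0 and the test never fires again, so the early-release optimization silently stops for the rest of the entry's lifetime and it lives until ICMP_TIMEOUT as before. That is the pre-patch behaviour rather than a hole, but it deserves a line in the new comment so the next reader does not assume the balance is exact, e.g. `/* count can go negative if replies outnumber requests; we then just fall back to the ICMP_TIMEOUT expiry */`. The enclosing function's signature begins before this hunk.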
@@ -103,6 +106,7 @@
 		DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
 		return 0;
 	}
+	atomic_set(&conntrack->proto.icmp.count, 1);
 	return ICMP_TIMEOUT;
 }
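Review bot: `atomic_set(&conntrack->proto.icmp.count, 1);` in the new-connection path looks like it double-counts the packet that creates the entry if the conntrack core also passes that same packet to the per-protocol `packet()` callback afterwards, which I believe is the call order in this tree; the `atomic_inc` in the previous hunk would then take the count to 2 and a single request/reply exchange never reaches zero, so the entry lingers for the full ICMP_TIMEOUT instead of being released early. If that is the sequence, the initializer should be `atomic_set(&conntrack->proto.icmp.count, 0);` with a comment such as `/* packet() also sees this first packet and does the increment */` recording why. This is easy to confirm with a single ping by checking whether the entry disappears right after the reply or only after ICMP_TIMEOUT. The function header is outside this hunk.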

Hope it helps!

Regards...
-- 
Manty/BestiaTester -> http://manty.net


