Date:	Wed, 19 Jan 2011 08:03:48 +0800
From:	Changli Gao <xiaosuo@...il.com>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	"David S. Miller" <davem@...emloft.net>,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH resend] netfilter: place in source hash after SNAT is done

On Tue, Jan 18, 2011 at 10:17 PM, Patrick McHardy <kaber@...sh.net> wrote:
>>  net/ipv4/netfilter/nf_nat_core.c |   18 +++++++++++-------
>>  1 file changed, 11 insertions(+), 7 deletions(-)
>> diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
>> index c04787c..51ce55a 100644
>> --- a/net/ipv4/netfilter/nf_nat_core.c
>> +++ b/net/ipv4/netfilter/nf_nat_core.c
>> @@ -221,7 +221,14 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
>>          manips not an issue.  */
>>       if (maniptype == IP_NAT_MANIP_SRC &&
>>           !(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) {
>> -             if (find_appropriate_src(net, zone, orig_tuple, tuple, range)) {
>> +             /* try the original tuple first */
>
> This doesn't seem to be related to the hashing change. Please describe
> the intention behind this change.

Currently, we add the ct at the head of the corresponding bucket of
the source hash table after DNAT is done, so when we do SNAT, the
original ct will be tried first. This change is used to keep this
behavior.


>
>> +             if (in_range(orig_tuple, range)) {
>> +                     if (!nf_nat_used_tuple(orig_tuple, ct)) {
>> +                             *tuple = *orig_tuple;
>> +                             return;
>> +                     }
>> +             } else if (find_appropriate_src(net, zone, orig_tuple, tuple,
>> +                        range)) {
>>                       pr_debug("get_unique_tuple: Found current src map\n");
>>                       if (!nf_nat_used_tuple(tuple, ct))
>>                               return;
>
>
>
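Review bot: In the new in_range(orig_tuple, range) branch, the case where the original tuple is in range but nf_nat_used_tuple(orig_tuple, ct) reports it as taken no longer reaches find_appropriate_src(), because the lookup now sits behind "else if"; before this hunk it was called unconditionally. The comment "try the original tuple first" reads as if a fallback follows. If a fallback is intended, test find_appropriate_src() in a separate "if" after the in-range attempt fails. If it is not, state in the comment and the changelog that an in-range original tuple now skips the existing source mapping lookup, since this is a behaviour change separate from the hashing move.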



-- 
Regards,
Changli Gao(xiaosuo@...il.com)