- fix a pretty fundamental bug in how context IDs are associated with

  connections. In the loopback case, you need to associate each loopback
  connection with two contexts, the original sender's and the original
  receiver's (or, equivalently, the replying sender's, which is why you
  see !dir in the NF_IP_LOCAL_IN case). In the common case (sending from
  a local process to a remote machine), the code need only refer to the
  original sender's context ID.

diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 1ba82b4..a325de5 100644 (file)
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -209,7 +209,7 @@ struct ip_conntrack
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
        /* VServer context id */
-       xid_t xid;
+       xid_t xid[IP_CT_DIR_MAX];
 
 };