remove nat pptp conntracking patch

Patch 603-netfilter_nat_pptp.patch appears to be the cause of the longstanding brcm-2.4 dnat off-by-one port forwarding bug. Months of testing builds with this patch removed have not been able to reproduce the issue. The 603 patch is rather large and we (the OpenWrt developers) have not been able to isolate the cause of the bug within the patch. The number of people have actually use pptp nat conntracking is far less than number of people that use port forwarding and as a result we must drop this patch to ensure proper behavior for the majority of users. SVN-Revision: 17552
15 years ago · 7c6ce66330
parent 29666ffa21
commit 7c6ce66330
5 changed files with 125 additions and 2563 deletions
--- a/target/linux/generic-2.4/patches/603-netfilter_nat_pptp.patch
+++ b/target/linux/generic-2.4/patches/603-netfilter_nat_pptp.patch
--- a/target/linux/generic-2.4/patches/606-netfilter_NETMAP.patch
+++ b/target/linux/generic-2.4/patches/606-netfilter_NETMAP.patch
@ -1,6 +1,8 @@
--- a/Documentation/Configure.help
-+++ b/Documentation/Configure.help
-@@ -3086,6 +3086,17 @@ CONFIG_IP_NF_TARGET_REDIRECT
+Index: linux-2.4.37.5/Documentation/Configure.help
+===================================================================
+--- linux-2.4.37.5.orig/Documentation/Configure.help	2009-09-03 00:09:38.000000000 -0700
+++ linux-2.4.37.5/Documentation/Configure.help	2009-09-03 00:12:30.000000000 -0700
+@@ -3086,6 +3086,17 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
@ -18,18 +20,22 @@
 Packet mangling
 CONFIG_IP_NF_MANGLE
   This option adds a `mangle' table to iptables: see the man page for
--- a/net/ipv4/netfilter/Config.in
-+++ b/net/ipv4/netfilter/Config.in
-@@ -65,6 +65,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; 
+Index: linux-2.4.37.5/net/ipv4/netfilter/Config.in
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/Config.in	2009-09-03 00:09:38.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/Config.in	2009-09-03 00:14:38.000000000 -0700
+@@ -63,6 +63,7 @@
       define_bool CONFIG_IP_NF_NAT_NEEDED y
       dep_tristate '    MASQUERADE target support' CONFIG_IP_NF_TARGET_MASQUERADE $CONFIG_IP_NF_NAT
       dep_tristate '    REDIRECT target support' CONFIG_IP_NF_TARGET_REDIRECT $CONFIG_IP_NF_NAT
 +      dep_tristate '    NETMAP target support' CONFIG_IP_NF_TARGET_NETMAP $CONFIG_IP_NF_NAT
-       if [ "$CONFIG_IP_NF_PPTP" = "m" ]; then
-         define_tristate CONFIG_IP_NF_NAT_PPTP m
+       if [ "$CONFIG_IP_NF_AMANDA" = "m" ]; then
+         define_tristate CONFIG_IP_NF_NAT_AMANDA m
       else
--- /dev/null
-+++ b/net/ipv4/netfilter/ipt_NETMAP.c
+Index: linux-2.4.37.5/net/ipv4/netfilter/ipt_NETMAP.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.4.37.5/net/ipv4/netfilter/ipt_NETMAP.c	2009-09-03 00:12:30.000000000 -0700
@@ -0,0 +1,112 @@
 +/* NETMAP - static NAT mapping of IP network addresses (1:1).
 +   The mapping can be applied to source (POSTROUTING),
@ -143,9 +149,11 @@
 +
 +module_init(init);
 +module_exit(fini);
--- a/net/ipv4/netfilter/Makefile
-+++ b/net/ipv4/netfilter/Makefile
-@@ -108,6 +108,7 @@ obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_D
+Index: linux-2.4.37.5/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/Makefile	2009-09-03 00:09:38.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/Makefile	2009-09-03 00:12:30.000000000 -0700
+@@ -99,6 +99,7 @@
 obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
--- a/target/linux/generic-2.4/patches/610-netfilter_connbytes.patch
+++ b/target/linux/generic-2.4/patches/610-netfilter_connbytes.patch
@ -1,17 +1,21 @@
--- a/net/ipv4/netfilter/Config.in
-+++ b/net/ipv4/netfilter/Config.in
-@@ -11,6 +11,8 @@ if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ];
+Index: linux-2.4.37.5/net/ipv4/netfilter/Config.in
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/Config.in	2009-09-03 00:17:38.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/Config.in	2009-09-03 00:25:34.000000000 -0700
+@@ -11,6 +11,8 @@
   dep_tristate '  Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
 +  dep_tristate '  Connection tracking flow accounting' CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK
 +  dep_tristate '  Connection byte counter support' CONFIG_IP_NF_MATCH_CONNBYTES $CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
-   dep_tristate '  GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK
-   dep_tristate '   PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE
 fi
--- a/net/ipv4/netfilter/Makefile
-+++ b/net/ipv4/netfilter/Makefile
-@@ -106,6 +106,7 @@ obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_
+ 
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+Index: linux-2.4.37.5/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/Makefile	2009-09-03 00:17:38.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/Makefile	2009-09-03 00:17:57.000000000 -0700
+@@ -97,6 +97,7 @@
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
 obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
@ -19,9 +23,11 @@
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
 obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
--- a/net/ipv4/netfilter/ip_conntrack_amanda.c
-+++ b/net/ipv4/netfilter/ip_conntrack_amanda.c
-@@ -75,7 +75,7 @@ static int help(const struct iphdr *iph,
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_amanda.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_amanda.c	2009-08-13 15:04:00.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_amanda.c	2009-09-03 00:17:57.000000000 -0700
+@@ -75,7 +75,7 @@
 
 	/* increase the UDP timeout of the master connection as replies from
 	 * Amanda clients to the server can be quite delayed */
@ -30,9 +36,11 @@
 	
 	/* Search for "CONNECT " string */
 	do {
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
-+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
-@@ -211,7 +211,7 @@ static int tcp_packet(struct ip_conntrac
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2009-08-13 15:04:00.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2009-09-03 00:17:57.000000000 -0700
+@@ -211,7 +211,7 @@
 			set_bit(IPS_ASSURED_BIT, &conntrack->status);
 
 		WRITE_UNLOCK(&tcp_lock);
@ -41,9 +49,11 @@
 	}
 
 	return NF_ACCEPT;
--- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c
-+++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
-@@ -47,16 +47,16 @@ static unsigned int udp_print_conntrack(
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_udp.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_proto_udp.c	2009-08-13 15:04:00.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_udp.c	2009-09-03 00:17:57.000000000 -0700
+@@ -47,16 +47,16 @@
 /* Returns verdict for packet, and may modify conntracktype */
 static int udp_packet(struct ip_conntrack *conntrack,
 		      struct iphdr *iph, size_t len,
@ -63,9 +73,11 @@
 
 	return NF_ACCEPT;
 }
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
-+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
-@@ -79,6 +79,18 @@ print_expect(char *buffer, const struct 
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_standalone.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c	2009-09-03 00:17:18.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_standalone.c	2009-09-03 00:17:57.000000000 -0700
+@@ -79,6 +79,18 @@
 	return len;
 }
 
@ -84,7 +96,7 @@
 static unsigned int
 print_conntrack(char *buffer, struct ip_conntrack *conntrack)
 {
-@@ -98,11 +110,15 @@ print_conntrack(char *buffer, struct ip_
+@@ -98,11 +110,15 @@
 	len += print_tuple(buffer + len,
 			   &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
 			   proto);
@ -100,7 +112,7 @@
 	if (test_bit(IPS_ASSURED_BIT, &conntrack->status))
 		len += sprintf(buffer + len, "[ASSURED] ");
 	len += sprintf(buffer + len, "use=%u ",
-@@ -481,7 +497,7 @@ EXPORT_SYMBOL(ip_conntrack_get);
+@@ -481,7 +497,7 @@
 EXPORT_SYMBOL(ip_conntrack_helper_register);
 EXPORT_SYMBOL(ip_conntrack_helper_unregister);
 EXPORT_SYMBOL(ip_ct_iterate_cleanup);
@ -109,9 +121,11 @@
 EXPORT_SYMBOL(ip_ct_find_proto);
 EXPORT_SYMBOL(__ip_ct_find_proto);
 EXPORT_SYMBOL(ip_ct_find_helper);
--- a/net/ipv4/netfilter/ip_conntrack_proto_generic.c
-+++ b/net/ipv4/netfilter/ip_conntrack_proto_generic.c
-@@ -41,9 +41,9 @@ static unsigned int generic_print_conntr
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_generic.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_proto_generic.c	2009-08-13 15:04:00.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_generic.c	2009-09-03 00:17:57.000000000 -0700
+@@ -41,9 +41,9 @@
 /* Returns verdict for packet, or -1 for invalid. */
 static int established(struct ip_conntrack *conntrack,
 		       struct iphdr *iph, size_t len,
@ -123,9 +137,11 @@
 	return NF_ACCEPT;
 }
 
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
-+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
-@@ -82,7 +82,7 @@ static int icmp_packet(struct ip_conntra
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	2009-08-13 15:04:00.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	2009-09-03 00:17:57.000000000 -0700
+@@ -82,7 +82,7 @@
 			ct->timeout.function((unsigned long)ct);
 	} else {
 		atomic_inc(&ct->proto.icmp.count);
@ -134,9 +150,11 @@
 	}
 
 	return NF_ACCEPT;
--- a/net/ipv4/netfilter/ip_conntrack_core.c
-+++ b/net/ipv4/netfilter/ip_conntrack_core.c
-@@ -1196,22 +1196,40 @@ void ip_conntrack_helper_unregister(stru
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_core.c
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/ip_conntrack_core.c	2009-09-03 00:17:18.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_core.c	2009-09-03 00:17:57.000000000 -0700
+@@ -1193,22 +1193,40 @@
 
 	MOD_DEC_USE_COUNT;
 }
@ -180,9 +198,11 @@
 	}
 	WRITE_UNLOCK(&ip_conntrack_lock);
 }
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
-+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
-@@ -164,6 +164,12 @@ struct ip_conntrack_expect
+Index: linux-2.4.37.5/include/linux/netfilter_ipv4/ip_conntrack.h
+===================================================================
+--- linux-2.4.37.5.orig/include/linux/netfilter_ipv4/ip_conntrack.h	2009-09-03 00:17:18.000000000 -0700
+++ linux-2.4.37.5/include/linux/netfilter_ipv4/ip_conntrack.h	2009-09-03 00:17:57.000000000 -0700
+@@ -156,6 +156,12 @@
 	union ip_conntrack_expect_help help;
 };
 
@ -195,7 +215,7 @@
 struct ip_conntrack_helper;
 
 struct ip_conntrack
-@@ -181,6 +187,12 @@ struct ip_conntrack
+@@ -173,6 +179,12 @@
 	/* Timer function; drops refcnt when it goes off. */
 	struct timer_list timeout;
 
@ -208,7 +228,7 @@
 	/* If we're expecting another related connection, this will be
            in expected linked list */
 	struct list_head sibling_list;
-@@ -264,8 +276,10 @@ extern int invert_tuplepr(struct ip_conn
+@@ -256,8 +268,10 @@
 			  const struct ip_conntrack_tuple *orig);
 
 /* Refresh conntrack for this many jiffies */
@ -221,8 +241,10 @@
 
 /* These are for NAT.  Icky. */
 /* Call me when a conntrack is destroyed. */
--- /dev/null
-+++ b/net/ipv4/netfilter/ipt_connbytes.c
+Index: linux-2.4.37.5/net/ipv4/netfilter/ipt_connbytes.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.4.37.5/net/ipv4/netfilter/ipt_connbytes.c	2009-09-03 00:17:57.000000000 -0700
@@ -0,0 +1,163 @@
 +/* Kernel module to match connection tracking byte counter.
 + * GPL (C) 2002 Martin Devera (devik@cdi.cz).
@ -387,8 +409,10 @@
 +module_init(init);
 +module_exit(fini);
 +MODULE_LICENSE("GPL");
--- /dev/null
-+++ b/include/linux/netfilter_ipv4/ipt_connbytes.h
+Index: linux-2.4.37.5/include/linux/netfilter_ipv4/ipt_connbytes.h
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.4.37.5/include/linux/netfilter_ipv4/ipt_connbytes.h	2009-09-03 00:17:57.000000000 -0700
@@ -0,0 +1,25 @@
 +#ifndef _IPT_CONNBYTES_H
 +#define _IPT_CONNBYTES_H
@ -415,25 +439,3 @@
 +};
 +
 +#endif
--- a/net/ipv4/netfilter/ip_conntrack_proto_gre.c
-+++ b/net/ipv4/netfilter/ip_conntrack_proto_gre.c
-@@ -237,16 +237,16 @@ static unsigned int gre_print_conntrack(
- /* Returns verdict for packet, and may modify conntrack */
- static int gre_packet(struct ip_conntrack *ct,
- 		      struct iphdr *iph, size_t len,
-		      enum ip_conntrack_info conntrackinfo)
-+		      enum ip_conntrack_info ctinfo)
- {
- 	/* If we've seen traffic both ways, this is a GRE connection.
- 	 * Extend timeout. */
- 	if (ct->status & IPS_SEEN_REPLY) {
-		ip_ct_refresh_acct(ct, ct->proto.gre.stream_timeout);
-+		ip_ct_refresh_acct(ct, ctinfo, iph, ct->proto.gre.stream_timeout);
- 		/* Also, more likely to be important, and not a probe. */
- 		set_bit(IPS_ASSURED_BIT, &ct->status);
- 	} else
-		ip_ct_refresh_acct(ct, ct->proto.gre.timeout);
-+		ip_ct_refresh_acct(ct, ctinfo, iph, ct->proto.gre.timeout);
- 	
- 	return NF_ACCEPT;
- }
--- a/target/linux/generic-2.4/patches/613-netfilter_nat_h323.patch
+++ b/target/linux/generic-2.4/patches/613-netfilter_nat_h323.patch
@ -1,14 +1,16 @@
--- a/net/ipv4/netfilter/Config.in
-+++ b/net/ipv4/netfilter/Config.in
-@@ -15,6 +15,7 @@ if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ];
+Index: linux-2.4.37.5/net/ipv4/netfilter/Config.in
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/Config.in	2009-09-03 01:07:45.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/Config.in	2009-09-03 01:30:37.000000000 -0700
+@@ -13,6 +13,7 @@
+   dep_tristate '  IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
+   dep_tristate '  Connection tracking flow accounting' CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  Connection byte counter support' CONFIG_IP_NF_MATCH_CONNBYTES $CONFIG_IP_NF_CT_ACCT $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
-   dep_tristate '  GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK
-   dep_tristate '   PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE
 +  dep_tristate '  H.323 (netmeeting) support' CONFIG_IP_NF_H323 $CONFIG_IP_NF_CONNTRACK
 fi
 
 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
-@@ -110,6 +111,13 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; 
+@@ -94,6 +95,13 @@
           define_tristate CONFIG_IP_NF_NAT_AMANDA $CONFIG_IP_NF_NAT
         fi
       fi
@ -22,29 +24,32 @@
       if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
         dep_tristate '    Basic SNMP-ALG support (EXPERIMENTAL)' CONFIG_IP_NF_NAT_SNMP_BASIC $CONFIG_IP_NF_NAT
       fi
--- a/net/ipv4/netfilter/Makefile
-+++ b/net/ipv4/netfilter/Makefile
-@@ -53,6 +53,10 @@ obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack
- ifdef CONFIG_IP_NF_NAT_PPTP
- 	export-objs += ip_conntrack_pptp.o
+Index: linux-2.4.37.5/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.4.37.5.orig/net/ipv4/netfilter/Makefile	2009-09-03 01:07:45.000000000 -0700
+++ linux-2.4.37.5/net/ipv4/netfilter/Makefile	2009-09-03 01:31:13.000000000 -0700
+@@ -47,12 +47,17 @@
+ ifdef CONFIG_IP_NF_IRC
+ 	export-objs += ip_conntrack_irc.o
 endif
 +obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
 +ifdef CONFIG_IP_NF_NAT_H323
 +       export-objs += ip_conntrack_h323.o
 +endif
 
- 
 # NAT helpers 
-@@ -62,6 +66,7 @@ obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ft
+ obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o
+ obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
+ obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
- obj-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre.o
- obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
 +obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
 
 # generic IP tables 
 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
--- /dev/null
-+++ b/net/ipv4/netfilter/ip_conntrack_h323.c
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_h323.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_conntrack_h323.c	2009-09-03 01:16:29.000000000 -0700
@@ -0,0 +1,302 @@
 +/* 
 + * H.323 'brute force' extension for H.323 connection tracking. 
@ -348,8 +353,10 @@
 +
 +module_init(init);
 +module_exit(fini);
--- /dev/null
-+++ b/net/ipv4/netfilter/ip_nat_h323.c
+Index: linux-2.4.37.5/net/ipv4/netfilter/ip_nat_h323.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.4.37.5/net/ipv4/netfilter/ip_nat_h323.c	2009-09-03 01:16:29.000000000 -0700
@@ -0,0 +1,403 @@
 +/* 
 + * H.323 'brute force' extension for NAT alteration. 
@ -754,34 +761,38 @@
 +
 +module_init(init);
 +module_exit(fini);
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
-+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
-@@ -71,6 +71,7 @@ union ip_conntrack_expect_proto {
+Index: linux-2.4.37.5/include/linux/netfilter_ipv4/ip_conntrack.h
+===================================================================
+--- linux-2.4.37.5.orig/include/linux/netfilter_ipv4/ip_conntrack.h	2009-09-03 00:17:57.000000000 -0700
+++ linux-2.4.37.5/include/linux/netfilter_ipv4/ip_conntrack.h	2009-09-03 01:28:53.000000000 -0700
+@@ -67,6 +67,7 @@
+ 
 #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_irc.h>
- #include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
 +#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
 
 /* per expectation: application helper private data */
 union ip_conntrack_expect_help {
-@@ -79,6 +80,7 @@ union ip_conntrack_expect_help {
+@@ -74,6 +75,7 @@
+ 	struct ip_ct_amanda_expect exp_amanda_info;
 	struct ip_ct_ftp_expect exp_ftp_info;
 	struct ip_ct_irc_expect exp_irc_info;
- 	struct ip_ct_pptp_expect exp_pptp_info;
 +	struct ip_ct_h225_expect exp_h225_info;
 
 #ifdef CONFIG_IP_NF_NAT_NEEDED
 	union {
-@@ -93,6 +95,7 @@ union ip_conntrack_help {
+@@ -87,6 +89,7 @@
+ 	/* insert conntrack helper private data (master) here */
 	struct ip_ct_ftp_master ct_ftp_info;
 	struct ip_ct_irc_master ct_irc_info;
- 	struct ip_ct_pptp_master ct_pptp_info;
 +	struct ip_ct_h225_master ct_h225_info;
 };
 
 #ifdef CONFIG_IP_NF_NAT_NEEDED
--- /dev/null
-+++ b/include/linux/netfilter_ipv4/ip_conntrack_h323.h
+Index: linux-2.4.37.5/include/linux/netfilter_ipv4/ip_conntrack_h323.h
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.4.37.5/include/linux/netfilter_ipv4/ip_conntrack_h323.h	2009-09-03 01:16:29.000000000 -0700
@@ -0,0 +1,30 @@
 +#ifndef _IP_CONNTRACK_H323_H
 +#define _IP_CONNTRACK_H323_H
--- a/target/linux/generic-2.4/patches/625-netfilter_nat_pptp_fix.patch
+++ b/target/linux/generic-2.4/patches/625-netfilter_nat_pptp_fix.patch
@ -1,53 +0,0 @@
--- a/net/ipv4/netfilter/ip_conntrack_pptp.c
-+++ b/net/ipv4/netfilter/ip_conntrack_pptp.c
-@@ -134,12 +134,11 @@ static int pptp_expectfn(struct ip_connt
- }
- 
- /* timeout GRE data connections */
-static int pptp_timeout_related(struct ip_conntrack *ct)
-+static int pptp_timeout_related(struct ip_conntrack *ct, const struct iphdr *iph)
- {
- 	struct list_head *cur_item, *next;
- 	struct ip_conntrack_expect *exp;
- 	enum ip_conntrack_info ctinfo;
-	struct iphdr *iph;
- 
- 	/* FIXME: do we have to lock something ? */
- 	for (cur_item = ct->sibling_list.next;
-@@ -245,7 +244,8 @@ pptp_inbound_pkt(struct tcphdr *tcph,
- 		 struct pptp_pkt_hdr *pptph, 
- 		 size_t datalen,
- 		 struct ip_conntrack *ct,
-		 enum ip_conntrack_info ctinfo)
-+		 enum ip_conntrack_info ctinfo,
-+		 const struct iphdr *iph)
- {
- 	struct PptpControlHeader *ctlh;
-         union pptp_ctrl_union pptpReq;
-@@ -377,7 +377,7 @@ pptp_inbound_pkt(struct tcphdr *tcph,
- 		info->cstate = PPTP_CALL_NONE;
- 
- 		/* untrack this call id, unexpect GRE packets */
-		pptp_timeout_related(ct);
-+		pptp_timeout_related(ct, iph);
- 		break;
- 
- 	case PPTP_WAN_ERROR_NOTIFY:
-@@ -539,7 +539,7 @@ conntrack_pptp_help(const struct iphdr *
- 		info->cstate = PPTP_CALL_NONE;
- 
- 		/* untrack this call id, unexpect GRE packets */
-		pptp_timeout_related(ct);
-+		pptp_timeout_related(ct, iph);
- 	}
- 
- 
-@@ -571,7 +571,7 @@ conntrack_pptp_help(const struct iphdr *
- 		ret = pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo);
- 	else
- 		/* server -> client (PAC -> PNS) */
-		ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo);
-+		ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo, iph);
- 	DEBUGP("sstate: %d->%d, cstate: %d->%d\n",
- 		oldsstate, info->sstate, oldcstate, info->cstate);
- 	UNLOCK_BH(&ip_pptp_lock);