renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-26 22:24:09 +08:00
Code

[NETFILTER]: Use conntrack information to determine if packet was NATed

Browse Source 
Preparation for IPsec support for NAT:
Use conntrack information instead of saving the saving and comparing the
addresses to determine if a packet was NATed and needs to be rerouted to
make it easier to extend the key.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2006-01-06 23:05:17 -08:00 committed by David S. Miller
parent 3e3850e989
commit 4e8e9de7c2
1 changed files with 19 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
net/ipv4/netfilter/ip_nat_standalone.c
View File

@ -162,18 +162,20 @@ ip_nat_in(unsigned int hooknum,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
u_int32_t saddr, daddr; struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
unsigned int ret; unsigned int ret;
saddr = (*pskb)->nh.iph->saddr;
daddr = (*pskb)->nh.iph->daddr;
ret = ip_nat_fn(hooknum, pskb, in, out, okfn); ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
if (ret != NF_DROP && ret != NF_STOLEN if (ret != NF_DROP && ret != NF_STOLEN
&& ((*pskb)->nh.iph->saddr != saddr && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
|| (*pskb)->nh.iph->daddr != daddr)) { enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
dst_release((*pskb)->dst);
(*pskb)->dst = NULL; if (ct->tuplehash[dir].tuple.src.ip !=
ct->tuplehash[!dir].tuple.dst.ip) {
dst_release((*pskb)->dst);
(*pskb)->dst = NULL;
}
} }
return ret; return ret;
} }
@ -200,7 +202,8 @@ ip_nat_local_fn(unsigned int hooknum,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
u_int32_t saddr, daddr; struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
unsigned int ret; unsigned int ret;
/* root is playing with raw sockets. */ /* root is playing with raw sockets. */
@ -208,14 +211,15 @@ ip_nat_local_fn(unsigned int hooknum,
|| (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
return NF_ACCEPT; return NF_ACCEPT;
saddr = (*pskb)->nh.iph->saddr;
daddr = (*pskb)->nh.iph->daddr;
ret = ip_nat_fn(hooknum, pskb, in, out, okfn); ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
if (ret != NF_DROP && ret != NF_STOLEN if (ret != NF_DROP && ret != NF_STOLEN
&& ((*pskb)->nh.iph->saddr != saddr && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
|| (*pskb)->nh.iph->daddr != daddr)) enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
if (ct->tuplehash[dir].tuple.dst.ip !=
ct->tuplehash[!dir].tuple.src.ip)
return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
}
return ret; return ret;
} }