* [PATCH 2.6] LOCAL_OUT Nat fix #1
@ 2003-10-02 16:15 Harald Welte
  2003-10-03  6:16 ` David S. Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Harald Welte @ 2003-10-02 16:15 UTC (permalink / raw)
  To: David Miller; +Cc: Netfilter Development Mailinglist


[-- Attachment #1.1: Type: text/plain, Size: 1071 bytes --]

Hi Davem!

Please apply the following patch to your 2.6 tree, thanks


Author: Harald Welte <laforge@netfilter.org>
Status: Pending for kernel inclusion

D: the 25_natcore-nohelper.patch (incorporated in 2.4.22) did not actually make
D: things better.  If a NAT rule was matched, num_manips can still be 0.
D: However, some helpers (like PPTP) need to _always_ mangle the packets,
D: even if there is no NAT mapping for a particular connection.
D: On the other hand, as soon as CONFIG_IP_NF_NAT_LOCAL was disabled,
D: we ended up half-mangling local (non-NAT'ed) connections.  This patch
D: removes the LOCAL_OUT hook from the NAT core unless CONFIG_IP_NF_NAT_LOCAL
D: is enabled.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #1.2: 83_nolocalout.patch --]
[-- Type: text/plain, Size: 3131 bytes --]

diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.0-test6-ctsysctl/net/ipv4/netfilter/ip_nat_core.c linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.6.0-test6-ctsysctl/net/ipv4/netfilter/ip_nat_core.c	2003-09-28 02:50:10.000000000 +0200
+++ linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_core.c	2003-10-02 18:24:44.000000000 +0200
@@ -761,11 +761,6 @@
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	int proto = (*pskb)->nh.iph->protocol;
 
-	/* Skip everything and don't call helpers if there are no
-	 * manips for this connection */
-	if (info->num_manips == 0)
-		return NF_ACCEPT;
-
 	/* Need nat lock to protect against modification, but neither
 	   conntrack (referenced) and helper (deleted with
 	   synchronize_bh()) can vanish. */
diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.0-test6-ctsysctl/net/ipv4/netfilter/ip_nat_standalone.c linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_standalone.c
--- linux-2.6.0-test6-ctsysctl/net/ipv4/netfilter/ip_nat_standalone.c	2003-09-28 02:50:39.000000000 +0200
+++ linux-2.6.0-test6-localnat/net/ipv4/netfilter/ip_nat_standalone.c	2003-10-02 18:26:02.000000000 +0200
@@ -199,6 +199,7 @@
 	return ip_nat_fn(hooknum, pskb, in, out, okfn);
 }
 
+#ifdef CONFIG_IP_NF_NAT_LOCAL
 static unsigned int
 ip_nat_local_fn(unsigned int hooknum,
 		struct sk_buff **pskb,
@@ -224,6 +225,7 @@
 		return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
 	return ret;
 }
+#endif
 
 /* We must be after connection tracking and before packet filtering. */
 
@@ -245,6 +247,7 @@
 	.priority	= NF_IP_PRI_NAT_SRC,
 };
 
+#ifdef CONFIG_IP_NF_NAT_LOCAL
 /* Before packet filtering, change destination */
 static struct nf_hook_ops ip_nat_local_out_ops = {
 	.hook		= ip_nat_local_fn,
@@ -254,7 +257,7 @@
 	.priority	= NF_IP_PRI_NAT_DST,
 };
 
-#ifdef CONFIG_IP_NF_NAT_LOCAL
+/* After packet filtering, change source for reply packets of LOCAL_OUT DNAT */
 static struct nf_hook_ops ip_nat_local_in_ops = {
 	.hook		= ip_nat_fn,
 	.owner		= THIS_MODULE,
@@ -324,12 +327,12 @@
 		printk("ip_nat_init: can't register out hook.\n");
 		goto cleanup_inops;
 	}
+#ifdef CONFIG_IP_NF_NAT_LOCAL
 	ret = nf_register_hook(&ip_nat_local_out_ops);
 	if (ret < 0) {
 		printk("ip_nat_init: can't register local out hook.\n");
 		goto cleanup_outops;
 	}
-#ifdef CONFIG_IP_NF_NAT_LOCAL
 	ret = nf_register_hook(&ip_nat_local_in_ops);
 	if (ret < 0) {
 		printk("ip_nat_init: can't register local in hook.\n");
@@ -342,9 +345,9 @@
 #ifdef CONFIG_IP_NF_NAT_LOCAL
 	nf_unregister_hook(&ip_nat_local_in_ops);
  cleanup_localoutops:
-#endif
 	nf_unregister_hook(&ip_nat_local_out_ops);
  cleanup_outops:
+#endif
 	nf_unregister_hook(&ip_nat_out_ops);
  cleanup_inops:
 	nf_unregister_hook(&ip_nat_in_ops);
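Review bot: Moving `#endif` below `cleanup_outops:` means that label exists only when CONFIG_IP_NF_NAT_LOCAL is defined; the only jump to it visible in this patch (`goto cleanup_outops;` in the previous hunk) sits inside the matching `#ifdef`, so the visible parts are consistent. ip_nat_init continues outside these hunks, though, so any remaining unguarded `goto cleanup_outops` in the non-visible part would fail to compile in the non-LOCAL configuration and is worth a quick check. A short comment on the label would make the dependency explicit, e.g. `cleanup_outops: /* only reachable from the CONFIG_IP_NF_NAT_LOCAL registration block */`.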

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]


* Re: [PATCH 2.6] LOCAL_OUT Nat fix #1
  2003-10-02 16:15 [PATCH 2.6] LOCAL_OUT Nat fix #1 Harald Welte
@ 2003-10-03  6:16 ` David S. Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David S. Miller @ 2003-10-03  6:16 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel

On Thu, 2 Oct 2003 18:15:28 +0200
Harald Welte <laforge@netfilter.org> wrote:

> Please apply the following patch to your 2.6 tree, thanks

Applied, thanks.

