From: Patrick McHardy <kaber@trash.net>
To: David S. Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org,
Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 06/10]: Use conntrack information to determine if packet was NATed
Date: Sat, 7 Jan 2006 02:09:39 +0100 (MET) [thread overview]
Message-ID: <20060107010903.8712.43394.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20060107010855.8712.68786.sendpatchset@localhost.localdomain>
[NETFILTER]: Use conntrack information to determine if packet was NATed
Preparation for IPsec support for NAT:
Use conntrack information instead of saving the saving and comparing the
addresses to determine if a packet was NATed and needs to be rerouted to
make it easier to extend the key.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 3ba04601534a6f050fb695c92ddc62d403078cc6
tree 01e3981c9fae596a30f0ce815f9695f71417724b
parent d923d6ec05f49c2b746a7e8c6d0a71f3bcc35b4e
author Patrick McHardy <kaber@trash.net> Sat, 07 Jan 2006 01:02:59 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 07 Jan 2006 01:02:59 +0100
net/ipv4/netfilter/ip_nat_standalone.c | 34 ++++++++++++++++++--------------
1 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index f04111f..1bb5089 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -162,18 +162,20 @@ ip_nat_in(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- u_int32_t saddr, daddr;
+ struct ip_conntrack *ct;
+ enum ip_conntrack_info ctinfo;
unsigned int ret;
- saddr = (*pskb)->nh.iph->saddr;
- daddr = (*pskb)->nh.iph->daddr;
-
ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
if (ret != NF_DROP && ret != NF_STOLEN
- && ((*pskb)->nh.iph->saddr != saddr
- || (*pskb)->nh.iph->daddr != daddr)) {
- dst_release((*pskb)->dst);
- (*pskb)->dst = NULL;
+ && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+
+ if (ct->tuplehash[dir].tuple.src.ip !=
+ ct->tuplehash[!dir].tuple.dst.ip) {
+ dst_release((*pskb)->dst);
+ (*pskb)->dst = NULL;
+ }
}
return ret;
}
@@ -200,7 +202,8 @@ ip_nat_local_fn(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- u_int32_t saddr, daddr;
+ struct ip_conntrack *ct;
+ enum ip_conntrack_info ctinfo;
unsigned int ret;
/* root is playing with raw sockets. */
@@ -208,14 +211,15 @@ ip_nat_local_fn(unsigned int hooknum,
|| (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
return NF_ACCEPT;
- saddr = (*pskb)->nh.iph->saddr;
- daddr = (*pskb)->nh.iph->daddr;
-
ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
if (ret != NF_DROP && ret != NF_STOLEN
- && ((*pskb)->nh.iph->saddr != saddr
- || (*pskb)->nh.iph->daddr != daddr))
- return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+ && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+
+ if (ct->tuplehash[dir].tuple.dst.ip !=
+ ct->tuplehash[!dir].tuple.src.ip)
+ return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+ }
return ret;
}
next prev parent reply other threads:[~2006-01-07 1:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-07 1:09 [NETFILTER 00/10]: Netfilter IPsec support Patrick McHardy
2006-01-07 1:09 ` [XFRM 01/10]: Netfilter IPsec output hooks Patrick McHardy
2006-01-07 1:09 ` [IPV6 02/10]: Move nextheader offset to the IP6CB Patrick McHardy
2006-01-07 1:09 ` [IPV4/6 03/10]: Netfilter IPsec input hooks Patrick McHardy
2006-01-07 1:09 ` [IPV4 04/10]: reset IPCB flags when neccessary Patrick McHardy
2006-01-07 1:09 ` [NETFILTER 05/10]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder Patrick McHardy
2006-01-07 1:09 ` Patrick McHardy [this message]
2006-01-07 1:09 ` [NETFILTER 07/10]: Redo policy lookups after NAT when neccessary Patrick McHardy
2006-01-07 1:09 ` [NETFILTER 08/10]: Keep conntrack reference until IPsec policy checks are done Patrick McHardy
2006-01-07 1:09 ` [NETFILTER 09/10]: Handle NAT in IPsec policy checks Patrick McHardy
2006-01-07 1:09 ` [NETFILTER 10/10]: Add ipt_policy/ip6t_policy matches Patrick McHardy
2006-01-07 2:21 ` [NETFILTER 00/10]: Netfilter IPsec support YOSHIFUJI Hideaki / 吉藤英明
2006-01-07 2:29 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060107010903.8712.43394.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.