[NETFILTER 00/02]: Netfilter fixes for 2.6.21

[NETFILTER 00/02]: Netfilter fixes for 2.6.21

[Patrick McHardy]

Hi Dave,

these two patches add a missing Kconfig dependency on NAT for nf_conntrack_netlink
and fix a problem with ping -I to a destination without a route in combination with
CONFIG_XFRM.

Please apply, thanks.


 net/ipv4/netfilter/ip_nat_standalone.c |   15 +++++++++------
 net/ipv4/netfilter/nf_nat_standalone.c |   14 ++++++++------
 net/netfilter/Kconfig                  |    1 +
 3 files changed, 18 insertions(+), 12 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_conntrack_netlink: add missing dependency on NF_NAT
      [NETFILTER]: nat: avoid rerouting packets if only XFRM policy key changed

[NETFILTER 01/02]: nf_conntrack_netlink: add missing dependency on NF_NAT

[Patrick McHardy]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1791 bytes --]

[NETFILTER]: nf_conntrack_netlink: add missing dependency on NF_NAT

NF_CT_NETLINK=y, NF_NAT=m results in:

 LD      .tmp_vmlinux1
 net/built-in.o: dans la fonction « nfnetlink_parse_nat_proto »:
 nf_conntrack_netlink.c:(.text+0x28db9): référence indéfinie vers « nf_nat_proto_find_get »
 nf_conntrack_netlink.c:(.text+0x28dd6): référence indéfinie vers « nf_nat_proto_put »
 net/built-in.o: dans la fonction « ctnetlink_new_conntrack »:
 nf_conntrack_netlink.c:(.text+0x29959): référence indéfinie vers « nf_nat_setup_info »
 nf_conntrack_netlink.c:(.text+0x29b35): référence indéfinie vers « nf_nat_setup_info »
 nf_conntrack_netlink.c:(.text+0x29cf7): référence indéfinie vers « nf_nat_setup_info »
 nf_conntrack_netlink.c:(.text+0x29de2): référence indéfinie vers « nf_nat_setup_info »
 make: *** [.tmp_vmlinux1] Erreur 1 

Reported by Kevin Baradon <kevin.baradon@gmail.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9b8ea8f4f4091c6e4424b46e8d56bb0366dfd3ee
tree 70c237a3e129df7366ac4a52f6efa142aa0a7d98
parent cd05a1f818073a623455a58e756c5b419fc98db9
author Patrick McHardy <kaber@trash.net> Sat, 17 Mar 2007 15:55:27 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 17 Mar 2007 15:55:27 +0100

 net/netfilter/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 253fce3..54698af 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -275,6 +275,7 @@ config NF_CT_NETLINK
 	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
 	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
 	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
+	depends on NF_NAT=n || NF_NAT
 	help
 	  This option enables support for a netlink-based userspace interface
 

[NETFILTER 02/02]: nat: avoid rerouting packets if only XFRM policy key changed

[Patrick McHardy]

[NETFILTER]: nat: avoid rerouting packets if only XFRM policy key changed

Currently NAT not only reroutes packets in the OUTPUT chain when the
routing key changed, but also if only the non-routing part of the
IPsec policy key changed. This breaks ping -I since it doesn't use
SO_BINDTODEVICE but IP_PKTINFO cmsg to specify the output device, and
this information is lost.

Only do full rerouting if the routing key changed, and just do a new
policy lookup with the old route if only the ports changed.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 3fa9a3e05bdab319a2367d4bdcabbdb1df76d0f5
tree 77a61451c8f61fc790edfb3a20bd67b2fba4aaa0
parent 9b8ea8f4f4091c6e4424b46e8d56bb0366dfd3ee
author Patrick McHardy <kaber@trash.net> Wed, 21 Mar 2007 06:17:00 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 21 Mar 2007 06:17:00 +0100

 net/ipv4/netfilter/ip_nat_standalone.c |   15 +++++++++------
 net/ipv4/netfilter/nf_nat_standalone.c |   14 ++++++++------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index adf25f9..6bcfdf6 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -253,14 +253,17 @@ ip_nat_local_fn(unsigned int hooknum,
 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
 		if (ct->tuplehash[dir].tuple.dst.ip !=
-		    ct->tuplehash[!dir].tuple.src.ip
-#ifdef CONFIG_XFRM
-		    || ct->tuplehash[dir].tuple.dst.u.all !=
-		       ct->tuplehash[!dir].tuple.src.u.all
-#endif
-		    )
+		    ct->tuplehash[!dir].tuple.src.ip) {
 			if (ip_route_me_harder(pskb, RTN_UNSPEC))
 				ret = NF_DROP;
+		}
+#ifdef CONFIG_XFRM
+		else if (ct->tuplehash[dir].tuple.dst.u.all !=
+			 ct->tuplehash[!dir].tuple.src.u.all)
+			if (ip_xfrm_me_harder(pskb))
+				ret = NF_DROP;
+#endif
+
 	}
 	return ret;
 }
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index e4d3ef1..15aa3db 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -245,14 +245,16 @@ nf_nat_local_fn(unsigned int hooknum,
 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
 		if (ct->tuplehash[dir].tuple.dst.u3.ip !=
-		    ct->tuplehash[!dir].tuple.src.u3.ip
-#ifdef CONFIG_XFRM
-		    || ct->tuplehash[dir].tuple.dst.u.all !=
-		       ct->tuplehash[!dir].tuple.src.u.all
-#endif
-		    )
+		    ct->tuplehash[!dir].tuple.src.u3.ip) {
 			if (ip_route_me_harder(pskb, RTN_UNSPEC))
 				ret = NF_DROP;
+		}
+#ifdef CONFIG_XFRM
+		else if (ct->tuplehash[dir].tuple.dst.u.all !=
+			 ct->tuplehash[!dir].tuple.src.u.all)
+			if (ip_xfrm_me_harder(pskb))
+				ret = NF_DROP;
+#endif
 	}
 	return ret;
 }

Re: [NETFILTER 00/02]: Netfilter fixes for 2.6.21

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Wed, 21 Mar 2007 06:21:44 +0100 (MET)

> Hi Dave,
> 
> these two patches add a missing Kconfig dependency on NAT for nf_conntrack_netlink
> and fix a problem with ping -I to a destination without a route in combination with
> CONFIG_XFRM.
> 
> Please apply, thanks.

Applied, thanks a lot Patrick.