From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: [NETFILTER 28/41]: nf_nat: don't add NAT extension for confirmed conntracks
Date: Mon, 14 Apr 2008 12:16:56 +0200 (MEST) [thread overview]
Message-ID: <20080414101653.32717.55084.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20080414101614.32717.35526.sendpatchset@localhost.localdomain>
[NETFILTER]: nf_nat: don't add NAT extension for confirmed conntracks
Adding extensions to confirmed conntracks is not allowed to avoid races
on reallocation. Don't setup NAT for confirmed conntracks in case NAT
module is loaded late.
The has one side-effect, the connections existing before the NAT module
was loaded won't enter the bysource hash. The only case where this actually
makes a difference is in case of SNAT to a multirange where the IP before
NAT is also part of the range. Since old connections don't enter the
bysource hash the first new connection from the IP will have a new address
selected. This shouldn't matter at all.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 6cad3b7ff5971feef96758c159ee689ab14118ee
tree 63a276412e0ff19d01bb0e97b56370caa3b66672
parent 021e7d24124820256a4789b5576bdbd1dbc1a274
author Patrick McHardy <kaber@trash.net> Mon, 14 Apr 2008 12:10:54 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 14 Apr 2008 12:10:54 +0200
include/net/netfilter/nf_nat_rule.h | 3 ---
net/ipv4/netfilter/nf_nat_rule.c | 19 -------------------
net/ipv4/netfilter/nf_nat_standalone.c | 8 ++++----
3 files changed, 4 insertions(+), 26 deletions(-)
diff --git a/include/net/netfilter/nf_nat_rule.h b/include/net/netfilter/nf_nat_rule.h
index 75d1825..e4a18ae 100644
--- a/include/net/netfilter/nf_nat_rule.h
+++ b/include/net/netfilter/nf_nat_rule.h
@@ -14,7 +14,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
extern unsigned int
alloc_null_binding(struct nf_conn *ct, unsigned int hooknum);
-
-extern unsigned int
-alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum);
#endif /* _NF_NAT_RULE_H */
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index ebe0c79..e8b4d0d 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -188,25 +188,6 @@ alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
}
-unsigned int
-alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum)
-{
- __be32 ip
- = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
- ? ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip
- : ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip);
- __be16 all
- = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
- ? ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.all
- : ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.all);
- struct nf_nat_range range
- = { IP_NAT_RANGE_MAP_IPS, ip, ip, { all }, { all } };
-
- pr_debug("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",
- ct, NIPQUAD(ip));
- return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
-}
-
int nf_nat_rule_find(struct sk_buff *skb,
unsigned int hooknum,
const struct net_device *in,
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index c362f67..a366b58 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -102,6 +102,9 @@ nf_nat_fn(unsigned int hooknum,
nat = nfct_nat(ct);
if (!nat) {
+ /* NAT module was loaded late. */
+ if (nf_ct_is_confirmed(ct))
+ return NF_ACCEPT;
nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
if (nat == NULL) {
pr_debug("failed to add NAT extension\n");
@@ -127,10 +130,7 @@ nf_nat_fn(unsigned int hooknum,
if (!nf_nat_initialized(ct, maniptype)) {
unsigned int ret;
- if (unlikely(nf_ct_is_confirmed(ct)))
- /* NAT module was loaded late */
- ret = alloc_null_binding_confirmed(ct, hooknum);
- else if (hooknum == NF_INET_LOCAL_IN)
+ if (hooknum == NF_INET_LOCAL_IN)
/* LOCAL_IN hook doesn't have a chain! */
ret = alloc_null_binding(ct, hooknum);
else
next prev parent reply other threads:[~2008-04-14 10:16 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-14 10:16 [NETFILTER 00/41]: Netfilter Update Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 01/41]: nf_conntrack: less hairy ifdefs around proc and sysctl Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 02/41]: {ip,ip6}t_LOG: print MARK value in log output Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 03/41]: ip_tables: per-netns FILTER/MANGLE/RAW tables for real Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 04/41]: bridge netfilter: use non-deprecated __RW_LOCK_UNLOCKED macro Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 05/41]: Use " Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 06/41]: xt_sctp: simplify xt_sctp.h Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 07/41]: annotate xtables targets with const and remove casts Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 08/41]: annotate {arp,ip,ip6,x}tables with const Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 09/41]: annotate rest of nf_conntrack_* " Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 10/41]: annotate rest of nf_nat_* " Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 11/41]: remove arpt_table indirection macro Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 12/41]: remove arpt_target " Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 13/41]: remove arpt_(un)register_target indirection macros Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 14/41]: Explicitly initialize .priority in arptable_filter Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 15/41]: nf_conntrack_sip: clear address in parse_addr() Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 16/41]: {ip,ip6,arp}_tables: return EAGAIN for invalid SO_GET_ENTRIES size Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 17/41]: nf_nat: add helpers for common NAT protocol operations Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 18/41]: nf_nat: fix random mode not to overwrite port rover Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 19/41]: nf_nat: move NAT ctnetlink helpers to nf_nat_proto_common Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 20/41]: nf_conntrack_netlink: clean up NAT protocol parsing Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 21/41]: nf_nat: remove unused name from struct nf_nat_protocol Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 22/41]: nf_nat: add UDP-Lite support Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 23/41]: Add partial checksum validation helper Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 24/41]: nf_conntrack: add DCCP protocol support Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 25/41]: nf_nat: " Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 26/41]: nf_nat: add SCTP " Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 27/41]: nf_nat: remove obsolete check for ICMP redirects Patrick McHardy
2008-04-14 10:16 ` Patrick McHardy [this message]
2008-04-14 10:16 ` [NETFILTER 29/41]: nf_conntrack_extend: warn on confirmed conntracks Patrick McHardy
2008-04-14 10:16 ` [NETFILTER 30/41]: nf_nat: kill helper and seq_adjust hooks Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 31/41]: nf_conntrack_tcp: catch invalid state updates over ctnetlink Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 32/41]: nf_conntrack: add tuplehash l3num/protonum accessors Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 33/41]: Remove unused callbacks in nf_conntrack_l3proto Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 34/41]: nf_conntrack: use bool type in struct nf_conntrack_l3proto Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 35/41]: nf_conntrack: use bool type in struct nf_conntrack_l4proto Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 36/41]: nf_conntrack: use bool type in struct nf_conntrack_tuple.h Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 37/41]: nf_nat: use bool type in nf_nat_proto Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 38/41]: nf_conntrack: const annotations in nf_conntrack_sctp, nf_nat_proto_gre Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 39/41]: nf_conntrack: replace NF_CT_DUMP_TUPLE macro indrection by function call Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 40/41]: bridge: add ebt_nflog watcher Patrick McHardy
2008-04-14 10:17 ` [NETFILTER 41/41]: nf_conntrack: fix incorrect check for expectations Patrick McHardy
2008-04-14 11:03 ` [NETFILTER 00/41]: Netfilter Update David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080414101653.32717.55084.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.