===== net/ipv4/ah4.c 1.29 vs edited =====
--- 1.29/net/ipv4/ah4.c Sat Jan 24 19:08:48 2004
+++ edited/net/ipv4/ah4.c Sat Jan 31 16:26:44 2004
@@ -6,6 +6,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
@@ -54,6 +56,11 @@
 return 0;
 }
+static inline int ah_finish_output(struct sk_buff *skb)
+{
+ return NET_XMIT_BYPASS;
+}
+
 static int ah_output(struct sk_buff *skb)
 {
 int err;
@@ -144,6 +151,18 @@
 if ((skb->dst = dst_pop(dst)) == NULL) {
 err = -EHOSTUNREACH;
 goto error_nolock;
+ }
+ /* final packet goes through LOCAL_OUT hook */
+ if (skb->dst->xfrm == NULL) {
+#ifdef CONFIG_NETFILTER
+ nf_conntrack_put(skb->nfct);
+ skb->nfct = NULL;
+#ifdef CONFIG_NETFILTER_DEBUG
+ skb->nf_debug = 0;
+#endif
+#endif
+ return NF_HOOK(AF_INET, NF_IP_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ah_finish_output);
 }
 return NET_XMIT_BYPASS;
===== net/ipv4/esp4.c 1.35 vs edited =====
--- 1.35/net/ipv4/esp4.c Mon Aug 18 13:14:38 2003
+++ edited/net/ipv4/esp4.c Sat Jan 31 16:26:33 2004
@@ -8,6 +8,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
@@ -20,6 +22,11 @@
 __u8 proto;
 };
+static inline int esp_finish_output(struct sk_buff *skb)
+{
+ return NET_XMIT_BYPASS;
+}
+
 int esp_output(struct sk_buff *skb)
 {
 int err;
@@ -198,6 +205,18 @@
 if ((skb->dst = dst_pop(dst)) == NULL) {
 err = -EHOSTUNREACH;
 goto error_nolock;
+ }
+ /* final packet goes through LOCAL_OUT hook */
+ if (skb->dst->xfrm == NULL) {
+#ifdef CONFIG_NETFILTER
+ nf_conntrack_put(skb->nfct);
+ skb->nfct = NULL;
+#ifdef CONFIG_NETFILTER_DEBUG
+ skb->nf_debug = 0;
+#endif
+#endif
+ return NF_HOOK(AF_INET, NF_IP_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, esp_finish_output);
 }
 return NET_XMIT_BYPASS;
===== net/ipv4/ip_forward.c 1.9 vs edited =====
--- 1.9/net/ipv4/ip_forward.c Sun Mar 23 11:21:28 2003
+++ edited/net/ipv4/ip_forward.c Sat Jan 31 16:27:11 2004
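Review bot: In the third hunk of net/ipv4/ah4.c the continuation handed to NF_HOOK, `ah_finish_output`, only returns NET_XMIT_BYPASS and neither transmits nor frees the skb, so the packet is sent only when a LOCAL_OUT hook gives its verdict synchronously and that value travels back through ah_output to its caller. If a hook defers the verdict (queues the packet), the continuation would presumably be invoked later from netfilter's reinjection path, which is outside this diff, and the already-transformed packet would then be neither sent nor released. A continuation that carries on with output itself, for example `return dst_output(skb);`, would not depend on who calls it. The third hunk of net/ipv4/esp4.c has the same construct with `esp_finish_output`. The body of ah_output starts and ends outside the hunk, so the caller's handling of the return value could not be checked here.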
@@ -51,6 +51,10 @@
 if (unlikely(opt->optlen))
 ip_forward_options(skb);
+ if (skb->dst->xfrm != NULL)
+ return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
+ dst_output);
+
 return dst_output(skb);
 }
===== net/ipv4/ip_output.c 1.48 vs edited =====
--- 1.48/net/ipv4/ip_output.c Wed Dec 17 21:06:18 2003
+++ edited/net/ipv4/ip_output.c Sat Jan 31 16:27:22 2004
@@ -122,6 +122,14 @@
 return ttl;
 }
+static inline int ip_dst_output(struct sk_buff *skb)
+{
+ if (skb->dst->xfrm != NULL)
+ return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output);
+ return dst_output(skb);
+}
+
 /*
 * Add an ip header to a skbuff and send it out.
 *
@@ -164,7 +172,7 @@
 /* Send it out. */
 return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
 }
 static inline int ip_finish_output2(struct sk_buff *skb)
@@ -386,7 +394,7 @@
 skb->priority = sk->sk_priority;
 return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
 no_route:
 IP_INC_STATS(IpOutNoRoutes);
@@ -1164,7 +1172,7 @@
 /* Netfilter gets whole the not fragmented skb. */
 err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip_dst_output);
 if (err) {
 if (err > 0)
 err = inet->recverr ? net_xmit_errno(err) : 0;
===== net/ipv4/xfrm4_input.c 1.9 vs edited =====
--- 1.9/net/ipv4/xfrm4_input.c Fri Aug 8 06:17:15 2003
+++ edited/net/ipv4/xfrm4_input.c Sat Jan 31 14:23:52 2004
@@ -130,6 +130,13 @@
 dst_release(skb->dst);
 skb->dst = NULL;
 }
+#ifdef CONFIG_NETFILTER
+ nf_conntrack_put(skb->nfct);
+ skb->nfct = NULL;
+#ifdef CONFIG_NETFILTER_DEBUG
+ skb->nf_debug = 0;
+#endif
+#endif
 netif_rx(skb);
 return 0;
 } else {
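Review bot: In net/ipv4/ip_forward.c the added POST_ROUTING call runs on the cleartext packet after `skb->dst`, and with it the xfrm bundle, has already been chosen, and nothing after the hook re-checks that choice. If a POST_ROUTING hook rewrites addresses or ports (source NAT is the usual case), the packet would still be transformed under the policy selected for the pre-rewrite flow, which may not be the policy that matches what is actually sent. Either redo the policy lookup when the hook changed the flow key, or state next to the call that rewriting IPsec-bound traffic at this hook is unsupported, e.g. `/* NAT here does not re-select the xfrm policy */`. The same applies to `ip_dst_output` in net/ipv4/ip_output.c. Only the tail of the enclosing function is visible in the hunk.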
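Review bot: `ip_dst_output` in the first hunk of net/ipv4/ip_output.c has no comment, and what it changes for anyone writing filter rules is not obvious from the code. A packet bound for a transform now passes LOCAL_OUT, then POST_ROUTING in cleartext, and is handed to LOCAL_OUT a second time by ah_output/esp_output once transformed; forwarded packets that get transformed reach LOCAL_OUT by the same route. I would add above the helper `/* Cleartext pass through POST_ROUTING before an IPsec transform; the transformed packet re-enters LOCAL_OUT from ah_output()/esp_output(). */`. The helper also repeats the test that net/ipv4/ip_forward.c open-codes; because it is `static inline` in this file, moving it to a shared header would let both callers use one copy.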
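Review bot: The conntrack reset block added in net/ipv4/xfrm4_input.c is the third verbatim copy in this patch (the others are in ah_output and esp_output), each carrying its own nested `#ifdef CONFIG_NETFILTER` / `CONFIG_NETFILTER_DEBUG`. One inline helper in a netfilter header, compiled to nothing when CONFIG_NETFILTER is off, would keep the three sites in step and take the preprocessor blocks out of the function bodies; each site then becomes a single call such as `nf_reset(skb);` (name is a suggestion). The block also deserves a one-line reason, e.g. `/* decapsulated packet must be tracked as a new packet, not under the outer entry */`. The enclosing function starts and ends outside the hunk.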