# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/02/16 00:50:24+01:00 kaber@trash.net
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/xfrm4_tunnel.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +1 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/xfrm4_input.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +1 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/ipcomp.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +1 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/ip_output.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +22 -4
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/ip_forward.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +4 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/esp4.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +1 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# net/ipv4/ah4.c
# 2004/02/16 00:50:18+01:00 kaber@trash.net +1 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
# include/net/ip.h
# 2004/02/16 00:50:18+01:00 kaber@trash.net +1 -0
# Make packets visible to POST_ROUTING before encryption and LOCAL_OUT
# afterwards, reset netfilter fields before re-posting packet into the
# stack on reception.
#
diff -Nru a/include/net/ip.h b/include/net/ip.h
--- a/include/net/ip.h Mon Feb 16 02:13:07 2004
+++ b/include/net/ip.h Mon Feb 16 02:13:07 2004
@@ -48,6 +48,7 @@
 #define IPSKB_TRANSLATED 2
 #define IPSKB_FORWARDED 4
 #define IPSKB_XFRM_TUNNEL_SIZE 8
+#define IPSKB_XFRM_TRANSFORMED 16
 };
 struct ipcm_cookie
diff -Nru a/net/ipv4/ah4.c b/net/ipv4/ah4.c
--- a/net/ipv4/ah4.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/ah4.c Mon Feb 16 02:13:07 2004
@@ -137,6 +137,7 @@
 ip_send_check(top_iph);
 skb->nh.raw = skb->data;
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
 x->curlft.bytes += skb->len;
 x->curlft.packets++;
diff -Nru a/net/ipv4/esp4.c b/net/ipv4/esp4.c
--- a/net/ipv4/esp4.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/esp4.c Mon Feb 16 02:13:07 2004
@@ -191,6 +191,7 @@
 ip_send_check(top_iph);
 skb->nh.raw = skb->data;
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
 x->curlft.bytes += skb->len;
 x->curlft.packets++;
diff -Nru a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
--- a/net/ipv4/ip_forward.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/ip_forward.c Mon Feb 16 02:13:07 2004
@@ -51,6 +51,10 @@
 if (unlikely(opt->optlen))
 ip_forward_options(skb);
+ if (skb->dst->xfrm != NULL)
+ return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output);
+
 return dst_output(skb);
 }
diff -Nru a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/ip_output.c Mon Feb 16 02:13:07 2004
@@ -122,6 +122,14 @@
 return ttl;
 }
+static inline int ip_dst_output(struct sk_buff *skb)
+{
+ if (skb->dst->xfrm != NULL)
+ return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output);
+ return dst_output(skb);
+}
+
 /*
 * Add an ip header to a skbuff and send it out.
 *
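Review bot: In the ip_forward.c hunk, POST_ROUTING hooks now run on the cleartext packet while `skb->dst->xfrm` is already attached, so a hook that rewrites addresses there (source NAT, for example) changes the packet after the transform bundle was chosen, and nothing in the visible lines repeats the lookup before `dst_output` applies it. The new `ip_dst_output()` in ip_output.c has the same shape. If that is intended, I would say so above both sites, e.g. `/* dst->xfrm was selected for the pre-POST_ROUTING addresses; hooks that rewrite them must re-route */`; otherwise the packet may end up protected under an SA whose selector it no longer matches (inferred, the policy lookup is outside this diff). The two copies of the `xfrm != NULL` test could also share one helper instead of being open-coded in ip_forward.c. The enclosing function in ip_forward.c starts above the hunk.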
@@ -164,7 +172,7 @@
 /* Send it out. */
 return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
 }
 static inline int ip_finish_output2(struct sk_buff *skb)
@@ -282,7 +290,7 @@
 return ip_finish_output(skb);
 }
-int ip_output(struct sk_buff *skb)
+static inline int ip_output2(struct sk_buff *skb)
 {
 IP_INC_STATS(IpOutRequests);
@@ -293,6 +301,16 @@
 return ip_finish_output(skb);
 }
+int ip_output(struct sk_buff *skb)
+{
+ if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) {
+ nf_reset(skb);
+ return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ip_output2);
+ }
+ return ip_output2(skb);
+}
+
 int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
 {
 struct sock *sk = skb->sk;
@@ -386,7 +404,7 @@
 skb->priority = sk->sk_priority;
 return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
 no_route:
 IP_INC_STATS(IpOutNoRoutes);
@@ -1165,7 +1183,7 @@
 /* Netfilter gets whole the not fragmented skb. */
 err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip_dst_output);
 if (err) {
 if (err > 0)
 err = inet->recverr ? net_xmit_errno(err) : 0;
diff -Nru a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
--- a/net/ipv4/ipcomp.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/ipcomp.c Mon Feb 16 02:13:07 2004
@@ -223,6 +223,7 @@
 skb->nh.raw = skb->data;
 out_ok:
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
 x->curlft.bytes += skb->len;
 x->curlft.packets++;
 spin_unlock_bh(&x->lock);
diff -Nru a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
--- a/net/ipv4/xfrm4_input.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/xfrm4_input.c Mon Feb 16 02:13:07 2004
@@ -130,6 +130,7 @@
 dst_release(skb->dst);
 skb->dst = NULL;
 }
+ nf_reset(skb);
 netif_rx(skb);
 return 0;
 } else {
diff -Nru a/net/ipv4/xfrm4_tunnel.c b/net/ipv4/xfrm4_tunnel.c
--- a/net/ipv4/xfrm4_tunnel.c Mon Feb 16 02:13:07 2004
+++ b/net/ipv4/xfrm4_tunnel.c Mon Feb 16 02:13:07 2004
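Review bot: In the new `ip_output()` (ip_output.c, hunk at -293), `IPSKB_XFRM_TRANSFORMED` is tested but never cleared, and none of the hunks that set it (ah4.c, esp4.c, ipcomp.c, xfrm4_tunnel.c) clears it either. If the control block survives into another pass through `ip_output()` (not visible here, so to be confirmed), the packet would get a second `nf_reset()` and another LOCAL_OUT traversal. Clearing the bit before the hook makes the extra pass one-shot: `IPCB(skb)->flags &= ~IPSKB_XFRM_TRANSFORMED;`. A comment on the function should also state that transformed packets coming from the forward path presumably reach LOCAL_OUT this way too, because rule sets written for locally generated traffic will start seeing them.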
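Review bot: In the ipcomp.c hunk the flag is set after the `out_ok:` label rather than before it, so every path that jumps to `out_ok` marks the packet as transformed. If any of those jumps skips compression (they are outside the hunk, so this is inferred), an unchanged packet still gets `nf_reset()` and a second LOCAL_OUT pass in `ip_output()`. If only modified packets should be shown to the hook again, move the line above the label, directly after `skb->nh.raw = skb->data;`. If marking every packet is intended, a one-line comment at the label should record that.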
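Review bot: In the xfrm4_input.c hunk, `nf_reset(skb)` is added only on the branch that re-posts the packet with `netif_rx()`; the `else` branch that opens on the hunk's last line gets no equivalent, so on that path netfilter apparently never sees the decrypted packet, while the output side now shows both forms. After the reset the decapsulated packet re-enters the stack looking like any cleartext arrival, so filter rules need some other way to tell that it was protected. I would document both facts at this call, e.g. `/* drop netfilter state of the encapsulated packet; hooks see the inner packet as a fresh arrival */`, and state which fields `nf_reset()` leaves intact, since its definition is not part of this diff. The enclosing function starts and ends outside the hunk.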
@@ -66,6 +66,7 @@
 ip_send_check(top_iph);
 skb->nh.raw = skb->data;
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
 x->curlft.bytes += skb->len;
 x->curlft.packets++;