# This is a BitKeeper generated diff -Nru style patch. # # ChangeSet # 2004/11/27 13:35:38+01:00 kaber@coreworks.de # [NETFILTER]: Verify NAT manips have been applied before reversing them in icmp_reply_translation # # ICMP errors may be generated for packets that don't have # all NAT manips applied yet. Verify manips have been applied # before reversing them. # # Signed-off-by: Patrick McHardy # # net/ipv4/netfilter/ip_nat_core.c # 2004/11/27 13:35:30+01:00 kaber@coreworks.de +36 -0 # [NETFILTER]: Verify NAT manips have been applied before reversing them in icmp_reply_translation # # ICMP errors may be generated for packets that don't have # all NAT manips applied yet. Verify manips have been applied # before reversing them. # # Signed-off-by: Patrick McHardy # # net/ipv4/netfilter/ip_conntrack_standalone.c # 2004/11/27 13:35:30+01:00 kaber@coreworks.de +1 -0 # [NETFILTER]: Verify NAT manips have been applied before reversing them in icmp_reply_translation # # ICMP errors may be generated for packets that don't have # all NAT manips applied yet. Verify manips have been applied # before reversing them. # # Signed-off-by: Patrick McHardy # diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c --- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-11-28 21:36:55 +01:00 +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-11-28 21:36:55 +01:00 @@ -882,6 +882,7 @@ EXPORT_SYMBOL(ip_conntrack_protocol_register); EXPORT_SYMBOL(ip_conntrack_protocol_unregister); +EXPORT_SYMBOL(ip_ct_get_tuple); EXPORT_SYMBOL(invert_tuplepr); EXPORT_SYMBOL(ip_conntrack_alter_reply); EXPORT_SYMBOL(ip_conntrack_destroyed); diff -Nru a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c --- a/net/ipv4/netfilter/ip_nat_core.c 2004-11-28 21:36:55 +01:00 +++ b/net/ipv4/netfilter/ip_nat_core.c 2004-11-28 21:36:55 +01:00 
@@ -813,6 +813,23 @@ /* not reached */ } +static inline int tuple_src_equal_dst(const struct ip_conntrack_tuple *t1, + const struct ip_conntrack_tuple *t2) +{ + if (t1->dst.protonum != t2->dst.protonum || t1->src.ip != t2->dst.ip) + return 0; + if (t1->dst.protonum != IPPROTO_ICMP) + return t1->src.u.all == t2->dst.u.all; + else { + struct ip_conntrack_tuple inv; + + /* ICMP tuples are asymetric */ + invert_tuplepr(&inv, t1); + return inv.src.u.all == t2->src.u.all && + inv.dst.u.all == t2->dst.u.all; + } +} + int icmp_reply_translation(struct sk_buff **pskb, struct ip_conntrack *conntrack, @@ -825,6 +842,7 @@ } *inside; unsigned int i; struct ip_nat_info *info = &conntrack->nat.info; + struct ip_conntrack_tuple *cttuple, innertuple; int hdrlen; if (!skb_ip_make_writable(pskb,(*pskb)->nh.iph->ihl*4+sizeof(*inside))) @@ -868,6 +886,13 @@ such addresses are not too uncommon, as Alan Cox points out) */ + if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 + + sizeof(struct icmphdr) + inside->ip.ihl*4, + &innertuple, + ip_ct_find_proto(inside->ip.protocol))) + return 0; + cttuple = &conntrack->tuplehash[dir].tuple; + READ_LOCK(&ip_nat_lock); for (i = 0; i < info->num_manips; i++) { DEBUGP("icmp_reply: manip %u dir %s hook %u\n", @@ -890,6 +915,17 @@ if (info->manips[i].hooknum != hooknum) continue; + + /* ICMP errors may be generated locally for packets that + * don't have all NAT manips applied yet. Verify manips + * have been applied before reversing them */ + if (info->manips[i].maniptype == IP_NAT_MANIP_SRC) { + if (!tuple_src_equal_dst(cttuple, &innertuple)) + continue; + } else { + if (!tuple_src_equal_dst(&innertuple, cttuple)) + continue; + } DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n", info->manips[i].maniptype == IP_NAT_MANIP_SRC
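Review bot: The new helper `tuple_src_equal_dst` carries no comment stating what it answers, and a reader has to reconstruct from its call sites (in a later hunk) that it decides whether t1's source side already appears as t2's destination side, i.e. whether a source manip on the conntrack tuple is already reflected in the packet embedded in the ICMP error; a header such as `/* Non-zero when t1's source (ip + proto id) matches t2's destination. ICMP tuples carry the id on src and type/code on dst, so t1 is inverted first. */` would let the SRC/DST branches of the caller read directly. The comment `/* ICMP tuples are asymetric */` has a typo, `asymmetric`. The ICMP branch compares both `src.u.all` and `dst.u.all` of the inverted tuple against t2 while the non-ICMP branch compares a single `u.all` value; that looks intentional given the type/code-vs-id layout, but it should be stated in the comment so the asymmetry is not "fixed" later. The signature of icmp_reply_translation at the end of the hunk continues outside it.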
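Review bot: `struct ip_conntrack_tuple *cttuple, innertuple;` declares a pointer and a full struct object in one declarator list, which is easy to misread as two pointers; splitting it into `struct ip_conntrack_tuple *cttuple;` and `struct ip_conntrack_tuple innertuple;` avoids that. The enclosing icmp_reply_translation starts and ends outside this hunk.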
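Review bot: The early `return 0;` after a failed `ip_ct_get_tuple()` is undocumented, and since the existing `skb_ip_make_writable()` failure just above the hunk also returns 0, 0 presumably tells the caller to drop the packet; the comment should say so and say why dropping is right here, e.g. `/* conntrack already parsed this inner header to classify the error; failing now means the packet is inconsistent, so drop it */` — a reviewer should confirm that classification actually happened on the same header before relying on it. The call passes `ip_ct_find_proto(inside->ip.protocol)` straight into `ip_ct_get_tuple()` with no NULL check; if that helper falls back to a generic protocol for unknown numbers this is fine, but it is worth confirming since the pointer is dereferenced. `cttuple = &conntrack->tuplehash[dir].tuple;` deserves a one-line comment that this is the conntrack tuple in direction `dir`, which is what the SRC/DST comparisons in the next hunk are oriented against. The enclosing function starts and ends outside this hunk.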