[NETFILTER 14/13]: Fix NAT PMTUD problems

[NETFILTER 14/13]: Fix NAT PMTUD problems

[Patrick McHardy]

[-- Attachment #1: 14.diff --]
[-- Type: text/x-patch, Size: 2386 bytes --]

[NETFILTER]: Fix NAT PMTUD problems

ICMP errors are only SNATed when their source matches the source of the
connection they are related to, otherwise the source address is not
changed. This creates problems with ICMP frag. required messages
originating from a router behind the NAT, if private IPs are used the
packet has a good change of getting dropped on the path to its destination.

Always NAT ICMP errors similar to the original connection.

Based on report by Al Viro.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit d8f2c4c9001e94af39643c14106c0bc7a659067b
tree 2856a88ee436733e0a8f4491d1a3a6ec6235db90
parent 0d101f9f648b51101f3c4ba4ba39b76b4a3e12c8
author Patrick McHardy <kaber@trash.net> Fri, 17 Feb 2006 16:13:25 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Feb 2006 16:13:25 +0100

 net/ipv4/netfilter/ip_nat_core.c |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index c1a6146..1741d55 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -434,6 +434,7 @@ int ip_nat_icmp_reply_translation(struct
 	} *inside;
 	struct ip_conntrack_tuple inner, target;
 	int hdrlen = (*pskb)->nh.iph->ihl * 4;
+	unsigned long statusbit;
 
 	if (!skb_make_writable(pskb, hdrlen + sizeof(*inside)))
 		return 0;
@@ -495,17 +496,16 @@ int ip_nat_icmp_reply_translation(struct
 
 	/* Change outer to look the reply to an incoming packet
 	 * (proto 0 means don't invert per-proto part). */
+	if (manip == IP_NAT_MANIP_SRC)
+		statusbit = IPS_SRC_NAT;
+	else
+		statusbit = IPS_DST_NAT;
+
+	/* Invert if this is reply dir. */
+	if (dir == IP_CT_DIR_REPLY)
+		statusbit ^= IPS_NAT_MASK;
 
-	/* Obviously, we need to NAT destination IP, but source IP
-	   should be NAT'ed only if it is from a NAT'd host.
-
-	   Explanation: some people use NAT for anonymizing.  Also,
-	   CERT recommends dropping all packets from private IP
-	   addresses (although ICMP errors from internal links with
-	   such addresses are not too uncommon, as Alan Cox points
-	   out) */
-	if (manip != IP_NAT_MANIP_SRC
-	    || ((*pskb)->nh.iph->saddr == ct->tuplehash[dir].tuple.src.ip)) {
+	if (ct->status & statusbit) {
 		invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
 		if (!manip_pkt(0, pskb, 0, &target, manip))
 			return 0;

Re: [NETFILTER 14/13]: Fix NAT PMTUD problems

[David S. Miller]

I think this belongs in net-2.6, is that where you want me to
put it?

Re: [NETFILTER 14/13]: Fix NAT PMTUD problems

[Patrick McHardy]

David S. Miller wrote:
> I think this belongs in net-2.6, is that where you want me to
> put it?

OK. There were enough netfilter patches touching critical spots
in the last -rc to make me feel a bit uncomfortable, which is
why I'm trying to keep it to a minimum.

Re: [NETFILTER 14/13]: Fix NAT PMTUD problems

[David S. Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sun, 19 Feb 2006 09:48:12 +0100

> David S. Miller wrote:
> > I think this belongs in net-2.6, is that where you want me to
> > put it?
> 
> OK. There were enough netfilter patches touching critical spots
> in the last -rc to make me feel a bit uncomfortable, which is
> why I'm trying to keep it to a minimum.

I've applied it.  This is just too serious a regression to
let slip into 2.6.16-final, I think.

Thanks.