From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 46/53] netfilter: don't attach a nat extension by default
Date: Mon, 1 May 2017 12:47:13 +0200 [thread overview]
Message-ID: <1493635640-24325-47-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1493635640-24325-1-git-send-email-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
nowadays the NAT extension only stores the interface index
(used to purge connections that got masqueraded when interface goes down)
and pptp nat information.
Previous patches moved nf_ct_nat_ext_add to those places that need it.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_nat.h | 2 +-
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 4 +---
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 +---
net/netfilter/nf_nat_core.c | 6 ------
4 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index c327a431a6f3..05c82a1a4267 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -67,7 +67,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
{
#if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \
IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
- return nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
+ return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&
nat->masq_index != out->ifindex;
#else
diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
index e3bfa6a169f0..feedd759ca80 100644
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -264,9 +264,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb,
if (!ct)
return NF_ACCEPT;
- nat = nf_ct_nat_ext_add(ct);
- if (nat == NULL)
- return NF_ACCEPT;
+ nat = nfct_nat(ct);
switch (ctinfo) {
case IP_CT_RELATED:
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 922b5aef273c..bf3ad3e7b647 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -273,9 +273,7 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
if (!ct)
return NF_ACCEPT;
- nat = nf_ct_nat_ext_add(ct);
- if (nat == NULL)
- return NF_ACCEPT;
+ nat = nfct_nat(ct);
switch (ctinfo) {
case IP_CT_RELATED:
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 86eeacbb4793..ec9e6d8101b9 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -408,12 +408,6 @@ nf_nat_setup_info(struct nf_conn *ct,
enum nf_nat_manip_type maniptype)
{
struct nf_conntrack_tuple curr_tuple, new_tuple;
- struct nf_conn_nat *nat;
-
- /* nat helper or nfctnetlink also setup binding */
- nat = nf_ct_nat_ext_add(ct);
- if (nat == NULL)
- return NF_ACCEPT;
NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
maniptype == NF_NAT_MANIP_DST);
--
2.1.4
next prev parent reply other threads:[~2017-05-01 10:47 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-01 10:46 [PATCH 00/53] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 01/53] netfilter: ipvs: don't check for presence of nat extension Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 02/53] netfilter: ipvs: Replace kzalloc with kcalloc Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 03/53] ipvs: remove unused variable Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 04/53] netfilter: nf_tables: add nft_is_base_chain() helper Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 05/53] netfilter: expect: Make sure the max_expected limit is effective Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 06/53] netfilter: nf_ct_expect: Add nf_ct_remove_expect() Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 07/53] netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 08/53] netfilter: nat: avoid use of nf_conn_nat extension Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 09/53] netfilter: ctnetlink: Expectations must have a conntrack helper area Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 10/53] netfilter: Add nfnl_msg_type() helper function Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 11/53] netfilter: Remove unnecessary cast on void pointer Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 12/53] netfilter: Use seq_puts()/seq_putc() where possible Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 13/53] net: netfilter: Use list_{next/prev}_entry instead of list_entry Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 14/53] netfilter: Remove exceptional & on function name Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 15/53] netfilter: ip6_tables: Remove unneccessary comments Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 16/53] netfilter: udplite: Remove duplicated udplite4/6 declaration Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 17/53] netfilter: nat: remove rcu_read_lock in __nf_nat_decode_session Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 18/53] netfilter: nf_tables: remove double return statement Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 19/53] netfilter: nf_conntrack: remove double assignment Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 20/53] ipset: remove unused function __ip_set_get_netlink Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 21/53] netfilter: nf_nat: Fix return NF_DROP in nfnetlink_parse_nat_setup Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 22/53] netfilter: ecache: Refine the nf_ct_deliver_cached_events Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 23/53] netfilter: kill the fake untracked conntrack objects Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 24/53] netfilter: remove nf_ct_is_untracked Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 25/53] netfilter: nft_ct: allow to set ctnetlink event types of a connection Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 26/53] netfilter: conntrack: move helper struct to nf_conntrack_helper.h Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 27/53] netfilter: helper: add build-time asserts for helper data size Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 28/53] netfilter: nfnetlink_cthelper: reject too large userspace allocation requests Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 29/53] netfilter: helpers: remove data_len usage for inkernel helpers Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 30/53] netfilter: remove last traces of variable-sized extensions Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 31/53] netfilter: conntrack: use u8 for extension sizes again Pablo Neira Ayuso
2017-05-01 10:46 ` [PATCH 32/53] netfilter: allow early drop of assured conntracks Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 33/53] nefilter: eache: reduce struct size from 32 to 24 byte Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 34/53] netfilter: ipvs: fix incorrect conflict resolution Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 35/53] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14 Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 36/53] netfilter: synproxy: only register hooks when needed Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 37/53] ipvs: convert to use pernet nf_hook api Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 38/53] netfilter: decnet: only register hooks in init namespace Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 39/53] ebtables: remove nf_hook_register usage Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 40/53] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 41/53] netfilter: conntrack: remove prealloc support Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 42/53] netfilter: conntrack: mark extension structs as const Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 43/53] netfilter: conntrack: handle initial extension alloc via krealloc Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 44/53] netfilter: masquerade: attach nat extension if not present Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 45/53] netfilter: pptp: attach nat extension when needed Pablo Neira Ayuso
2017-05-01 10:47 ` Pablo Neira Ayuso [this message]
2017-05-01 10:47 ` [PATCH 47/53] ipvs: remove unused function ip_vs_set_state_timeout Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 48/53] ipvs: change comparison on sync_refresh_period Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 49/53] netfilter: batch synchronize_net calls during hook unregister Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 50/53] netfilter: nf_log: don't call synchronize_rcu in nf_log_unset Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 51/53] netfilter: nf_queue: only call synchronize_net twice if nf_queue is active Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 52/53] netfilter: snmp: avoid stack size warning Pablo Neira Ayuso
2017-05-01 10:47 ` [PATCH 53/53] netfilter: nf_ct_ext: invoke destroy even when ext is not attached Pablo Neira Ayuso
2017-05-01 10:53 ` [PATCH 00/53] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2017-05-01 14:48 ` David Miller
2017-05-01 14:47 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493635640-24325-47-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).