Skip to content

Commit 4e8e9de

Browse files
kaberDavid S. Miller
kaber
authored and
David S. Miller
committed
[NETFILTER]: Use conntrack information to determine if packet was NATed
Preparation for IPsec support for NAT: Use conntrack information instead of saving the saving and comparing the addresses to determine if a packet was NATed and needs to be rerouted to make it easier to extend the key. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 3e3850e commit 4e8e9de

File tree

1 file changed

+19
-15
lines changed

1 file changed

+19
-15
lines changed

net/ipv4/netfilter/ip_nat_standalone.c

Lines changed: 19 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -162,18 +162,20 @@ ip_nat_in(unsigned int hooknum,
162162
const struct net_device *out,
163163
int (*okfn)(struct sk_buff *))
164164
{
165-
u_int32_t saddr, daddr;
165+
struct ip_conntrack *ct;
166+
enum ip_conntrack_info ctinfo;
166167
unsigned int ret;
167168

168-
saddr = (*pskb)->nh.iph->saddr;
169-
daddr = (*pskb)->nh.iph->daddr;
170-
171169
ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
172170
if (ret != NF_DROP && ret != NF_STOLEN
173-
&& ((*pskb)->nh.iph->saddr != saddr
174-
|| (*pskb)->nh.iph->daddr != daddr)) {
175-
dst_release((*pskb)->dst);
176-
(*pskb)->dst = NULL;
171+
&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
172+
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
173+
174+
if (ct->tuplehash[dir].tuple.src.ip !=
175+
ct->tuplehash[!dir].tuple.dst.ip) {
176+
dst_release((*pskb)->dst);
177+
(*pskb)->dst = NULL;
178+
}
177179
}
178180
return ret;
179181
}
@@ -200,22 +202,24 @@ ip_nat_local_fn(unsigned int hooknum,
200202
const struct net_device *out,
201203
int (*okfn)(struct sk_buff *))
202204
{
203-
u_int32_t saddr, daddr;
205+
struct ip_conntrack *ct;
206+
enum ip_conntrack_info ctinfo;
204207
unsigned int ret;
205208

206209
/* root is playing with raw sockets. */
207210
if ((*pskb)->len < sizeof(struct iphdr)
208211
|| (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
209212
return NF_ACCEPT;
210213

211-
saddr = (*pskb)->nh.iph->saddr;
212-
daddr = (*pskb)->nh.iph->daddr;
213-
214214
ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
215215
if (ret != NF_DROP && ret != NF_STOLEN
216-
&& ((*pskb)->nh.iph->saddr != saddr
217-
|| (*pskb)->nh.iph->daddr != daddr))
218-
return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
216+
&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
217+
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
218+
219+
if (ct->tuplehash[dir].tuple.dst.ip !=
220+
ct->tuplehash[!dir].tuple.src.ip)
221+
return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
222+
}
219223
return ret;
220224
}
221225

0 commit comments

Comments
 (0)