Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

netfilter: nf_nat: Also handle non-ESTABLISHED routing changes in MASQUERADE

Since (a0ecb85 netfilter: nf_nat: Handle routing changes in MASQUERADE
target), the MASQUERADE target handles routing changes which affect
the output interface of a connection, but only for ESTABLISHED
connections.  It is also possible for NEW connections which
already have a conntrack entry to be affected by routing changes.

This adds a check to drop entries in the NEW+conntrack state
when the oif has changed.

Signed-off-by: Andrew Collins <bsderandrew@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Andrew Collins 12 years ago
parent
c6f408996c
commit
c65ef8dc7b
2 changed files with 20 additions and 10 deletions
Split View Show Diff Stats
  1. 10 5
      net/ipv4/netfilter/iptable_nat.c
  2. 10 5
      net/ipv6/netfilter/ip6table_nat.c

+ 10 - 5
net/ipv4/netfilter/iptable_nat.c
View File 

@@ -124,23 +124,28 @@ nf_nat_ipv4_fn(unsigned int hooknum,
 
 			ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
 
 			if (ret != NF_ACCEPT)
 
 				return ret;
 
-		} else
 
+		} else {
 
 			pr_debug("Already setup manip %s for ct %p\n",
 
 				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
 
 				 ct);
 
+			if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
 
+				goto oif_changed;
 
+		}
 
 		break;
 
 
 	default:
 
 		/* ESTABLISHED */
 
 		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
 
 			     ctinfo == IP_CT_ESTABLISHED_REPLY);
 
-		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
 
-			nf_ct_kill_acct(ct, ctinfo, skb);
 
-			return NF_DROP;
 
-		}
 
+		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
 
+			goto oif_changed;
 
 	}
 
 
 	return nf_nat_packet(ct, ctinfo, hooknum, skb);
 
+
 
+oif_changed:
 
+	nf_ct_kill_acct(ct, ctinfo, skb);
 
+	return NF_DROP;
 
 }
 
 
 static unsigned int

+ 10 - 5
net/ipv6/netfilter/ip6table_nat.c
View File 

@@ -127,23 +127,28 @@ nf_nat_ipv6_fn(unsigned int hooknum,
 
 			ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
 
 			if (ret != NF_ACCEPT)
 
 				return ret;
 
-		} else
 
+		} else {
 
 			pr_debug("Already setup manip %s for ct %p\n",
 
 				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
 
 				 ct);
 
+			if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
 
+				goto oif_changed;
 
+		}
 
 		break;
 
 
 	default:
 
 		/* ESTABLISHED */
 
 		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
 
 			     ctinfo == IP_CT_ESTABLISHED_REPLY);
 
-		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
 
-			nf_ct_kill_acct(ct, ctinfo, skb);
 
-			return NF_DROP;
 
-		}
 
+		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
 
+			goto oif_changed;
 
 	}
 
 
 	return nf_nat_packet(ct, ctinfo, hooknum, skb);
 
+
 
+oif_changed:
 
+	nf_ct_kill_acct(ct, ctinfo, skb);
 
+	return NF_DROP;
 
 }
 
 
 static unsigned int