diff options
Diffstat (limited to 'net/openvswitch/conntrack.c')
| -rw-r--r-- | net/openvswitch/conntrack.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index dc5eb29fe7d6..1b9d286756be 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c | |||
| @@ -535,14 +535,15 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, | |||
| 535 | switch (ctinfo) { | 535 | switch (ctinfo) { |
| 536 | case IP_CT_RELATED: | 536 | case IP_CT_RELATED: |
| 537 | case IP_CT_RELATED_REPLY: | 537 | case IP_CT_RELATED_REPLY: |
| 538 | if (skb->protocol == htons(ETH_P_IP) && | 538 | if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && |
| 539 | skb->protocol == htons(ETH_P_IP) && | ||
| 539 | ip_hdr(skb)->protocol == IPPROTO_ICMP) { | 540 | ip_hdr(skb)->protocol == IPPROTO_ICMP) { |
| 540 | if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, | 541 | if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, |
| 541 | hooknum)) | 542 | hooknum)) |
| 542 | err = NF_DROP; | 543 | err = NF_DROP; |
| 543 | goto push; | 544 | goto push; |
| 544 | #if IS_ENABLED(CONFIG_NF_NAT_IPV6) | 545 | } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && |
| 545 | } else if (skb->protocol == htons(ETH_P_IPV6)) { | 546 | skb->protocol == htons(ETH_P_IPV6)) { |
| 546 | __be16 frag_off; | 547 | __be16 frag_off; |
| 547 | u8 nexthdr = ipv6_hdr(skb)->nexthdr; | 548 | u8 nexthdr = ipv6_hdr(skb)->nexthdr; |
| 548 | int hdrlen = ipv6_skip_exthdr(skb, | 549 | int hdrlen = ipv6_skip_exthdr(skb, |
| @@ -557,7 +558,6 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, | |||
| 557 | err = NF_DROP; | 558 | err = NF_DROP; |
| 558 | goto push; | 559 | goto push; |
| 559 | } | 560 | } |
| 560 | #endif | ||
| 561 | } | 561 | } |
| 562 | /* Non-ICMP, fall thru to initialize if needed. */ | 562 | /* Non-ICMP, fall thru to initialize if needed. */ |
| 563 | case IP_CT_NEW: | 563 | case IP_CT_NEW: |
| @@ -664,11 +664,12 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, | |||
| 664 | 664 | ||
| 665 | /* Determine NAT type. | 665 | /* Determine NAT type. |
| 666 | * Check if the NAT type can be deduced from the tracked connection. | 666 | * Check if the NAT type can be deduced from the tracked connection. |
| 667 | * Make sure expected traffic is NATted only when committing. | 667 | * Make sure new expected connections (IP_CT_RELATED) are NATted only |
| 668 | * when committing. | ||
| 668 | */ | 669 | */ |
| 669 | if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && | 670 | if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && |
| 670 | ct->status & IPS_NAT_MASK && | 671 | ct->status & IPS_NAT_MASK && |
| 671 | (!(ct->status & IPS_EXPECTED_BIT) || info->commit)) { | 672 | (ctinfo != IP_CT_RELATED || info->commit)) { |
| 672 | /* NAT an established or related connection like before. */ | 673 | /* NAT an established or related connection like before. */ |
| 673 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) | 674 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) |
| 674 | /* This is the REPLY direction for a connection | 675 | /* This is the REPLY direction for a connection |
| @@ -968,7 +969,8 @@ static int parse_nat(const struct nlattr *attr, | |||
| 968 | break; | 969 | break; |
| 969 | 970 | ||
| 970 | case OVS_NAT_ATTR_IP_MIN: | 971 | case OVS_NAT_ATTR_IP_MIN: |
| 971 | nla_memcpy(&info->range.min_addr, a, nla_len(a)); | 972 | nla_memcpy(&info->range.min_addr, a, |
| 973 | sizeof(info->range.min_addr)); | ||
| 972 | info->range.flags |= NF_NAT_RANGE_MAP_IPS; | 974 | info->range.flags |= NF_NAT_RANGE_MAP_IPS; |
| 973 | break; | 975 | break; |
| 974 | 976 | ||
| @@ -1238,7 +1240,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, | |||
| 1238 | } | 1240 | } |
| 1239 | 1241 | ||
| 1240 | if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { | 1242 | if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { |
| 1241 | if (info->family == NFPROTO_IPV4) { | 1243 | if (IS_ENABLED(CONFIG_NF_NAT_IPV4) && |
| 1244 | info->family == NFPROTO_IPV4) { | ||
| 1242 | if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, | 1245 | if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, |
| 1243 | info->range.min_addr.ip) || | 1246 | info->range.min_addr.ip) || |
| 1244 | (info->range.max_addr.ip | 1247 | (info->range.max_addr.ip |
| @@ -1246,8 +1249,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, | |||
| 1246 | (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, | 1249 | (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, |
| 1247 | info->range.max_addr.ip)))) | 1250 | info->range.max_addr.ip)))) |
| 1248 | return false; | 1251 | return false; |
| 1249 | #if IS_ENABLED(CONFIG_NF_NAT_IPV6) | 1252 | } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) && |
| 1250 | } else if (info->family == NFPROTO_IPV6) { | 1253 | info->family == NFPROTO_IPV6) { |
| 1251 | if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, | 1254 | if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, |
| 1252 | &info->range.min_addr.in6) || | 1255 | &info->range.min_addr.in6) || |
| 1253 | (memcmp(&info->range.max_addr.in6, | 1256 | (memcmp(&info->range.max_addr.in6, |
| @@ -1256,7 +1259,6 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, | |||
| 1256 | (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, | 1259 | (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, |
| 1257 | &info->range.max_addr.in6)))) | 1260 | &info->range.max_addr.in6)))) |
| 1258 | return false; | 1261 | return false; |
| 1259 | #endif | ||
| 1260 | } else { | 1262 | } else { |
| 1261 | return false; | 1263 | return false; |
| 1262 | } | 1264 | } |