[NETFILTER]: Handle NAT in IPsec policy checks

Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi of the original packet from the conntrack information for IPsec policy checks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-01-07 02:06:30 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-01-07 15:57:37 -0500
commit: eb9c7ebe6980c41cf6ae889e301c3b49f473ee9f (patch)
tree: 419103d15b9de9c26c8400c698625231df55da91 /include
parent: b59c270104f03960069596722fea70340579244d (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 79bb977afeac..84506dfa1f37 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -274,6 +274,20 @@ struct nf_queue_rerouter {
 extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);
 extern int nf_unregister_queue_rerouter(int pf);
+#include <net/flow.h>
+extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
+static inline void
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
+{
+#ifdef CONFIG_IP_NF_NAT_NEEDED
+        void (*decodefn)(struct sk_buff *, struct flowi *);
+        if (family == AF_INET && (decodefn = ip_nat_decode_session) != NULL)
+                decodefn(skb, fl);
+#endif
+}
 #ifdef CONFIG_PROC_FS
 #include <linux/proc_fs.h>
 extern struct proc_dir_entry *proc_net_netfilter;
@@ -282,6 +296,8 @@ extern struct proc_dir_entry *proc_net_netfilter;
 #else /* !CONFIG_NETFILTER */
 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
+static inline void
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
 #endif /*CONFIG_NETFILTER*/
 #endif /*__KERNEL__*/
author	Patrick McHardy <kaber@trash.net>	2006-01-07 02:06:30 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-01-07 15:57:37 -0500
commit	eb9c7ebe6980c41cf6ae889e301c3b49f473ee9f (patch)
tree	419103d15b9de9c26c8400c698625231df55da91 /include
parent	b59c270104f03960069596722fea70340579244d (diff)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 79bb977afeac..84506dfa1f37 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h
@@ -274,6 +274,20 @@ struct nf_queue_rerouter {
274	extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);	274	extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);
275	extern int nf_unregister_queue_rerouter(int pf);	275	extern int nf_unregister_queue_rerouter(int pf);
276		276
		277	#include <net/flow.h>
		278	extern void (ip_nat_decode_session)(struct sk_buff , struct flowi *);
		279
		280	static inline void
		281	nf_nat_decode_session(struct sk_buff skb, struct flowi fl, int family)
		282	{
		283	#ifdef CONFIG_IP_NF_NAT_NEEDED
		284	void (decodefn)(struct sk_buff , struct flowi *);
		285
		286	if (family == AF_INET && (decodefn = ip_nat_decode_session) != NULL)
		287	decodefn(skb, fl);
		288	#endif
		289	}
		290
277	#ifdef CONFIG_PROC_FS	291	#ifdef CONFIG_PROC_FS
278	#include <linux/proc_fs.h>	292	#include <linux/proc_fs.h>
279	extern struct proc_dir_entry *proc_net_netfilter;	293	extern struct proc_dir_entry *proc_net_netfilter;
@@ -282,6 +296,8 @@ extern struct proc_dir_entry *proc_net_netfilter;
282	#else /* !CONFIG_NETFILTER */	296	#else /* !CONFIG_NETFILTER */
283	#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)	297	#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
284	static inline void nf_ct_attach(struct sk_buff new, struct sk_buff skb) {}	298	static inline void nf_ct_attach(struct sk_buff new, struct sk_buff skb) {}
		299	static inline void
		300	nf_nat_decode_session(struct sk_buff skb, struct flowi fl, int family) {}
285	#endif /CONFIG_NETFILTER/	301	#endif /CONFIG_NETFILTER/
286		302
287	#endif /__KERNEL__/	303	#endif /__KERNEL__/