diff options
| author | Julian Anastasov <ja@ssi.bg> | 2010-10-11 04:23:07 -0400 |
|---|---|---|
| committer | Simon Horman <horms@verge.net.au> | 2010-10-21 07:30:02 -0400 |
| commit | b0aeef30433ea6854e985c2e9842fa19f51b95cc (patch) | |
| tree | aedeebe5ef7cc56abece7bd103fb6229179a11bd /net | |
| parent | 0d79641a96d612aaa6d57a4d4f521d7ed9c9ccdd (diff) | |
nf_nat: restrict ICMP translation for embedded header
Skip ICMP translation of embedded protocol header
if NAT bits are not set. Needed for IPVS to see the original
embedded addresses because for IPVS traffic the IPS_SRC_NAT_BIT
and IPS_DST_NAT_BIT bits are not set. It happens when IPVS performs
DNAT for client packets after using nf_conntrack_alter_reply
to expect replies from real server.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_core.c | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index e2e00c4da883..0047923c1f22 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c | |||
| @@ -462,6 +462,18 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct, | |||
| 462 | return 0; | 462 | return 0; |
| 463 | } | 463 | } |
| 464 | 464 | ||
| 465 | if (manip == IP_NAT_MANIP_SRC) | ||
| 466 | statusbit = IPS_SRC_NAT; | ||
| 467 | else | ||
| 468 | statusbit = IPS_DST_NAT; | ||
| 469 | |||
| 470 | /* Invert if this is reply dir. */ | ||
| 471 | if (dir == IP_CT_DIR_REPLY) | ||
| 472 | statusbit ^= IPS_NAT_MASK; | ||
| 473 | |||
| 474 | if (!(ct->status & statusbit)) | ||
| 475 | return 1; | ||
| 476 | |||
| 465 | pr_debug("icmp_reply_translation: translating error %p manip %u " | 477 | pr_debug("icmp_reply_translation: translating error %p manip %u " |
| 466 | "dir %s\n", skb, manip, | 478 | "dir %s\n", skb, manip, |
| 467 | dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); | 479 | dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); |
| @@ -496,20 +508,9 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct, | |||
| 496 | 508 | ||
| 497 | /* Change outer to look the reply to an incoming packet | 509 | /* Change outer to look the reply to an incoming packet |
| 498 | * (proto 0 means don't invert per-proto part). */ | 510 | * (proto 0 means don't invert per-proto part). */ |
| 499 | if (manip == IP_NAT_MANIP_SRC) | 511 | nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple); |
| 500 | statusbit = IPS_SRC_NAT; | 512 | if (!manip_pkt(0, skb, 0, &target, manip)) |
| 501 | else | 513 | return 0; |
| 502 | statusbit = IPS_DST_NAT; | ||
| 503 | |||
| 504 | /* Invert if this is reply dir. */ | ||
| 505 | if (dir == IP_CT_DIR_REPLY) | ||
| 506 | statusbit ^= IPS_NAT_MASK; | ||
| 507 | |||
| 508 | if (ct->status & statusbit) { | ||
| 509 | nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple); | ||
| 510 | if (!manip_pkt(0, skb, 0, &target, manip)) | ||
| 511 | return 0; | ||
| 512 | } | ||
| 513 | 514 | ||
| 514 | return 1; | 515 | return 1; |
| 515 | } | 516 | } |