-rw-r--r-- | include/net/netfilter/nf_nat_rule.h | 3 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_rule.c | 19 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 8 |
3 files changed, 4 insertions, 26 deletions
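--- a/include/net/netfilter/nf_nat_rule.h
+++ b/include/net/netfilter/nf_nat_rule.h
@@ -14,7 +14,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
 
 extern unsigned int
 alloc_null_binding(struct nf_conn *ct, unsigned int hooknum);
-
-extern unsigned int
-alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum);
 #endif /* _NF_NAT_RULE_H */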
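--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -188,25 +188,6 @@ alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
 return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
 }
 
-unsigned int
-alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum)
-{
-__be32 ip
-= (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
-? ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip
-: ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip);
-__be16 all
-= (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
-? ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.all
-: ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.all);
-struct nf_nat_range range
-= { IP_NAT_RANGE_MAP_IPS, ip, ip, { all }, { all } };
-
-pr_debug("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",
-ct, NIPQUAD(ip));
-return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
-}
-
 int nf_nat_rule_find(struct sk_buff *skb,
 unsigned int hooknum,
 const struct net_device *in,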
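--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -102,6 +102,9 @@ nf_nat_fn(unsigned int hooknum,
 
 nat = nfct_nat(ct);
 if (!nat) {
+/* NAT module was loaded late. */
+if (nf_ct_is_confirmed(ct))
+return NF_ACCEPT;
 nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
 if (nat == NULL) {
 pr_debug("failed to add NAT extension\n");
@@ -127,10 +130,7 @@ nf_nat_fn(unsigned int hooknum,
 if (!nf_nat_initialized(ct, maniptype)) {
 unsigned int ret;
 
-if (unlikely(nf_ct_is_confirmed(ct)))
-/* NAT module was loaded late */
-ret = alloc_null_binding_confirmed(ct, hooknum);
-else if (hooknum == NF_INET_LOCAL_IN)
+if (hooknum == NF_INET_LOCAL_IN)
 /* LOCAL_IN hook doesn't have a chain! */
 ret = alloc_null_binding(ct, hooknum);
 else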
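Review bot: The early return added under `if (!nat)` in nf_nat_fn lets every conntrack that was confirmed before it had a NAT extension pass with `NF_ACCEPT` and no binding, and the short comment above it says neither that nor why. Assuming the reason is that the extension cannot safely be added once the entry is confirmed and visible to other CPUs (the page does not state it), I would expand the comment to something like `/* NAT module was loaded late: ct is already confirmed, so no extension can be added and the flow stays untranslated for its lifetime. */`. That consequence matters operationally, because such flows keep their original addresses until they expire, whatever NAT rules are loaded afterwards. The second hunk drops the `nf_ct_is_confirmed()` branch and relies on this early return; a confirmed conntrack that already has the extension but is not initialized for this maniptype would now reach the rule lookup, so it is worth confirming that state cannot occur. nf_nat_fn begins and ends outside both hunks.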