diff options
| -rw-r--r-- | include/net/netfilter/nf_nat_rule.h | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_NETMAP.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_rule.c | 10 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 8 |
4 files changed, 11 insertions, 15 deletions
diff --git a/include/net/netfilter/nf_nat_rule.h b/include/net/netfilter/nf_nat_rule.h index e4a18ae361c6..2890bdc4cd92 100644 --- a/include/net/netfilter/nf_nat_rule.h +++ b/include/net/netfilter/nf_nat_rule.h | |||
| @@ -12,6 +12,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb, | |||
| 12 | const struct net_device *out, | 12 | const struct net_device *out, |
| 13 | struct nf_conn *ct); | 13 | struct nf_conn *ct); |
| 14 | 14 | ||
| 15 | extern unsigned int | ||
| 16 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum); | ||
| 17 | #endif /* _NF_NAT_RULE_H */ | 15 | #endif /* _NF_NAT_RULE_H */ |
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c index f43867d1697f..6cdb298f1035 100644 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ b/net/ipv4/netfilter/ipt_NETMAP.c | |||
| @@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 48 | 48 | ||
| 49 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || | 49 | NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || |
| 50 | par->hooknum == NF_INET_POST_ROUTING || | 50 | par->hooknum == NF_INET_POST_ROUTING || |
| 51 | par->hooknum == NF_INET_LOCAL_OUT); | 51 | par->hooknum == NF_INET_LOCAL_OUT || |
| 52 | par->hooknum == NF_INET_LOCAL_IN); | ||
| 52 | ct = nf_ct_get(skb, &ctinfo); | 53 | ct = nf_ct_get(skb, &ctinfo); |
| 53 | 54 | ||
| 54 | netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip); | 55 | netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip); |
| @@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = { | |||
| 77 | .table = "nat", | 78 | .table = "nat", |
| 78 | .hooks = (1 << NF_INET_PRE_ROUTING) | | 79 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
| 79 | (1 << NF_INET_POST_ROUTING) | | 80 | (1 << NF_INET_POST_ROUTING) | |
| 80 | (1 << NF_INET_LOCAL_OUT), | 81 | (1 << NF_INET_LOCAL_OUT) | |
| 82 | (1 << NF_INET_LOCAL_IN), | ||
| 81 | .checkentry = netmap_tg_check, | 83 | .checkentry = netmap_tg_check, |
| 82 | .me = THIS_MODULE | 84 | .me = THIS_MODULE |
| 83 | }; | 85 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 98ed78281aee..ebbd319f62f5 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
| @@ -28,7 +28,8 @@ | |||
| 28 | 28 | ||
| 29 | #define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \ | 29 | #define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \ |
| 30 | (1 << NF_INET_POST_ROUTING) | \ | 30 | (1 << NF_INET_POST_ROUTING) | \ |
| 31 | (1 << NF_INET_LOCAL_OUT)) | 31 | (1 << NF_INET_LOCAL_OUT) | \ |
| 32 | (1 << NF_INET_LOCAL_IN)) | ||
| 32 | 33 | ||
| 33 | static const struct xt_table nat_table = { | 34 | static const struct xt_table nat_table = { |
| 34 | .name = "nat", | 35 | .name = "nat", |
| @@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 45 | enum ip_conntrack_info ctinfo; | 46 | enum ip_conntrack_info ctinfo; |
| 46 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 47 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
| 47 | 48 | ||
| 48 | NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING); | 49 | NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING || |
| 50 | par->hooknum == NF_INET_LOCAL_IN); | ||
| 49 | 51 | ||
| 50 | ct = nf_ct_get(skb, &ctinfo); | 52 | ct = nf_ct_get(skb, &ctinfo); |
| 51 | 53 | ||
| @@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par) | |||
| 99 | return 0; | 101 | return 0; |
| 100 | } | 102 | } |
| 101 | 103 | ||
| 102 | unsigned int | 104 | static unsigned int |
| 103 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) | 105 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) |
| 104 | { | 106 | { |
| 105 | /* Force range to this IP; let proto decide mapping for | 107 | /* Force range to this IP; let proto decide mapping for |
| @@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = { | |||
| 141 | .target = ipt_snat_target, | 143 | .target = ipt_snat_target, |
| 142 | .targetsize = sizeof(struct nf_nat_multi_range_compat), | 144 | .targetsize = sizeof(struct nf_nat_multi_range_compat), |
| 143 | .table = "nat", | 145 | .table = "nat", |
| 144 | .hooks = 1 << NF_INET_POST_ROUTING, | 146 | .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN), |
| 145 | .checkentry = ipt_snat_checkentry, | 147 | .checkentry = ipt_snat_checkentry, |
| 146 | .family = AF_INET, | 148 | .family = AF_INET, |
| 147 | }; | 149 | }; |
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 6723c682250d..95481fee8bdb 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
| @@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum, | |||
| 131 | if (!nf_nat_initialized(ct, maniptype)) { | 131 | if (!nf_nat_initialized(ct, maniptype)) { |
| 132 | unsigned int ret; | 132 | unsigned int ret; |
| 133 | 133 | ||
| 134 | if (hooknum == NF_INET_LOCAL_IN) | 134 | ret = nf_nat_rule_find(skb, hooknum, in, out, ct); |
| 135 | /* LOCAL_IN hook doesn't have a chain! */ | ||
| 136 | ret = alloc_null_binding(ct, hooknum); | ||
| 137 | else | ||
| 138 | ret = nf_nat_rule_find(skb, hooknum, in, out, | ||
| 139 | ct); | ||
| 140 | |||
| 141 | if (ret != NF_ACCEPT) | 135 | if (ret != NF_ACCEPT) |
| 142 | return ret; | 136 | return ret; |
| 143 | } else | 137 | } else |