11 files changed, 25 insertions, 44 deletions
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 76da32292bcd..9dc1039ff78b 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -80,7 +80,7 @@ struct nf_conn_nat
 /* Set up the info structure to map into this range. */
 extern unsigned int nf_nat_setup_info(struct nf_conn *ct,
                                      const struct nf_nat_range *range,
-                                      unsigned int hooknum);
+                                      enum nf_nat_manip_type maniptype);
 /* Is this tuple already taken? (not by us)*/
 extern int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index f54150356cee..1cbff7b3084f 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -95,7 +95,7 @@ masquerade_tg(struct sk_buff *skb, const struct net_device *in,
                  mr->range[0].min, mr->range[0].max });
        /* Hand modified range to generic setup. */
-        return nf_nat_setup_info(ct, &newrange, hooknum);
+        return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_SRC);
 }
 static int
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 8b8263e63579..5b71ef4d848a 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -70,7 +70,7 @@ netmap_tg(struct sk_buff *skb, const struct net_device *in,
                  mr->range[0].min, mr->range[0].max });
        /* Hand modified range to generic setup. */
-        return nf_nat_setup_info(ct, &newrange, hooknum);
+        return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(hooknum));
 }
 static struct xt_target netmap_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 74ce7e1e9d7f..3d9ec5c34c52 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -87,7 +87,7 @@ redirect_tg(struct sk_buff *skb, const struct net_device *in,
                  mr->range[0].min, mr->range[0].max });
        /* Hand modified range to generic setup. */
-        return nf_nat_setup_info(ct, &newrange, hooknum);
+        return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_DST);
 }
 static struct xt_target redirect_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 7cc179cfc7c1..aec157d0ad93 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -277,12 +277,11 @@ out:
 unsigned int
 nf_nat_setup_info(struct nf_conn *ct,
                  const struct nf_nat_range *range,
-                  unsigned int hooknum)
+                  enum nf_nat_manip_type maniptype)
 {
        struct nf_conntrack_tuple curr_tuple, new_tuple;
        struct nf_conn_nat *nat;
        int have_to_hash = !(ct->status & IPS_NAT_DONE_MASK);
-        enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum);
        /* nat helper or nfctnetlink also setup binding */
        nat = nfct_nat(ct);
@@ -294,10 +293,8 @@ nf_nat_setup_info(struct nf_conn *ct,
                }
        }
-        NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING ||
+        NF_CT_ASSERT(maniptype == IP_NAT_MANIP_SRC ||
-                     hooknum == NF_INET_POST_ROUTING ||
+                     maniptype == IP_NAT_MANIP_DST);
-                     hooknum == NF_INET_LOCAL_IN ||
-                     hooknum == NF_INET_LOCAL_OUT);
        BUG_ON(nf_nat_initialized(ct, maniptype));
        /* What we've got will look like inverse of reply. Normally
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index 0f226df76f5c..2e4bdee92c4a 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -389,18 +389,14 @@ static void ip_nat_q931_expect(struct nf_conn *new,
        /* Change src to where master sends to */
        range.flags = IP_NAT_RANGE_MAP_IPS;
        range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
+        nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC);
-        /* hook doesn't matter, but it has to do source manip */
-        nf_nat_setup_info(new, &range, NF_INET_POST_ROUTING);
        /* For DST manip, map port here to where it's expected. */
        range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
        range.min = range.max = this->saved_proto;
        range.min_ip = range.max_ip =
            new->master->tuplehash[!this->dir].tuple.src.u3.ip;
+        nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST);
-        /* hook doesn't matter, but it has to do destination manip */
-        nf_nat_setup_info(new, &range, NF_INET_PRE_ROUTING);
 }
 /****************************************************************************/
@@ -479,17 +475,13 @@ static void ip_nat_callforwarding_expect(struct nf_conn *new,
        /* Change src to where master sends to */
        range.flags = IP_NAT_RANGE_MAP_IPS;
        range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
+        nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC);
-        /* hook doesn't matter, but it has to do source manip */
-        nf_nat_setup_info(new, &range, NF_INET_POST_ROUTING);
        /* For DST manip, map port here to where it's expected. */
        range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
        range.min = range.max = this->saved_proto;
        range.min_ip = range.max_ip = this->saved_ip;
+        nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST);
-        /* hook doesn't matter, but it has to do destination manip */
-        nf_nat_setup_info(new, &range, NF_INET_PRE_ROUTING);
 }
 /****************************************************************************/
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index d24f3d947394..4c0232842e75 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -433,15 +433,13 @@ void nf_nat_follow_master(struct nf_conn *ct,
        range.flags = IP_NAT_RANGE_MAP_IPS;
        range.min_ip = range.max_ip
                = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
-        /* hook doesn't matter, but it has to do source manip */
+        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
-        nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
        /* For DST manip, map port here to where it's expected. */
        range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
        range.min = range.max = exp->saved_proto;
        range.min_ip = range.max_ip
                = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;
-        /* hook doesn't matter, but it has to do destination manip */
+        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
-        nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
 }
 EXPORT_SYMBOL(nf_nat_follow_master);
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index c540999f5090..e63b944a2ebb 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -93,8 +93,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
                range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
                range.min = range.max = exp->saved_proto;
        }
-        /* hook doesn't matter, but it has to do source manip */
+        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
-        nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
        /* For DST manip, map port here to where it's expected. */
        range.flags = IP_NAT_RANGE_MAP_IPS;
@@ -104,8 +103,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
                range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
                range.min = range.max = exp->saved_proto;
        }
-        /* hook doesn't matter, but it has to do destination manip */
+        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
-        nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
 }
 /* outbound packets == from PNS to PAC */
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index ee39ed87bb08..4391aec56abd 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -87,7 +87,7 @@ static unsigned int ipt_snat_target(struct sk_buff *skb,
                            ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
        NF_CT_ASSERT(out);
-        return nf_nat_setup_info(ct, &mr->range[0], hooknum);
+        return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
 }
 /* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
@@ -133,7 +133,7 @@ static unsigned int ipt_dnat_target(struct sk_buff *skb,
                warn_if_extra_mangle(ip_hdr(skb)->daddr,
                                     mr->range[0].min_ip);
-        return nf_nat_setup_info(ct, &mr->range[0], hooknum);
+        return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
 }
 static bool ipt_snat_checkentry(const char *tablename,
@@ -184,7 +184,7 @@ alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
        pr_debug("Allocating NULL binding for %p (%u.%u.%u.%u)\n",
                 ct, NIPQUAD(ip));
-        return nf_nat_setup_info(ct, &range, hooknum);
+        return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
 }
 unsigned int
@@ -203,7 +203,7 @@ alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum)
        pr_debug("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",
                 ct, NIPQUAD(ip));
-        return nf_nat_setup_info(ct, &range, hooknum);
+        return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
 }
 int nf_nat_rule_find(struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index b8c0720cf428..606a170bf4ca 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -228,15 +228,13 @@ static void ip_nat_sdp_expect(struct nf_conn *ct,
        range.flags = IP_NAT_RANGE_MAP_IPS;
        range.min_ip = range.max_ip
                = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
-        /* hook doesn't matter, but it has to do source manip */
+        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
-        nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
        /* For DST manip, map port here to where it's expected. */
        range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
        range.min = range.max = exp->saved_proto;
        range.min_ip = range.max_ip = exp->saved_ip;
-        /* hook doesn't matter, but it has to do destination manip */
+        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
-        nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
 }
 /* So, this packet has hit the connection tracking matching code.
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 7851065ef206..3a065f43ddd8 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -918,19 +918,17 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
                        if (nfnetlink_parse_nat(cda[CTA_NAT_DST], ct,
                                                &range) < 0)
                                return -EINVAL;
-                        if (nf_nat_initialized(ct,
+                        if (nf_nat_initialized(ct, IP_NAT_MANIP_DST))
-                                               HOOK2MANIP(NF_INET_PRE_ROUTING)))
                                return -EEXIST;
-                        nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
+                        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
                }
                if (cda[CTA_NAT_SRC]) {
                        if (nfnetlink_parse_nat(cda[CTA_NAT_SRC], ct,
                                                &range) < 0)
                                return -EINVAL;
-                        if (nf_nat_initialized(ct,
+                        if (nf_nat_initialized(ct, IP_NAT_MANIP_SRC))
-                                               HOOK2MANIP(NF_INET_POST_ROUTING)))
                                return -EEXIST;
-                        nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
+                        nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
                }
 #endif
        }

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h index 76da32292bcd..9dc1039ff78b 100644 --- a/include/net/netfilter/nf_nat.h +++ b/include/net/netfilter/nf_nat.h
@@ -80,7 +80,7 @@ struct nf_conn_nat
80	/* Set up the info structure to map into this range. */	80	/* Set up the info structure to map into this range. */
81	extern unsigned int nf_nat_setup_info(struct nf_conn *ct,	81	extern unsigned int nf_nat_setup_info(struct nf_conn *ct,
82	const struct nf_nat_range *range,	82	const struct nf_nat_range *range,
83	unsigned int hooknum);	83	enum nf_nat_manip_type maniptype);
84		84
85	/* Is this tuple already taken? (not by us)*/	85	/* Is this tuple already taken? (not by us)*/
86	extern int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,	86	extern int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,


diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index f54150356cee..1cbff7b3084f 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -95,7 +95,7 @@ masquerade_tg(struct sk_buff skb, const struct net_device in,
95	mr->range[0].min, mr->range[0].max });	95	mr->range[0].min, mr->range[0].max });
96		96
97	/* Hand modified range to generic setup. */	97	/* Hand modified range to generic setup. */
98	return nf_nat_setup_info(ct, &newrange, hooknum);	98	return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_SRC);
99	}	99	}
100		100
101	static int	101	static int


diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c index 8b8263e63579..5b71ef4d848a 100644 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -70,7 +70,7 @@ netmap_tg(struct sk_buff skb, const struct net_device in,
70	mr->range[0].min, mr->range[0].max });	70	mr->range[0].min, mr->range[0].max });
71		71
72	/* Hand modified range to generic setup. */	72	/* Hand modified range to generic setup. */
73	return nf_nat_setup_info(ct, &newrange, hooknum);	73	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(hooknum));
74	}	74	}
75		75
76	static struct xt_target netmap_tg_reg __read_mostly = {	76	static struct xt_target netmap_tg_reg __read_mostly = {


diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c index 74ce7e1e9d7f..3d9ec5c34c52 100644 --- a/net/ipv4/netfilter/ipt_REDIRECT.c +++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -87,7 +87,7 @@ redirect_tg(struct sk_buff skb, const struct net_device in,
87	mr->range[0].min, mr->range[0].max });	87	mr->range[0].min, mr->range[0].max });
88		88
89	/* Hand modified range to generic setup. */	89	/* Hand modified range to generic setup. */
90	return nf_nat_setup_info(ct, &newrange, hooknum);	90	return nf_nat_setup_info(ct, &newrange, IP_NAT_MANIP_DST);
91	}	91	}
92		92
93	static struct xt_target redirect_tg_reg __read_mostly = {	93	static struct xt_target redirect_tg_reg __read_mostly = {


diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 7cc179cfc7c1..aec157d0ad93 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -277,12 +277,11 @@ out:
277	unsigned int	277	unsigned int
278	nf_nat_setup_info(struct nf_conn *ct,	278	nf_nat_setup_info(struct nf_conn *ct,
279	const struct nf_nat_range *range,	279	const struct nf_nat_range *range,
280	unsigned int hooknum)	280	enum nf_nat_manip_type maniptype)
281	{	281	{
282	struct nf_conntrack_tuple curr_tuple, new_tuple;	282	struct nf_conntrack_tuple curr_tuple, new_tuple;
283	struct nf_conn_nat *nat;	283	struct nf_conn_nat *nat;
284	int have_to_hash = !(ct->status & IPS_NAT_DONE_MASK);	284	int have_to_hash = !(ct->status & IPS_NAT_DONE_MASK);
285	enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum);
286		285
287	/* nat helper or nfctnetlink also setup binding */	286	/* nat helper or nfctnetlink also setup binding */
288	nat = nfct_nat(ct);	287	nat = nfct_nat(ct);
@@ -294,10 +293,8 @@ nf_nat_setup_info(struct nf_conn *ct,
294	}	293	}
295	}	294	}
296		295
297	NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING \|\|	296	NF_CT_ASSERT(maniptype == IP_NAT_MANIP_SRC \|\|
298	hooknum == NF_INET_POST_ROUTING \|\|	297	maniptype == IP_NAT_MANIP_DST);
299	hooknum == NF_INET_LOCAL_IN \|\|
300	hooknum == NF_INET_LOCAL_OUT);
301	BUG_ON(nf_nat_initialized(ct, maniptype));	298	BUG_ON(nf_nat_initialized(ct, maniptype));
302		299
303	/* What we've got will look like inverse of reply. Normally	300	/* What we've got will look like inverse of reply. Normally


diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c index 0f226df76f5c..2e4bdee92c4a 100644 --- a/net/ipv4/netfilter/nf_nat_h323.c +++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -389,18 +389,14 @@ static void ip_nat_q931_expect(struct nf_conn *new,
389	/* Change src to where master sends to */	389	/* Change src to where master sends to */
390	range.flags = IP_NAT_RANGE_MAP_IPS;	390	range.flags = IP_NAT_RANGE_MAP_IPS;
391	range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;	391	range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
392		392	nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC);
393	/* hook doesn't matter, but it has to do source manip */
394	nf_nat_setup_info(new, &range, NF_INET_POST_ROUTING);
395		393
396	/* For DST manip, map port here to where it's expected. */	394	/* For DST manip, map port here to where it's expected. */
397	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);	395	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);
398	range.min = range.max = this->saved_proto;	396	range.min = range.max = this->saved_proto;
399	range.min_ip = range.max_ip =	397	range.min_ip = range.max_ip =
400	new->master->tuplehash[!this->dir].tuple.src.u3.ip;	398	new->master->tuplehash[!this->dir].tuple.src.u3.ip;
401		399	nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST);
402	/* hook doesn't matter, but it has to do destination manip */
403	nf_nat_setup_info(new, &range, NF_INET_PRE_ROUTING);
404	}	400	}
405		401
406	/****************************************************************************/	402	/****************************************************************************/
@@ -479,17 +475,13 @@ static void ip_nat_callforwarding_expect(struct nf_conn *new,
479	/* Change src to where master sends to */	475	/* Change src to where master sends to */
480	range.flags = IP_NAT_RANGE_MAP_IPS;	476	range.flags = IP_NAT_RANGE_MAP_IPS;
481	range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;	477	range.min_ip = range.max_ip = new->tuplehash[!this->dir].tuple.src.u3.ip;
482		478	nf_nat_setup_info(new, &range, IP_NAT_MANIP_SRC);
483	/* hook doesn't matter, but it has to do source manip */
484	nf_nat_setup_info(new, &range, NF_INET_POST_ROUTING);
485		479
486	/* For DST manip, map port here to where it's expected. */	480	/* For DST manip, map port here to where it's expected. */
487	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);	481	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);
488	range.min = range.max = this->saved_proto;	482	range.min = range.max = this->saved_proto;
489	range.min_ip = range.max_ip = this->saved_ip;	483	range.min_ip = range.max_ip = this->saved_ip;
490		484	nf_nat_setup_info(new, &range, IP_NAT_MANIP_DST);
491	/* hook doesn't matter, but it has to do destination manip */
492	nf_nat_setup_info(new, &range, NF_INET_PRE_ROUTING);
493	}	485	}
494		486
495	/****************************************************************************/	487	/****************************************************************************/


diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c index d24f3d947394..4c0232842e75 100644 --- a/net/ipv4/netfilter/nf_nat_helper.c +++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -433,15 +433,13 @@ void nf_nat_follow_master(struct nf_conn *ct,
433	range.flags = IP_NAT_RANGE_MAP_IPS;	433	range.flags = IP_NAT_RANGE_MAP_IPS;
434	range.min_ip = range.max_ip	434	range.min_ip = range.max_ip
435	= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;	435	= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
436	/* hook doesn't matter, but it has to do source manip */	436	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
437	nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
438		437
439	/* For DST manip, map port here to where it's expected. */	438	/* For DST manip, map port here to where it's expected. */
440	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);	439	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);
441	range.min = range.max = exp->saved_proto;	440	range.min = range.max = exp->saved_proto;
442	range.min_ip = range.max_ip	441	range.min_ip = range.max_ip
443	= ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;	442	= ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;
444	/* hook doesn't matter, but it has to do destination manip */	443	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
445	nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
446	}	444	}
447	EXPORT_SYMBOL(nf_nat_follow_master);	445	EXPORT_SYMBOL(nf_nat_follow_master);


diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c index c540999f5090..e63b944a2ebb 100644 --- a/net/ipv4/netfilter/nf_nat_pptp.c +++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -93,8 +93,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
93	range.flags \|= IP_NAT_RANGE_PROTO_SPECIFIED;	93	range.flags \|= IP_NAT_RANGE_PROTO_SPECIFIED;
94	range.min = range.max = exp->saved_proto;	94	range.min = range.max = exp->saved_proto;
95	}	95	}
96	/* hook doesn't matter, but it has to do source manip */	96	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
97	nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
98		97
99	/* For DST manip, map port here to where it's expected. */	98	/* For DST manip, map port here to where it's expected. */
100	range.flags = IP_NAT_RANGE_MAP_IPS;	99	range.flags = IP_NAT_RANGE_MAP_IPS;
@@ -104,8 +103,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
104	range.flags \|= IP_NAT_RANGE_PROTO_SPECIFIED;	103	range.flags \|= IP_NAT_RANGE_PROTO_SPECIFIED;
105	range.min = range.max = exp->saved_proto;	104	range.min = range.max = exp->saved_proto;
106	}	105	}
107	/* hook doesn't matter, but it has to do destination manip */	106	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
108	nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
109	}	107	}
110		108
111	/* outbound packets == from PNS to PAC */	109	/* outbound packets == from PNS to PAC */


diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index ee39ed87bb08..4391aec56abd 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -87,7 +87,7 @@ static unsigned int ipt_snat_target(struct sk_buff *skb,
87	ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));	87	ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
88	NF_CT_ASSERT(out);	88	NF_CT_ASSERT(out);
89		89
90	return nf_nat_setup_info(ct, &mr->range[0], hooknum);	90	return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
91	}	91	}
92		92
93	/* Before 2.6.11 we did implicit source NAT if required. Warn about change. */	93	/* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
@@ -133,7 +133,7 @@ static unsigned int ipt_dnat_target(struct sk_buff *skb,
133	warn_if_extra_mangle(ip_hdr(skb)->daddr,	133	warn_if_extra_mangle(ip_hdr(skb)->daddr,
134	mr->range[0].min_ip);	134	mr->range[0].min_ip);
135		135
136	return nf_nat_setup_info(ct, &mr->range[0], hooknum);	136	return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
137	}	137	}
138		138
139	static bool ipt_snat_checkentry(const char *tablename,	139	static bool ipt_snat_checkentry(const char *tablename,
@@ -184,7 +184,7 @@ alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
184		184
185	pr_debug("Allocating NULL binding for %p (%u.%u.%u.%u)\n",	185	pr_debug("Allocating NULL binding for %p (%u.%u.%u.%u)\n",
186	ct, NIPQUAD(ip));	186	ct, NIPQUAD(ip));
187	return nf_nat_setup_info(ct, &range, hooknum);	187	return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
188	}	188	}
189		189
190	unsigned int	190	unsigned int
@@ -203,7 +203,7 @@ alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum)
203		203
204	pr_debug("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",	204	pr_debug("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",
205	ct, NIPQUAD(ip));	205	ct, NIPQUAD(ip));
206	return nf_nat_setup_info(ct, &range, hooknum);	206	return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
207	}	207	}
208		208
209	int nf_nat_rule_find(struct sk_buff *skb,	209	int nf_nat_rule_find(struct sk_buff *skb,


diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c index b8c0720cf428..606a170bf4ca 100644 --- a/net/ipv4/netfilter/nf_nat_sip.c +++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -228,15 +228,13 @@ static void ip_nat_sdp_expect(struct nf_conn *ct,
228	range.flags = IP_NAT_RANGE_MAP_IPS;	228	range.flags = IP_NAT_RANGE_MAP_IPS;
229	range.min_ip = range.max_ip	229	range.min_ip = range.max_ip
230	= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;	230	= ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
231	/* hook doesn't matter, but it has to do source manip */	231	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
232	nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);
233		232
234	/* For DST manip, map port here to where it's expected. */	233	/* For DST manip, map port here to where it's expected. */
235	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);	234	range.flags = (IP_NAT_RANGE_MAP_IPS \| IP_NAT_RANGE_PROTO_SPECIFIED);
236	range.min = range.max = exp->saved_proto;	235	range.min = range.max = exp->saved_proto;
237	range.min_ip = range.max_ip = exp->saved_ip;	236	range.min_ip = range.max_ip = exp->saved_ip;
238	/* hook doesn't matter, but it has to do destination manip */	237	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
239	nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);
240	}	238	}
241		239
242	/* So, this packet has hit the connection tracking matching code.	240	/* So, this packet has hit the connection tracking matching code.


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 7851065ef206..3a065f43ddd8 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -918,19 +918,17 @@ ctnetlink_change_status(struct nf_conn ct, struct nlattr cda[])
918	if (nfnetlink_parse_nat(cda[CTA_NAT_DST], ct,	918	if (nfnetlink_parse_nat(cda[CTA_NAT_DST], ct,
919	&range) < 0)	919	&range) < 0)
920	return -EINVAL;	920	return -EINVAL;
921	if (nf_nat_initialized(ct,	921	if (nf_nat_initialized(ct, IP_NAT_MANIP_DST))
922	HOOK2MANIP(NF_INET_PRE_ROUTING)))
923	return -EEXIST;	922	return -EEXIST;
924	nf_nat_setup_info(ct, &range, NF_INET_PRE_ROUTING);	923	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
925	}	924	}
926	if (cda[CTA_NAT_SRC]) {	925	if (cda[CTA_NAT_SRC]) {
927	if (nfnetlink_parse_nat(cda[CTA_NAT_SRC], ct,	926	if (nfnetlink_parse_nat(cda[CTA_NAT_SRC], ct,
928	&range) < 0)	927	&range) < 0)
929	return -EINVAL;	928	return -EINVAL;
930	if (nf_nat_initialized(ct,	929	if (nf_nat_initialized(ct, IP_NAT_MANIP_SRC))
931	HOOK2MANIP(NF_INET_POST_ROUTING)))
932	return -EEXIST;	930	return -EEXIST;
933	nf_nat_setup_info(ct, &range, NF_INET_POST_ROUTING);	931	nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
934	}	932	}
935	#endif	933	#endif
936	}	934	}