8 files changed, 69 insertions, 20 deletions
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 4d1c40972a4b..e7bbff4340bb 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -192,7 +192,7 @@ int sysctl_icmp_echo_ignore_all;
 int sysctl_icmp_echo_ignore_broadcasts = 1;
 /* Control parameter - ignore bogus broadcast responses? */
-int sysctl_icmp_ignore_bogus_error_responses;
+int sysctl_icmp_ignore_bogus_error_responses = 1;
 /*
 *      Configurable global rate limit.
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index abe23923e4e7..9981dcd68f11 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -830,7 +830,8 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        skb->h.raw = skb->nh.raw;
        skb->nh.raw = skb_push(skb, gre_hlen);
        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE|IPSKB_XFRM_TRANSFORMED);
+        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+                              IPSKB_REROUTED);
        dst_release(skb->dst);
        skb->dst = &rt->u.dst;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 3324fbfe528a..57d290d89ec2 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -207,8 +207,10 @@ static inline int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
        /* Policy lookup after SNAT yielded a new policy */
-        if (skb->dst->xfrm != NULL)
+        if (skb->dst->xfrm != NULL) {
-                return xfrm4_output_finish(skb);
+                IPCB(skb)->flags |= IPSKB_REROUTED;
+                return dst_output(skb);
+        }
 #endif
        if (skb->len > dst_mtu(skb->dst) &&
            !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
@@ -271,8 +273,9 @@ int ip_mc_output(struct sk_buff *skb)
                                newskb->dev, ip_dev_loopback_xmit);
        }
-        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
+        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
-                       ip_finish_output);
+                            ip_finish_output,
+                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 int ip_output(struct sk_buff *skb)
@@ -284,8 +287,9 @@ int ip_output(struct sk_buff *skb)
        skb->dev = dev;
        skb->protocol = htons(ETH_P_IP);
-        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
+        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
-                       ip_finish_output);
+                            ip_finish_output,
+                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index e5cbe72c6b80..03d13742a4b8 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -622,7 +622,8 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        skb->h.raw = skb->nh.raw;
        skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE|IPSKB_XFRM_TRANSFORMED);
+        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+                              IPSKB_REROUTED);
        dst_release(skb->dst);
        skb->dst = &rt->u.dst;
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 52a3d7c57907..ed42cdc57cd9 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -78,6 +78,47 @@ int ip_route_me_harder(struct sk_buff **pskb)
 }
 EXPORT_SYMBOL(ip_route_me_harder);
+#ifdef CONFIG_XFRM
+int ip_xfrm_me_harder(struct sk_buff **pskb)
+{
+        struct flowi fl;
+        unsigned int hh_len;
+        struct dst_entry *dst;
+        if (IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)
+                return 0;
+        if (xfrm_decode_session(*pskb, &fl, AF_INET) < 0)
+                return -1;
+        dst = (*pskb)->dst;
+        if (dst->xfrm)
+                dst = ((struct xfrm_dst *)dst)->route;
+        dst_hold(dst);
+        if (xfrm_lookup(&dst, &fl, (*pskb)->sk, 0) < 0)
+                return -1;
+        dst_release((*pskb)->dst);
+        (*pskb)->dst = dst;
+        /* Change in oif may mean change in hh_len. */
+        hh_len = (*pskb)->dst->dev->hard_header_len;
+        if (skb_headroom(*pskb) < hh_len) {
+                struct sk_buff *nskb;
+                nskb = skb_realloc_headroom(*pskb, hh_len);
+                if (!nskb)
+                        return -1;
+                if ((*pskb)->sk)
+                        skb_set_owner_w(nskb, (*pskb)->sk);
+                kfree_skb(*pskb);
+                *pskb = nskb;
+        }
+        return 0;
+}
+EXPORT_SYMBOL(ip_xfrm_me_harder);
+#endif
 void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(ip_nat_decode_session);
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index 92c54999a19d..7c3f7d380240 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -235,19 +235,19 @@ ip_nat_out(unsigned int hooknum,
                return NF_ACCEPT;
        ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
+#ifdef CONFIG_XFRM
        if (ret != NF_DROP && ret != NF_STOLEN
            && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
                if (ct->tuplehash[dir].tuple.src.ip !=
                    ct->tuplehash[!dir].tuple.dst.ip
-#ifdef CONFIG_XFRM
                    || ct->tuplehash[dir].tuple.src.u.all !=
                       ct->tuplehash[!dir].tuple.dst.u.all
-#endif
                    )
-                        return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+                        return ip_xfrm_me_harder(pskb) == 0 ? ret : NF_DROP;
        }
+#endif
        return ret;
 }
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 167619f638c6..6c8624a54933 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -529,15 +529,10 @@ static int init_or_cleanup(int init)
                goto cleanup_localinops;
        }
 #endif
-        /* For use by REJECT target */
-        ip_ct_attach = __nf_conntrack_attach;
        return ret;
 cleanup:
        synchronize_net();
-        ip_ct_attach = NULL;
 #ifdef CONFIG_SYSCTL
        unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
 cleanup_localinops:
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index d4df0ddd424b..32ad229b4fed 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -152,10 +152,16 @@ error_nolock:
        goto out_exit;
 }
-int xfrm4_output_finish(struct sk_buff *skb)
+static int xfrm4_output_finish(struct sk_buff *skb)
 {
        int err;
+#ifdef CONFIG_NETFILTER
+        if (!skb->dst->xfrm) {
+                IPCB(skb)->flags |= IPSKB_REROUTED;
+                return dst_output(skb);
+        }
+#endif
        while (likely((err = xfrm4_output_one(skb)) == 0)) {
                nf_reset(skb);
@@ -178,6 +184,7 @@ int xfrm4_output_finish(struct sk_buff *skb)
 int xfrm4_output(struct sk_buff *skb)
 {
-        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
+        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
-                       xfrm4_output_finish);
+                            xfrm4_output_finish,
+                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }