Diffstat (limited to 'net')
-rw-r--r-- | net/core/skbuff.c | 10 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_nat_core.c | 18 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_nat_standalone.c | 16 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 2 |
4 files changed, 17 insertions, 29 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 6766f118f070..2144952d1c6c 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
@@ -411,6 +411,9 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask) | |||
411 | C(pkt_type); | 411 | C(pkt_type); |
412 | C(ip_summed); | 412 | C(ip_summed); |
413 | C(priority); | 413 | C(priority); |
414 | #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) | ||
415 | C(ipvs_property); | ||
416 | #endif | ||
414 | C(protocol); | 417 | C(protocol); |
415 | n->destructor = NULL; | 418 | n->destructor = NULL; |
416 | #ifdef CONFIG_NETFILTER | 419 | #ifdef CONFIG_NETFILTER |
@@ -422,13 +425,6 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask) | |||
422 | C(nfct_reasm); | 425 | C(nfct_reasm); |
423 | nf_conntrack_get_reasm(skb->nfct_reasm); | 426 | nf_conntrack_get_reasm(skb->nfct_reasm); |
424 | #endif | 427 | #endif |
425 | #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) | ||
426 | C(ipvs_property); | ||
427 | #endif | ||
428 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | ||
429 | C(nfct_reasm); | ||
430 | nf_conntrack_get_reasm(skb->nfct_reasm); | ||
431 | #endif | ||
432 | #ifdef CONFIG_BRIDGE_NETFILTER | 428 | #ifdef CONFIG_BRIDGE_NETFILTER |
433 | C(nf_bridge); | 429 | C(nf_bridge); |
434 | nf_bridge_get(skb->nf_bridge); | 430 | nf_bridge_get(skb->nf_bridge); |
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c index c1a61462507f..1741d555ad0d 100644 --- a/net/ipv4/netfilter/ip_nat_core.c +++ b/net/ipv4/netfilter/ip_nat_core.c | |||
@@ -434,6 +434,7 @@ int ip_nat_icmp_reply_translation(struct sk_buff **pskb, | |||
434 | } *inside; | 434 | } *inside; |
435 | struct ip_conntrack_tuple inner, target; | 435 | struct ip_conntrack_tuple inner, target; |
436 | int hdrlen = (*pskb)->nh.iph->ihl * 4; | 436 | int hdrlen = (*pskb)->nh.iph->ihl * 4; |
437 | unsigned long statusbit; | ||
437 | 438 | ||
438 | if (!skb_make_writable(pskb, hdrlen + sizeof(*inside))) | 439 | if (!skb_make_writable(pskb, hdrlen + sizeof(*inside))) |
439 | return 0; | 440 | return 0; |
@@ -495,17 +496,16 @@ int ip_nat_icmp_reply_translation(struct sk_buff **pskb, | |||
495 | 496 | ||
496 | /* Change outer to look the reply to an incoming packet | 497 | /* Change outer to look the reply to an incoming packet |
497 | * (proto 0 means don't invert per-proto part). */ | 498 | * (proto 0 means don't invert per-proto part). */ |
499 | if (manip == IP_NAT_MANIP_SRC) | ||
500 | statusbit = IPS_SRC_NAT; | ||
501 | else | ||
502 | statusbit = IPS_DST_NAT; | ||
498 | 503 | ||
499 | /* Obviously, we need to NAT destination IP, but source IP | 504 | /* Invert if this is reply dir. */ |
500 | should be NAT'ed only if it is from a NAT'd host. | 505 | if (dir == IP_CT_DIR_REPLY) |
506 | statusbit ^= IPS_NAT_MASK; | ||
501 | 507 | ||
502 | Explanation: some people use NAT for anonymizing. Also, | 508 | if (ct->status & statusbit) { |
503 | CERT recommends dropping all packets from private IP | ||
504 | addresses (although ICMP errors from internal links with | ||
505 | such addresses are not too uncommon, as Alan Cox points | ||
506 | out) */ | ||
507 | if (manip != IP_NAT_MANIP_SRC | ||
508 | || ((*pskb)->nh.iph->saddr == ct->tuplehash[dir].tuple.src.ip)) { | ||
509 | invert_tuplepr(&target, &ct->tuplehash[!dir].tuple); | 509 | invert_tuplepr(&target, &ct->tuplehash[!dir].tuple); |
510 | if (!manip_pkt(0, pskb, 0, &target, manip)) | 510 | if (!manip_pkt(0, pskb, 0, &target, manip)) |
511 | return 0; | 511 | return 0; |
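Review bot: The rationale the dropped comment carried at old lines 499-506 (why the outer source address was rewritten only for a NATed host) is gone, and the replacement test `if (ct->status & statusbit)` at new line 508 has no comment saying what now decides the rewrite. Suggest above `if (manip == IP_NAT_MANIP_SRC)` at new line 499: `/* Rewrite the outer header only if this conntrack was actually NATed in the manipulated direction; the SRC/DST status bit is flipped for the reply direction. */`. The `statusbit ^= IPS_NAT_MASK` step presumably relies on IPS_NAT_MASK being exactly the two bits IPS_SRC_NAT|IPS_DST_NAT, which is worth stating in that comment so a later change to the mask is caught. ip_nat_icmp_reply_translation begins before the first hunk and ends after the second.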
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c index 7c3f7d380240..ab1f88fa21ec 100644 --- a/net/ipv4/netfilter/ip_nat_standalone.c +++ b/net/ipv4/netfilter/ip_nat_standalone.c | |||
@@ -200,20 +200,14 @@ ip_nat_in(unsigned int hooknum, | |||
200 | const struct net_device *out, | 200 | const struct net_device *out, |
201 | int (*okfn)(struct sk_buff *)) | 201 | int (*okfn)(struct sk_buff *)) |
202 | { | 202 | { |
203 | struct ip_conntrack *ct; | ||
204 | enum ip_conntrack_info ctinfo; | ||
205 | unsigned int ret; | 203 | unsigned int ret; |
204 | u_int32_t daddr = (*pskb)->nh.iph->daddr; | ||
206 | 205 | ||
207 | ret = ip_nat_fn(hooknum, pskb, in, out, okfn); | 206 | ret = ip_nat_fn(hooknum, pskb, in, out, okfn); |
208 | if (ret != NF_DROP && ret != NF_STOLEN | 207 | if (ret != NF_DROP && ret != NF_STOLEN |
209 | && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) { | 208 | && daddr != (*pskb)->nh.iph->daddr) { |
210 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 209 | dst_release((*pskb)->dst); |
211 | 210 | (*pskb)->dst = NULL; | |
212 | if (ct->tuplehash[dir].tuple.dst.ip != | ||
213 | ct->tuplehash[!dir].tuple.src.ip) { | ||
214 | dst_release((*pskb)->dst); | ||
215 | (*pskb)->dst = NULL; | ||
216 | } | ||
217 | } | 211 | } |
218 | return ret; | 212 | return ret; |
219 | } | 213 | } |
@@ -276,7 +270,7 @@ ip_nat_local_fn(unsigned int hooknum, | |||
276 | ct->tuplehash[!dir].tuple.src.ip | 270 | ct->tuplehash[!dir].tuple.src.ip |
277 | #ifdef CONFIG_XFRM | 271 | #ifdef CONFIG_XFRM |
278 | || ct->tuplehash[dir].tuple.dst.u.all != | 272 | || ct->tuplehash[dir].tuple.dst.u.all != |
279 | ct->tuplehash[dir].tuple.src.u.all | 273 | ct->tuplehash[!dir].tuple.src.u.all |
280 | #endif | 274 | #endif |
281 | ) | 275 | ) |
282 | return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; | 276 | return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; |
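Review bot: The new dst-drop condition in ip_nat_in (new lines 204-210) needs a comment, because the reader has to infer that `daddr` is captured before the ip_nat_fn call so that a DNAT rewrite of the destination can be detected and the now-stale route in `(*pskb)->dst` released for a fresh lookup. Suggest at new line 204: `/* Snapshot daddr: if ip_nat_fn DNATs the packet, the cached route no longer matches and must be dropped. */`. The comparison deliberately re-reads through `*pskb` after the call, presumably because ip_nat_fn can replace the skb (skb_make_writable is visible in the neighbouring file); a word on that in the same comment would keep someone from "simplifying" it to the local copy. The ip_nat_local_fn hunk at the end of this section is cut at both edges, so only its corrected `[!dir]` comparison is visible.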
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 98ec53bd3ac7..5e6b05ac1260 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -885,8 +885,6 @@ restart: | |||
885 | * We can't enlist stable bundles either. | 885 | * We can't enlist stable bundles either. |
886 | */ | 886 | */ |
887 | write_unlock_bh(&policy->lock); | 887 | write_unlock_bh(&policy->lock); |
888 | |||
889 | xfrm_pol_put(policy); | ||
890 | if (dst) | 888 | if (dst) |
891 | dst_free(dst); | 889 | dst_free(dst); |
892 | 890 | ||