2 files changed, 44 insertions, 3 deletions
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 52a3d7c57907..ed42cdc57cd9 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -78,6 +78,47 @@ int ip_route_me_harder(struct sk_buff **pskb)
 }
 EXPORT_SYMBOL(ip_route_me_harder);
+#ifdef CONFIG_XFRM
+int ip_xfrm_me_harder(struct sk_buff **pskb)
+{
+        struct flowi fl;
+        unsigned int hh_len;
+        struct dst_entry *dst;
+        if (IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)
+                return 0;
+        if (xfrm_decode_session(*pskb, &fl, AF_INET) < 0)
+                return -1;
+        dst = (*pskb)->dst;
+        if (dst->xfrm)
+                dst = ((struct xfrm_dst *)dst)->route;
+        dst_hold(dst);
+        if (xfrm_lookup(&dst, &fl, (*pskb)->sk, 0) < 0)
+                return -1;
+        dst_release((*pskb)->dst);
+        (*pskb)->dst = dst;
+        /* Change in oif may mean change in hh_len. */
+        hh_len = (*pskb)->dst->dev->hard_header_len;
+        if (skb_headroom(*pskb) < hh_len) {
+                struct sk_buff *nskb;
+                nskb = skb_realloc_headroom(*pskb, hh_len);
+                if (!nskb)
+                        return -1;
+                if ((*pskb)->sk)
+                        skb_set_owner_w(nskb, (*pskb)->sk);
+                kfree_skb(*pskb);
+                *pskb = nskb;
+        }
+        return 0;
+}
+EXPORT_SYMBOL(ip_xfrm_me_harder);
+#endif
 void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(ip_nat_decode_session);
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index 92c54999a19d..7c3f7d380240 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -235,19 +235,19 @@ ip_nat_out(unsigned int hooknum,
                return NF_ACCEPT;
        ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
+#ifdef CONFIG_XFRM
        if (ret != NF_DROP && ret != NF_STOLEN
            && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
                if (ct->tuplehash[dir].tuple.src.ip !=
                    ct->tuplehash[!dir].tuple.dst.ip
-#ifdef CONFIG_XFRM
                    || ct->tuplehash[dir].tuple.src.u.all !=
                       ct->tuplehash[!dir].tuple.dst.u.all
-#endif
                    )
-                        return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+                        return ip_xfrm_me_harder(pskb) == 0 ? ret : NF_DROP;
        }
+#endif
        return ret;
 }

diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c index 52a3d7c57907..ed42cdc57cd9 100644 --- a/net/ipv4/netfilter.c +++ b/net/ipv4/netfilter.c
@@ -78,6 +78,47 @@ int ip_route_me_harder(struct sk_buff **pskb)
78	}	78	}
79	EXPORT_SYMBOL(ip_route_me_harder);	79	EXPORT_SYMBOL(ip_route_me_harder);
80		80
		81	#ifdef CONFIG_XFRM
		82	int ip_xfrm_me_harder(struct sk_buff **pskb)
		83	{
		84	struct flowi fl;
		85	unsigned int hh_len;
		86	struct dst_entry *dst;
		87
		88	if (IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)
		89	return 0;
		90	if (xfrm_decode_session(*pskb, &fl, AF_INET) < 0)
		91	return -1;
		92
		93	dst = (*pskb)->dst;
		94	if (dst->xfrm)
		95	dst = ((struct xfrm_dst *)dst)->route;
		96	dst_hold(dst);
		97
		98	if (xfrm_lookup(&dst, &fl, (*pskb)->sk, 0) < 0)
		99	return -1;
		100
		101	dst_release((*pskb)->dst);
		102	(*pskb)->dst = dst;
		103
		104	/* Change in oif may mean change in hh_len. */
		105	hh_len = (*pskb)->dst->dev->hard_header_len;
		106	if (skb_headroom(*pskb) < hh_len) {
		107	struct sk_buff *nskb;
		108
		109	nskb = skb_realloc_headroom(*pskb, hh_len);
		110	if (!nskb)
		111	return -1;
		112	if ((*pskb)->sk)
		113	skb_set_owner_w(nskb, (*pskb)->sk);
		114	kfree_skb(*pskb);
		115	*pskb = nskb;
		116	}
		117	return 0;
		118	}
		119	EXPORT_SYMBOL(ip_xfrm_me_harder);
		120	#endif
		121
81	void (ip_nat_decode_session)(struct sk_buff , struct flowi *);	122	void (ip_nat_decode_session)(struct sk_buff , struct flowi *);
82	EXPORT_SYMBOL(ip_nat_decode_session);	123	EXPORT_SYMBOL(ip_nat_decode_session);
83		124


diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c index 92c54999a19d..7c3f7d380240 100644 --- a/net/ipv4/netfilter/ip_nat_standalone.c +++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -235,19 +235,19 @@ ip_nat_out(unsigned int hooknum,
235	return NF_ACCEPT;	235	return NF_ACCEPT;
236		236
237	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);	237	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
		238	#ifdef CONFIG_XFRM
238	if (ret != NF_DROP && ret != NF_STOLEN	239	if (ret != NF_DROP && ret != NF_STOLEN
239	&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {	240	&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
240	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);	241	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
241		242
242	if (ct->tuplehash[dir].tuple.src.ip !=	243	if (ct->tuplehash[dir].tuple.src.ip !=
243	ct->tuplehash[!dir].tuple.dst.ip	244	ct->tuplehash[!dir].tuple.dst.ip
244	#ifdef CONFIG_XFRM
245	\|\| ct->tuplehash[dir].tuple.src.u.all !=	245	\|\| ct->tuplehash[dir].tuple.src.u.all !=
246	ct->tuplehash[!dir].tuple.dst.u.all	246	ct->tuplehash[!dir].tuple.dst.u.all
247	#endif
248	)	247	)
249	return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;	248	return ip_xfrm_me_harder(pskb) == 0 ? ret : NF_DROP;
250	}	249	}
		250	#endif
251	return ret;	251	return ret;
252	}	252	}
253		253