[NETFILTER]: Apply PRE_ROUTING manips in LOCAL_OUT for locally generated icmp errors

Locally generated ICMP errors never hit PRE_ROUTING. Fixes invalid addressed ICMP errors for SNATed packets. Signed-off-by: Patrick McHardy <kaber@trash.net>

[NETFILTER]: Apply PRE_ROUTING manips in LOCAL_OUT for locally generated icmp errors
Locally generated ICMP errors never hit PRE_ROUTING. Fixes invalid addressed ICMP errors for SNATed packets. Signed-off-by: Patrick McHardy <kaber@trash.net>
8aad8a72 · Patrick McHardy · David S. Miller · 50cce6d2 · 8aad8a72
Commit 8aad8a72 authored Nov 27, 2004 by Patrick McHardy Committed by David S. Miller Nov 27, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

net/ipv4/netfilter/ip_nat_core.c net/ipv4/netfilter/ip_nat_core.c +8 -0

No files found.
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -880,6 +880,14 @@ icmp_reply_translation(struct sk_buff **pskb,
 		/* Mapping the inner packet is just like a normal packet, except
 		 * it was never src/dst reversed, so where we would normally
 		 * apply a dst manip, we apply a src, and vice versa. */
+
+		/* Only true for forwarded packets, locally generated packets
+		 * never hit PRE_ROUTING, we need to apply their PRE_ROUTING
+		 * manips in LOCAL_OUT. */
+		if (hooknum == NF_IP_LOCAL_OUT &&
+		    info->manips[i].hooknum == NF_IP_PRE_ROUTING)
+			hooknum = info->manips[i].hooknum;
+
 		if (info->manips[i].hooknum != hooknum)
 			continue;