[NETFILTER]: LOCAL_OUT NAT fix.

the 25_natcore-nohelper.patch (incorporated in 2.4.22) did actually make things not better. If a NAT rule was matched, num_manips can still be 0. However, some helpers (like PPTP) need to _always mangle the packets, even if there is no NAT mapping for a particular connection. On the other hand, as soon as CONFIG_IP_NF_LOCAL_NAT was disabled, we did end up half-mangling local (non-NAT'ed) connections. This patch removes the LOCAL_OUT hook from the NAT core unless CONFIG_IP_NF_NAT_LOCAL is enabled.

[NETFILTER]: LOCAL_OUT NAT fix.
the 25_natcore-nohelper.patch (incorporated in 2.4.22) did actually make things not better. If a NAT rule was matched, num_manips can still be 0. However, some helpers (like PPTP) need to _always mangle the packets, even if there is no NAT mapping for a particular connection. On the other hand, as soon as CONFIG_IP_NF_LOCAL_NAT was disabled, we did end up half-mangling local (non-NAT'ed) connections. This patch removes the LOCAL_OUT hook from the NAT core unless CONFIG_IP_NF_NAT_LOCAL is enabled.
c72d3796 · Harald Welte · Patrick McHardy · 7674d511 · c72d3796 · c72d3796
Commit c72d3796 authored Oct 02, 2003 by Harald Welte Committed by Patrick McHardy Oct 02, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 8 deletions

net/ipv4/netfilter/ip_nat_core.c net/ipv4/netfilter/ip_nat_core.c +0 -5

net/ipv4/netfilter/ip_nat_standalone.c net/ipv4/netfilter/ip_nat_standalone.c +6 -3

No files found.
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -761,11 +761,6 @@ do_bindings(struct ip_conntrack *ct,
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	int proto = (*pskb)->nh.iph->protocol;

-	/* Skip everything and don't call helpers if there are no
-	 * manips for this connection */
-	if (info->num_manips == 0)
-		return NF_ACCEPT;
-
 	/* Need nat lock to protect against modification, but neither
 	   conntrack (referenced) and helper (deleted with
 	   synchronize_bh()) can vanish. */

--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -199,6 +199,7 @@ ip_nat_out(unsigned int hooknum,
 	return ip_nat_fn(hooknum, pskb, in, out, okfn);
 }

+#ifdef CONFIG_IP_NF_NAT_LOCAL
 static unsigned int
 ip_nat_local_fn(unsigned int hooknum,
 		struct sk_buff **pskb,
@@ -224,6 +225,7 @@ ip_nat_local_fn(unsigned int hooknum,
 		return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
 	return ret;
 }
+#endif

 /* We must be after connection tracking and before packet filtering. */

@@ -245,6 +247,7 @@ static struct nf_hook_ops ip_nat_out_ops = {
 	.priority	= NF_IP_PRI_NAT_SRC,
 };

+#ifdef CONFIG_IP_NF_NAT_LOCAL
 /* Before packet filtering, change destination */
 static struct nf_hook_ops ip_nat_local_out_ops = {
 	.hook		= ip_nat_local_fn,
@@ -254,7 +257,7 @@ static struct nf_hook_ops ip_nat_local_out_ops = {
 	.priority	= NF_IP_PRI_NAT_DST,
 };

-#ifdef CONFIG_IP_NF_NAT_LOCAL
+/* After packet filtering, change source for reply packets of LOCAL_OUT DNAT */
 static struct nf_hook_ops ip_nat_local_in_ops = {
 	.hook		= ip_nat_fn,
 	.owner		= THIS_MODULE,
@@ -324,12 +327,12 @@ static int init_or_cleanup(int init)
 		printk("ip_nat_init: can't register out hook.\n");
 		goto cleanup_inops;
 	}
+#ifdef CONFIG_IP_NF_NAT_LOCAL
 	ret = nf_register_hook(&ip_nat_local_out_ops);
 	if (ret < 0) {
 		printk("ip_nat_init: can't register local out hook.\n");
 		goto cleanup_outops;
 	}
-#ifdef CONFIG_IP_NF_NAT_LOCAL
 	ret = nf_register_hook(&ip_nat_local_in_ops);
 	if (ret < 0) {
 		printk("ip_nat_init: can't register local in hook.\n");
@@ -342,9 +345,9 @@ static int init_or_cleanup(int init)
 #ifdef CONFIG_IP_NF_NAT_LOCAL
 	nf_unregister_hook(&ip_nat_local_in_ops);
 cleanup_localoutops:
-#endif
 	nf_unregister_hook(&ip_nat_local_out_ops);
 cleanup_outops:
+#endif
 	nf_unregister_hook(&ip_nat_out_ops);
 cleanup_inops:
 	nf_unregister_hook(&ip_nat_in_ops);