Commit c72d3796 authored by Harald Welte's avatar Harald Welte Committed by Patrick McHardy

[NETFILTER]: LOCAL_OUT NAT fix.

the 25_natcore-nohelper.patch (incorporated in 2.4.22) did not actually make
things better.  If a NAT rule was matched, num_manips can still be 0.
However, some helpers (like PPTP) need to _always mangle the packets,
even if there is no NAT mapping for a particular connection.
On the other hand, as soon as CONFIG_IP_NF_LOCAL_NAT was disabled,
we did end up half-mangling local (non-NAT'ed) connections.  This patch
removes the LOCAL_OUT hook from the NAT core unless CONFIG_IP_NF_NAT_LOCAL
is enabled.
parent 7674d511
...@@ -761,11 +761,6 @@ do_bindings(struct ip_conntrack *ct, ...@@ -761,11 +761,6 @@ do_bindings(struct ip_conntrack *ct,
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
int proto = (*pskb)->nh.iph->protocol; int proto = (*pskb)->nh.iph->protocol;
/* Skip everything and don't call helpers if there are no
* manips for this connection */
if (info->num_manips == 0)
return NF_ACCEPT;
/* Need nat lock to protect against modification, but neither /* Need nat lock to protect against modification, but neither
conntrack (referenced) and helper (deleted with conntrack (referenced) and helper (deleted with
synchronize_bh()) can vanish. */ synchronize_bh()) can vanish. */
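Review bot: With the `info->num_manips == 0` early return deleted, a NAT-tracked connection that has no mappings now falls through to the rest of do_bindings, including the helper call the removed comment referred to, and nothing in the code says why that is intended; the deleted comment stated the opposite. A one-line comment in its place would stop the next maintainer from reinstating the shortcut, e.g. `/* No shortcut for num_manips == 0: helpers (e.g. PPTP) must see every packet even without a NAT mapping. */`. The reason is only in the commit message today. do_bindings's body continues outside the hunk, so whether the zero-manip case is handled safely further down cannot be confirmed from here.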
...@@ -199,6 +199,7 @@ ip_nat_out(unsigned int hooknum, ...@@ -199,6 +199,7 @@ ip_nat_out(unsigned int hooknum,
return ip_nat_fn(hooknum, pskb, in, out, okfn); return ip_nat_fn(hooknum, pskb, in, out, okfn);
} }
#ifdef CONFIG_IP_NF_NAT_LOCAL
static unsigned int static unsigned int
ip_nat_local_fn(unsigned int hooknum, ip_nat_local_fn(unsigned int hooknum,
struct sk_buff **pskb, struct sk_buff **pskb,
...@@ -224,6 +225,7 @@ ip_nat_local_fn(unsigned int hooknum, ...@@ -224,6 +225,7 @@ ip_nat_local_fn(unsigned int hooknum,
return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP; return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
return ret; return ret;
} }
#endif
/* We must be after connection tracking and before packet filtering. */ /* We must be after connection tracking and before packet filtering. */
...@@ -245,6 +247,7 @@ static struct nf_hook_ops ip_nat_out_ops = { ...@@ -245,6 +247,7 @@ static struct nf_hook_ops ip_nat_out_ops = {
.priority = NF_IP_PRI_NAT_SRC, .priority = NF_IP_PRI_NAT_SRC,
}; };
#ifdef CONFIG_IP_NF_NAT_LOCAL
/* Before packet filtering, change destination */ /* Before packet filtering, change destination */
static struct nf_hook_ops ip_nat_local_out_ops = { static struct nf_hook_ops ip_nat_local_out_ops = {
.hook = ip_nat_local_fn, .hook = ip_nat_local_fn,
...@@ -254,7 +257,7 @@ static struct nf_hook_ops ip_nat_local_out_ops = { ...@@ -254,7 +257,7 @@ static struct nf_hook_ops ip_nat_local_out_ops = {
.priority = NF_IP_PRI_NAT_DST, .priority = NF_IP_PRI_NAT_DST,
}; };
#ifdef CONFIG_IP_NF_NAT_LOCAL /* After packet filtering, change source for reply packets of LOCAL_OUT DNAT */
static struct nf_hook_ops ip_nat_local_in_ops = { static struct nf_hook_ops ip_nat_local_in_ops = {
.hook = ip_nat_fn, .hook = ip_nat_fn,
.owner = THIS_MODULE, .owner = THIS_MODULE,
...@@ -324,12 +327,12 @@ static int init_or_cleanup(int init) ...@@ -324,12 +327,12 @@ static int init_or_cleanup(int init)
printk("ip_nat_init: can't register out hook.\n"); printk("ip_nat_init: can't register out hook.\n");
goto cleanup_inops; goto cleanup_inops;
} }
#ifdef CONFIG_IP_NF_NAT_LOCAL
ret = nf_register_hook(&ip_nat_local_out_ops); ret = nf_register_hook(&ip_nat_local_out_ops);
if (ret < 0) { if (ret < 0) {
printk("ip_nat_init: can't register local out hook.\n"); printk("ip_nat_init: can't register local out hook.\n");
goto cleanup_outops; goto cleanup_outops;
} }
#ifdef CONFIG_IP_NF_NAT_LOCAL
ret = nf_register_hook(&ip_nat_local_in_ops); ret = nf_register_hook(&ip_nat_local_in_ops);
if (ret < 0) { if (ret < 0) {
printk("ip_nat_init: can't register local in hook.\n"); printk("ip_nat_init: can't register local in hook.\n");
...@@ -342,9 +345,9 @@ static int init_or_cleanup(int init) ...@@ -342,9 +345,9 @@ static int init_or_cleanup(int init)
#ifdef CONFIG_IP_NF_NAT_LOCAL #ifdef CONFIG_IP_NF_NAT_LOCAL
nf_unregister_hook(&ip_nat_local_in_ops); nf_unregister_hook(&ip_nat_local_in_ops);
cleanup_localoutops: cleanup_localoutops:
#endif
nf_unregister_hook(&ip_nat_local_out_ops); nf_unregister_hook(&ip_nat_local_out_ops);
cleanup_outops: cleanup_outops:
#endif
nf_unregister_hook(&ip_nat_out_ops); nf_unregister_hook(&ip_nat_out_ops);
cleanup_inops: cleanup_inops:
nf_unregister_hook(&ip_nat_in_ops); nf_unregister_hook(&ip_nat_in_ops);
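Review bot: In the cleanup hunk the `cleanup_outops:` label now sits inside the `#ifdef CONFIG_IP_NF_NAT_LOCAL` block, so it is defined only when local NAT is built in. The only `goto cleanup_outops` visible in this section is itself under the same `#ifdef`, which is consistent, but the part of init_or_cleanup between the two hunks is not shown, and any jump to that label from unconditional code there would no longer compile without the option. Wrapping goto labels in preprocessor conditionals is easy to get wrong on the next edit, so the constraint should be spelled out at the label: `cleanup_outops: /* only reachable from the CONFIG_IP_NF_NAT_LOCAL registration path above */`. init_or_cleanup starts and ends outside the hunks.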