Commit 9a08ecfe authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: don't attach a nat extension by default

nowadays the NAT extension only stores the interface index
(used to purge connections that got masqueraded when interface goes down)
and pptp nat information.

Previous patches moved nf_ct_nat_ext_add to those places that need it.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 2fe7c321
...@@ -67,7 +67,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum, ...@@ -67,7 +67,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
{ {
#if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \ #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \
IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6) IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
return nat->masq_index && hooknum == NF_INET_POST_ROUTING && return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&
nat->masq_index != out->ifindex; nat->masq_index != out->ifindex;
#else #else
......
...@@ -264,9 +264,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb, ...@@ -264,9 +264,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb,
if (!ct) if (!ct)
return NF_ACCEPT; return NF_ACCEPT;
nat = nf_ct_nat_ext_add(ct); nat = nfct_nat(ct);
if (nat == NULL)
return NF_ACCEPT;
switch (ctinfo) { switch (ctinfo) {
case IP_CT_RELATED: case IP_CT_RELATED:
......
...@@ -273,9 +273,7 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb, ...@@ -273,9 +273,7 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
if (!ct) if (!ct)
return NF_ACCEPT; return NF_ACCEPT;
nat = nf_ct_nat_ext_add(ct); nat = nfct_nat(ct);
if (nat == NULL)
return NF_ACCEPT;
switch (ctinfo) { switch (ctinfo) {
case IP_CT_RELATED: case IP_CT_RELATED:
......
...@@ -408,12 +408,6 @@ nf_nat_setup_info(struct nf_conn *ct, ...@@ -408,12 +408,6 @@ nf_nat_setup_info(struct nf_conn *ct,
enum nf_nat_manip_type maniptype) enum nf_nat_manip_type maniptype)
{ {
struct nf_conntrack_tuple curr_tuple, new_tuple; struct nf_conntrack_tuple curr_tuple, new_tuple;
struct nf_conn_nat *nat;
/* nat helper or nfctnetlink also setup binding */
nat = nf_ct_nat_ext_add(ct);
if (nat == NULL)
return NF_ACCEPT;
NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC || NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
maniptype == NF_NAT_MANIP_DST); maniptype == NF_NAT_MANIP_DST);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment