[NETFILTER]: Use conntrack information to determine if packet was NATed (4e8e9de7) · Commits · e / devices / android_kernel_fairphone_FP3

net/ipv4/netfilter/ip_nat_standalone.c

+19 −15

Original line number	Diff line number	Diff line
		@@ -162,19 +162,21 @@ ip_nat_in(unsigned int hooknum,
		const struct net_device *out,
		int (okfn)(struct sk_buff ))
		{
		u_int32_t saddr, daddr;
		struct ip_conntrack *ct;
		enum ip_conntrack_info ctinfo;
		unsigned int ret;

		saddr = (*pskb)->nh.iph->saddr;
		daddr = (*pskb)->nh.iph->daddr;

		ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
		if (ret != NF_DROP && ret != NF_STOLEN
		&& ((*pskb)->nh.iph->saddr != saddr
		\|\| (*pskb)->nh.iph->daddr != daddr)) {
		&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

		if (ct->tuplehash[dir].tuple.src.ip !=
		ct->tuplehash[!dir].tuple.dst.ip) {
		dst_release((*pskb)->dst);
		(*pskb)->dst = NULL;
		}
		}
		return ret;
		}

		@@ -200,7 +202,8 @@ ip_nat_local_fn(unsigned int hooknum,
		const struct net_device *out,
		int (okfn)(struct sk_buff ))
		{
		u_int32_t saddr, daddr;
		struct ip_conntrack *ct;
		enum ip_conntrack_info ctinfo;
		unsigned int ret;

		/* root is playing with raw sockets. */
		@@ -208,14 +211,15 @@ ip_nat_local_fn(unsigned int hooknum,
		\|\| (pskb)->nh.iph->ihl 4 < sizeof(struct iphdr))
		return NF_ACCEPT;

		saddr = (*pskb)->nh.iph->saddr;
		daddr = (*pskb)->nh.iph->daddr;

		ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
		if (ret != NF_DROP && ret != NF_STOLEN
		&& ((*pskb)->nh.iph->saddr != saddr
		\|\| (*pskb)->nh.iph->daddr != daddr))
		&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

		if (ct->tuplehash[dir].tuple.dst.ip !=
		ct->tuplehash[!dir].tuple.src.ip)
		return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
		}
		return ret;
		}