
Commit 848c29fd authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: nat: avoid rerouting packets if only XFRM policy key changed



Currently NAT not only reroutes packets in the OUTPUT chain when the
routing key changed, but also when only the non-routing part of the
IPsec policy key changed. This breaks ping -I, which specifies the
output device through an IP_PKTINFO cmsg rather than SO_BINDTODEVICE,
and that information is lost when the packet is rerouted.

Only do full rerouting if the routing key changed, and just do a new
policy lookup with the old route if only the ports changed.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ca8fbb85
+9 −6
@@ -253,15 +253,18 @@ ip_nat_local_fn(unsigned int hooknum,
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);


		if (ct->tuplehash[dir].tuple.dst.ip !=
		if (ct->tuplehash[dir].tuple.dst.ip !=
		    ct->tuplehash[!dir].tuple.src.ip
		    ct->tuplehash[!dir].tuple.src.ip) {
#ifdef CONFIG_XFRM
		    || ct->tuplehash[dir].tuple.dst.u.all !=
		       ct->tuplehash[!dir].tuple.src.u.all
#endif
		    )
			if (ip_route_me_harder(pskb, RTN_UNSPEC))
			if (ip_route_me_harder(pskb, RTN_UNSPEC))
				ret = NF_DROP;
				ret = NF_DROP;
		}
		}
#ifdef CONFIG_XFRM
		else if (ct->tuplehash[dir].tuple.dst.u.all !=
			 ct->tuplehash[!dir].tuple.src.u.all)
			if (ip_xfrm_me_harder(pskb))
				ret = NF_DROP;
#endif

	}
	return ret;
	return ret;
}
}
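Review bot: The new `#ifdef CONFIG_XFRM` branch after the closing brace nests an unbraced `if (ip_xfrm_me_harder(pskb))` under an unbraced `else if`; it is correct as written, but bracing the `else if` body would match the braced `if` above it and keep a later edit from attaching to the wrong conditional. The reason the two tests are now separate is also not visible in the code: rerouting only when the address differs keeps the output device chosen via cmsg, while a port-only difference needs only a fresh policy lookup on the existing route, so a comment such as `/* Reroute only if the routing key changed; a port-only change just needs a new XFRM policy lookup on the existing route. */` above the `if` would record it. Both branches set `ret = NF_DROP` when the helper returns non-zero, which looks like the right fail-closed outcome for a NAT'd packet whose policy lookup or reroute did not succeed. ip_nat_local_fn begins before the hunk; the same points apply to the nf_nat_local_fn hunk below.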


+8 −6
@@ -245,15 +245,17 @@ nf_nat_local_fn(unsigned int hooknum,
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);


		if (ct->tuplehash[dir].tuple.dst.u3.ip !=
		if (ct->tuplehash[dir].tuple.dst.u3.ip !=
		    ct->tuplehash[!dir].tuple.src.u3.ip
		    ct->tuplehash[!dir].tuple.src.u3.ip) {
#ifdef CONFIG_XFRM
		    || ct->tuplehash[dir].tuple.dst.u.all !=
		       ct->tuplehash[!dir].tuple.src.u.all
#endif
		    )
			if (ip_route_me_harder(pskb, RTN_UNSPEC))
			if (ip_route_me_harder(pskb, RTN_UNSPEC))
				ret = NF_DROP;
				ret = NF_DROP;
		}
		}
#ifdef CONFIG_XFRM
		else if (ct->tuplehash[dir].tuple.dst.u.all !=
			 ct->tuplehash[!dir].tuple.src.u.all)
			if (ip_xfrm_me_harder(pskb))
				ret = NF_DROP;
#endif
	}
	return ret;
	return ret;
}
}