Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2d89c68a authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_nat: change sequence number adjustments to 32 bits 



Using 16 bits is too small, when many adjustments happen the offsets might
overflow and break the connection.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 0658cdc8

include/linux/netfilter.h

+1 −1
Original line number Diff line number Diff line
@@ -330,7 +330,7 @@ extern struct nfq_ct_hook __rcu *nfq_ct_hook; 


struct nfq_ct_nat_hook {

	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,

			   u32 ctinfo, int off);

			   u32 ctinfo, s32 off);

};

extern struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook;

#else

include/net/netfilter/nf_conntrack.h

+1 −1
Original line number Diff line number Diff line
@@ -234,7 +234,7 @@ static inline bool nf_ct_kill(struct nf_conn *ct) 
}



/* These are for NAT.  Icky. */

extern s16 (*nf_ct_nat_offset)(const struct nf_conn *ct,

extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,

			       enum ip_conntrack_dir dir,

			       u32 seq);

include/net/netfilter/nf_nat.h

+1 −1
Original line number Diff line number Diff line
@@ -19,7 +19,7 @@ struct nf_nat_seq { 
	u_int32_t correction_pos;



	/* sequence number offset before and after last modification */

	int16_t offset_before, offset_after;

	int32_t offset_before, offset_after;

};



#include <linux/list.h>

include/net/netfilter/nf_nat_helper.h

+3 −3
Original line number Diff line number Diff line
@@ -41,7 +41,7 @@ extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, 


extern void nf_nat_set_seq_adjust(struct nf_conn *ct,

				  enum ip_conntrack_info ctinfo,

				  __be32 seq, s16 off);

				  __be32 seq, s32 off);

extern int nf_nat_seq_adjust(struct sk_buff *skb,

			     struct nf_conn *ct,

			     enum ip_conntrack_info ctinfo,
@@ -56,11 +56,11 @@ extern int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb, 
extern void nf_nat_follow_master(struct nf_conn *ct,

				 struct nf_conntrack_expect *this);



extern s16 nf_nat_get_offset(const struct nf_conn *ct,

extern s32 nf_nat_get_offset(const struct nf_conn *ct,

			     enum ip_conntrack_dir dir,

			     u32 seq);



extern void nf_nat_tcp_seq_adjust(struct sk_buff *skb, struct nf_conn *ct,

				  u32 dir, int off);

				  u32 dir, s32 off);



#endif

net/netfilter/nf_conntrack_core.c

+1 −1
Original line number Diff line number Diff line
@@ -1695,7 +1695,7 @@ int nf_conntrack_init_net(struct net *net) 
	return ret;

}



s16 (*nf_ct_nat_offset)(const struct nf_conn *ct,

s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,

			enum ip_conntrack_dir dir,

			u32 seq);

EXPORT_SYMBOL_GPL(nf_ct_nat_offset);