Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9a08ecfe authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: don't attach a nat extension by default 



nowadays the NAT extension only stores the interface index
(used to purge connections that got masqueraded when interface goes down)
and pptp nat information.

Previous patches moved nf_ct_nat_ext_add to those places that need it.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 2fe7c321

include/net/netfilter/nf_nat.h

+1 −1
Original line number Diff line number Diff line
@@ -67,7 +67,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum, 
{

#if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \

    IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)

	return nat->masq_index && hooknum == NF_INET_POST_ROUTING &&

	return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING &&

	       CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&

	       nat->masq_index != out->ifindex;

#else

net/ipv4/netfilter/nf_nat_l3proto_ipv4.c

+1 −3
Original line number Diff line number Diff line
@@ -264,9 +264,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb, 
	if (!ct)

		return NF_ACCEPT;



	nat = nf_ct_nat_ext_add(ct);

	if (nat == NULL)

		return NF_ACCEPT;

	nat = nfct_nat(ct);



	switch (ctinfo) {

	case IP_CT_RELATED:

net/ipv6/netfilter/nf_nat_l3proto_ipv6.c

+1 −3
Original line number Diff line number Diff line
@@ -273,9 +273,7 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb, 
	if (!ct)

		return NF_ACCEPT;



	nat = nf_ct_nat_ext_add(ct);

	if (nat == NULL)

		return NF_ACCEPT;

	nat = nfct_nat(ct);



	switch (ctinfo) {

	case IP_CT_RELATED:

net/netfilter/nf_nat_core.c

+0 −6
Original line number Diff line number Diff line
@@ -408,12 +408,6 @@ nf_nat_setup_info(struct nf_conn *ct, 
		  enum nf_nat_manip_type maniptype)

{

	struct nf_conntrack_tuple curr_tuple, new_tuple;

	struct nf_conn_nat *nat;



	/* nat helper or nfctnetlink also setup binding */

	nat = nf_ct_nat_ext_add(ct);

	if (nat == NULL)

		return NF_ACCEPT;



	NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||

		     maniptype == NF_NAT_MANIP_DST);