Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c7af6483 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso
Browse files

netfilter: Pass net into nf_xfrm_me_harder 



Instead of calling dev_net on a likley looking network device
pass state->net into nf_xfrm_me_harder.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 06198b34

include/net/netfilter/nf_nat_core.h

+1 −1
Original line number Diff line number Diff line
@@ -10,7 +10,7 @@ 
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,

			   unsigned int hooknum, struct sk_buff *skb);



int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family);

int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family);



static inline int nf_nat_initialized(struct nf_conn *ct,

				     enum nf_nat_manip_type manip)

net/ipv4/netfilter/nf_nat_l3proto_ipv4.c

+2 −2
Original line number Diff line number Diff line
@@ -396,7 +396,7 @@ nf_nat_ipv4_out(void *priv, struct sk_buff *skb, 
		    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&

		     ct->tuplehash[dir].tuple.src.u.all !=

		     ct->tuplehash[!dir].tuple.dst.u.all)) {

			err = nf_xfrm_me_harder(skb, AF_INET);

			err = nf_xfrm_me_harder(state->net, skb, AF_INET);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}
@@ -440,7 +440,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb, 
			 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&

			 ct->tuplehash[dir].tuple.dst.u.all !=

			 ct->tuplehash[!dir].tuple.src.u.all) {

			err = nf_xfrm_me_harder(skb, AF_INET);

			err = nf_xfrm_me_harder(state->net, skb, AF_INET);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

net/ipv6/netfilter/nf_nat_l3proto_ipv6.c

+2 −2
Original line number Diff line number Diff line
@@ -403,7 +403,7 @@ nf_nat_ipv6_out(void *priv, struct sk_buff *skb, 
		    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&

		     ct->tuplehash[dir].tuple.src.u.all !=

		     ct->tuplehash[!dir].tuple.dst.u.all)) {

			err = nf_xfrm_me_harder(skb, AF_INET6);

			err = nf_xfrm_me_harder(state->net, skb, AF_INET6);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}
@@ -446,7 +446,7 @@ nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb, 
			 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&

			 ct->tuplehash[dir].tuple.dst.u.all !=

			 ct->tuplehash[!dir].tuple.src.u.all) {

			err = nf_xfrm_me_harder(skb, AF_INET6);

			err = nf_xfrm_me_harder(state->net, skb, AF_INET6);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}

net/netfilter/nf_nat_core.c

+2 −2
Original line number Diff line number Diff line
@@ -83,7 +83,7 @@ static void __nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl) 
	rcu_read_unlock();

}



int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family)

int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)

{

	struct flowi fl;

	unsigned int hh_len;
@@ -99,7 +99,7 @@ int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family) 
		dst = ((struct xfrm_dst *)dst)->route;

	dst_hold(dst);



	dst = xfrm_lookup(dev_net(dst->dev), dst, &fl, skb->sk, 0);

	dst = xfrm_lookup(net, dst, &fl, skb->sk, 0);

	if (IS_ERR(dst))

		return PTR_ERR(dst);