]> err.no Git - linux-2.6/commitdiff
[NETFILTER]: Fix outgoing redirects to loopback
authorPatrick McHardy <kaber@trash.net>
Mon, 20 Feb 2006 06:29:47 +0000 (22:29 -0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 20 Feb 2006 06:29:47 +0000 (22:29 -0800)
When redirecting an outgoing packet to loopback, it keeps the original
conntrack reference and information from the outgoing path, which
falsely triggers the check for DNAT on input and the dst_entry is
released to trigger rerouting. ip_route_input refuses to route the
packet because it has a local source address and it is dropped.

Look at the packet itself to dermine if it was NATed. Also fix a
missing inversion that causes unneccesary xfrm lookups.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ip_nat_standalone.c

index 7c3f7d380240b6fd1b00f90f9dfd87cea0b7b9b3..ab1f88fa21ecd24f6e5738d42d6397e17bd4f499 100644 (file)
@@ -200,20 +200,14 @@ ip_nat_in(unsigned int hooknum,
           const struct net_device *out,
           int (*okfn)(struct sk_buff *))
 {
-       struct ip_conntrack *ct;
-       enum ip_conntrack_info ctinfo;
        unsigned int ret;
+       u_int32_t daddr = (*pskb)->nh.iph->daddr;
 
        ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
        if (ret != NF_DROP && ret != NF_STOLEN
-           && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
-               enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-
-               if (ct->tuplehash[dir].tuple.dst.ip !=
-                   ct->tuplehash[!dir].tuple.src.ip) {
-                       dst_release((*pskb)->dst);
-                       (*pskb)->dst = NULL;
-               }
+           && daddr != (*pskb)->nh.iph->daddr) {
+               dst_release((*pskb)->dst);
+               (*pskb)->dst = NULL;
        }
        return ret;
 }
@@ -276,7 +270,7 @@ ip_nat_local_fn(unsigned int hooknum,
                    ct->tuplehash[!dir].tuple.src.ip
 #ifdef CONFIG_XFRM
                    || ct->tuplehash[dir].tuple.dst.u.all !=
-                      ct->tuplehash[dir].tuple.src.u.all
+                      ct->tuplehash[!dir].tuple.src.u.all
 #endif
                    )
                        return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;