Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=848c29fd648e78fa87d0e399223826ce5dfc1b7a
Commit:     848c29fd648e78fa87d0e399223826ce5dfc1b7a
Parent:     ca8fbb859c42c9a402c5c19fd0588d89ae4988ba
Author:     Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Thu Mar 22 12:30:29 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Thu Mar 22 12:30:29 2007 -0700

    [NETFILTER]: nat: avoid rerouting packets if only XFRM policy key changed
    
    Currently NAT not only reroutes packets in the OUTPUT chain when the
    routing key changed, but also if only the non-routing part of the
    IPsec policy key changed. This breaks ping -I since it doesn't use
    SO_BINDTODEVICE but IP_PKTINFO cmsg to specify the output device, and
    this information is lost.
    
    Only do full rerouting if the routing key changed, and just do a new
    policy lookup with the old route if only the ports changed.
    
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/ipv4/netfilter/ip_nat_standalone.c |   15 +++++++++------
 net/ipv4/netfilter/nf_nat_standalone.c |   14 ++++++++------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/netfilter/ip_nat_standalone.c 
b/net/ipv4/netfilter/ip_nat_standalone.c
index adf25f9..6bcfdf6 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -253,14 +253,17 @@ ip_nat_local_fn(unsigned int hooknum,
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
                if (ct->tuplehash[dir].tuple.dst.ip !=
-                   ct->tuplehash[!dir].tuple.src.ip
-#ifdef CONFIG_XFRM
-                   || ct->tuplehash[dir].tuple.dst.u.all !=
-                      ct->tuplehash[!dir].tuple.src.u.all
-#endif
-                   )
+                   ct->tuplehash[!dir].tuple.src.ip) {
                        if (ip_route_me_harder(pskb, RTN_UNSPEC))
                                ret = NF_DROP;
+               }
+#ifdef CONFIG_XFRM
+               else if (ct->tuplehash[dir].tuple.dst.u.all !=
+                        ct->tuplehash[!dir].tuple.src.u.all)
+                       if (ip_xfrm_me_harder(pskb))
+                               ret = NF_DROP;
+#endif
+
        }
        return ret;
 }
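Review bot: The new `else if` under `#ifdef CONFIG_XFRM` has an unbraced body that is itself an `if`, so any later `else` appended after `ret = NF_DROP;` would silently bind to the inner `ip_xfrm_me_harder()` test rather than the port-compare — the classic dangling-else trap, made harder to spot because the `#ifdef`/`#endif` sit between the `}` and the `else`. Since the preceding `if` branch is already braced, brace this one the same way: change line 49 to `ct->tuplehash[!dir].tuple.src.u.all) {` and add a closing `}` before `#endif`. The same pattern appears in the nf_nat_standalone.c hunk (nf_nat_local_fn), which should get the identical treatment so the two copies stay in step. This hunk also inserts a stray blank line after `#endif` that the nf_nat_standalone.c hunk does not; drop it for consistency. ip_nat_local_fn begins outside the hunk, so the surrounding `if` that declares `dir` is not visible here.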
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c 
b/net/ipv4/netfilter/nf_nat_standalone.c
index e4d3ef1..15aa3db 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -245,14 +245,16 @@ nf_nat_local_fn(unsigned int hooknum,
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
                if (ct->tuplehash[dir].tuple.dst.u3.ip !=
-                   ct->tuplehash[!dir].tuple.src.u3.ip
-#ifdef CONFIG_XFRM
-                   || ct->tuplehash[dir].tuple.dst.u.all !=
-                      ct->tuplehash[!dir].tuple.src.u.all
-#endif
-                   )
+                   ct->tuplehash[!dir].tuple.src.u3.ip) {
                        if (ip_route_me_harder(pskb, RTN_UNSPEC))
                                ret = NF_DROP;
+               }
+#ifdef CONFIG_XFRM
+               else if (ct->tuplehash[dir].tuple.dst.u.all !=
+                        ct->tuplehash[!dir].tuple.src.u.all)
+                       if (ip_xfrm_me_harder(pskb))
+                               ret = NF_DROP;
+#endif
        }
        return ret;
 }