diff options
author | Ulrich Weber | 2012-10-25 00:34:45 -0500 |
---|---|---|
committer | Greg Kroah-Hartman | 2012-11-26 13:34:54 -0600 |
commit | 328325bf4fe39db557c2ea012a69b764734f27e5 (patch) | |
tree | 36fb0950745d9a28e2993d2fa67cf84a7e68ad96 /net | |
parent | 9e8b32b0a0e7981f157b2073dd4c6f354340c3e6 (diff) | |
download | kernel-common-328325bf4fe39db557c2ea012a69b764734f27e5.tar.gz kernel-common-328325bf4fe39db557c2ea012a69b764734f27e5.tar.xz kernel-common-328325bf4fe39db557c2ea012a69b764734f27e5.zip |
netfilter: nf_nat: don't check for port change on ICMP tuples
commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
ICMP tuples have id in src and type/code in dst.
So comparing src.u.all with dst.u.all will always fail here
and ip_xfrm_me_harder() is called for every ICMP packet,
even if there was no NAT.
Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 483b76d042d..b2c3ed7d7ab 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum, | |||
194 | 194 | ||
195 | if ((ct->tuplehash[dir].tuple.src.u3.ip != | 195 | if ((ct->tuplehash[dir].tuple.src.u3.ip != |
196 | ct->tuplehash[!dir].tuple.dst.u3.ip) || | 196 | ct->tuplehash[!dir].tuple.dst.u3.ip) || |
197 | (ct->tuplehash[dir].tuple.src.u.all != | 197 | (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP && |
198 | ct->tuplehash[dir].tuple.src.u.all != | ||
198 | ct->tuplehash[!dir].tuple.dst.u.all) | 199 | ct->tuplehash[!dir].tuple.dst.u.all) |
199 | ) | 200 | ) |
200 | return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP; | 201 | return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP; |
@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum, | |||
230 | ret = NF_DROP; | 231 | ret = NF_DROP; |
231 | } | 232 | } |
232 | #ifdef CONFIG_XFRM | 233 | #ifdef CONFIG_XFRM |
233 | else if (ct->tuplehash[dir].tuple.dst.u.all != | 234 | else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP && |
235 | ct->tuplehash[dir].tuple.dst.u.all != | ||
234 | ct->tuplehash[!dir].tuple.src.u.all) | 236 | ct->tuplehash[!dir].tuple.src.u.all) |
235 | if (ip_xfrm_me_harder(skb)) | 237 | if (ip_xfrm_me_harder(skb)) |
236 | ret = NF_DROP; | 238 | ret = NF_DROP; |