diff options
| author |   Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2012-11-30 12:37:26 +0000 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2012-12-03 15:14:20 +0100 |
| commit | a0ecb85a2c3af73c63b6d44ce82aea52347ccf55 (patch) | |
| tree | 41b54a39fabf0bda2bf3ea601154b36076d7b1d6 /include/net/netfilter | |
| parent | netfilter: ctnetlink: nla_policy updates (diff) | |
| download | linux-dev-a0ecb85a2c3af73c63b6d44ce82aea52347ccf55.tar.xz linux-dev-a0ecb85a2c3af73c63b6d44ce82aea52347ccf55.zip | |
netfilter: nf_nat: Handle routing changes in MASQUERADE target
When the route changes (backup default route, VPNs) which affect a
masqueraded target, the packets were sent out with the outdated source
address. The patch addresses the issue by comparing the outgoing interface
directly with the masqueraded interface in the nat table.
Events are inefficient in this case, because it'd require adding route
events to the network core and then scanning the whole conntrack table
and re-checking the route for all entry.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net/netfilter')
| -rw-r--r-- | include/net/netfilter/nf_nat.h | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h index bd8eea720f2e..ad14a799fd2e 100644 --- a/include/net/netfilter/nf_nat.h +++ b/include/net/netfilter/nf_nat.h @@ -68,4 +68,19 @@ static inline struct nf_conn_nat *nfct_nat(const struct nf_conn *ct) #endif } +static inline bool nf_nat_oif_changed(unsigned int hooknum, + enum ip_conntrack_info ctinfo, + struct nf_conn_nat *nat, + const struct net_device *out) +{ +#if IS_ENABLED(CONFIG_IP_NF_TARGET_MASQUERADE) || \ + IS_ENABLED(CONFIG_IP6_NF_TARGET_MASQUERADE) + return nat->masq_index && hooknum == NF_INET_POST_ROUTING && + CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL && + nat->masq_index != out->ifindex; +#else + return false; +#endif +} + #endif |