1 From 38fe36a248ec3228f8e6507955d7ceb0432d2000 Mon Sep 17 00:00:00 2001
2 From: Ulrich Weber <ulrich.weber@sophos.com>
3 Date: Thu, 25 Oct 2012 05:34:45 +0000
4 Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
6 From: Ulrich Weber <ulrich.weber@sophos.com>
8 commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
10 ICMP tuples have id in src and type/code in dst.
11 So comparing src.u.all with dst.u.all will always fail here
12 and ip_xfrm_me_harder() is called for every ICMP packet,
13 even if there was no NAT.
15 Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
16 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
17 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21 net/ipv4/netfilter/nf_nat_standalone.c | 6 ++++--
22 1 file changed, 4 insertions(+), 2 deletions(-)
24 --- a/net/ipv4/netfilter/nf_nat_standalone.c
25 +++ b/net/ipv4/netfilter/nf_nat_standalone.c
26 @@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
28 if ((ct->tuplehash[dir].tuple.src.u3.ip !=
29 ct->tuplehash[!dir].tuple.dst.u3.ip) ||
30 - (ct->tuplehash[dir].tuple.src.u.all !=
31 + (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
32 + ct->tuplehash[dir].tuple.src.u.all !=
33 ct->tuplehash[!dir].tuple.dst.u.all)
35 return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
36 @@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
40 - else if (ct->tuplehash[dir].tuple.dst.u.all !=
41 + else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
42 + ct->tuplehash[dir].tuple.dst.u.all !=
43 ct->tuplehash[!dir].tuple.src.u.all)
44 if (ip_xfrm_me_harder(skb))
projects / thirdparty / kernel / stable-queue.git / blob