From patchwork Thu Oct 25 15:34:45 2012
X-Patchwork-Submitter: Ulrich Weber
X-Patchwork-Id: 194243
Date: Thu, 25 Oct 2012 17:34:45 +0200
From: Ulrich Weber
Subject: [PATCH] nf_nat: don't check for port change on ICMP tuples
Message-ID: <20121025153445.GA22403@uweber-WS>
X-Mailing-List: netfilter-devel@vger.kernel.org

ICMP tuples have id in src and type/code in dst. So comparing src.u.all with dst.u.all will always fail here and ip_xfrm_me_harder() is called for every ICMP packet, even if there was no NAT...

Signed-off-by: Ulrich Weber
---
 net/ipv4/netfilter/iptable_nat.c  | 4 +++-
 net/ipv6/netfilter/ip6table_nat.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c index 9e0ffaf..a820472 100644 --- a/net/ipv4/netfilter/iptable_nat.c +++ b/net/ipv4/netfilter/iptable_nat.c @@ -184,7 +184,8 @@ nf_nat_ipv4_out(unsigned int hooknum, if ((ct->tuplehash[dir].tuple.src.u3.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) || - (ct->tuplehash[dir].tuple.src.u.all != + (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP && + ct->tuplehash[dir].tuple.src.u.all != ct->tuplehash[!dir].tuple.dst.u.all)) if (nf_xfrm_me_harder(skb, AF_INET) < 0) ret = NF_DROP; @@ -221,6 +222,7 @@ nf_nat_ipv4_local_fn(unsigned int hooknum, } #ifdef CONFIG_XFRM else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) && + ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP && ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all) if (nf_xfrm_me_harder(skb, AF_INET) < 0)
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c index e418bd6..d57dab1 100644 --- a/net/ipv6/netfilter/ip6table_nat.c +++ b/net/ipv6/netfilter/ip6table_nat.c @@ -186,7 +186,8 @@ nf_nat_ipv6_out(unsigned int hooknum, if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &ct->tuplehash[!dir].tuple.dst.u3) || - (ct->tuplehash[dir].tuple.src.u.all != + (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && + ct->tuplehash[dir].tuple.src.u.all != ct->tuplehash[!dir].tuple.dst.u.all)) if (nf_xfrm_me_harder(skb, AF_INET6) < 0) ret = NF_DROP; @@ -222,6 +223,7 @@ nf_nat_ipv6_local_fn(unsigned int hooknum, } #ifdef CONFIG_XFRM else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && + ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all) if (nf_xfrm_me_harder(skb, AF_INET6))
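Review bot: the commit message names ip_xfrm_me_harder(), but every call site in both files of the diff is nf_xfrm_me_harder(); please update the message to the function that is actually called so the log matches the code.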
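Review bot: in the nf_nat_ipv4_out hunk the new `ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&` guard drops the L4 compare for ICMP entirely, so an ICMP id rewrite with an unchanged address no longer reaches nf_xfrm_me_harder(). Since the commit message says the id lives in src for ICMP tuples, the field that would actually detect an id change is `ct->tuplehash[dir].tuple.src.u.all` against `ct->tuplehash[!dir].tuple.src.u.all`; either compare that in the ICMP case, or state in the commit message that an id change does not affect the xfrm re-lookup, so the skip reads as deliberate rather than as a lost check.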
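Review bot: the nf_nat_ipv4_local_fn hunk adds the same `dst.protonum != IPPROTO_ICMP` guard a second time, and the IPv6 file repeats it twice more with IPPROTO_ICMPV6, so the protocol special-case now lives in four places. A small per-family helper taking the two tuples and returning whether the L4 part changed would keep the ICMP rule in one spot; the local_fn variant also compares `dst.u.all` with the other direction's `src.u.all`, which for ICMP is type/code against id, the same mismatch the commit message describes, so the helper would cover both orderings.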
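Review bot: the context line `if (nf_xfrm_me_harder(skb, AF_INET6))` closing the nf_nat_ipv6_local_fn hunk tests the return value as a plain boolean, while the other three hunks use `< 0`. This predates the patch, but since the condition feeding it is being changed here anyway, making it `if (nf_xfrm_me_harder(skb, AF_INET6) < 0)` would keep the four call sites consistent.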
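An added example (my own code, not part of this patch or of the kernel tree) that models the two tuple unions the commit message describes and evaluates the nf_nat_ipv4_out() condition before and after the patch on constructed flows. The union layout, the invert() helper, make_conn() and the sample addresses are simplifications assumed for the example; the two check functions are transcribed from the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_ICMP, IPPROTO_TCP */
#include <arpa/inet.h>    /* htons */

/* Cut-down model of struct nf_conntrack_tuple (example code, not the kernel
 * definition): only what the patched condition reads. It keeps the property
 * the commit message relies on: src.u.all overlays the ICMP id, dst.u.all
 * overlays the ICMP type/code byte pair. */
union man_proto { uint16_t all; struct { uint16_t port; } tcp; struct { uint16_t id; } icmp; };
union dst_proto { uint16_t all; struct { uint16_t port; } tcp; struct { uint8_t type, code; } icmp; };
struct tuple {
	struct { uint32_t ip; union man_proto u; } src;
	struct { uint32_t ip; union dst_proto u; uint8_t protonum; } dst;
};
enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };
struct conn { struct tuple t[2]; };  /* t[dir] stands in for ct->tuplehash[dir].tuple */

/* Invert a tuple (assumed behaviour): swap addresses; ICMP keeps its id in
 * src and maps echo request (8) <-> echo reply (0); TCP swaps the ports. */
static struct tuple invert(const struct tuple *o)
{
	struct tuple r;
	memset(&r, 0, sizeof r);
	r.src.ip = o->dst.ip;
	r.dst.ip = o->src.ip;
	r.dst.protonum = o->dst.protonum;
	if (o->dst.protonum == IPPROTO_ICMP) {
		r.src.u.icmp.id = o->src.u.icmp.id;
		r.dst.u.icmp.type = o->dst.u.icmp.type == 8 ? 0 : 8;
		r.dst.u.icmp.code = o->dst.u.icmp.code;
	} else {
		r.src.u.tcp.port = o->dst.u.tcp.port;
		r.dst.u.tcp.port = o->src.u.tcp.port;
	}
	return r;
}

/* Build a connection from its original-direction tuple. With snat set, the
 * source address and id/port are rewritten first; the reply tuple is the
 * inverse of the rewritten tuple, which is what NAT setup leaves behind. */
static struct conn make_conn(struct tuple orig, bool snat, uint32_t new_src_ip, uint16_t new_src_all)
{
	struct conn ct;
	struct tuple mangled = orig;
	if (snat) {
		mangled.src.ip = new_src_ip;
		mangled.src.u.all = new_src_all;
	}
	ct.t[IP_CT_DIR_ORIGINAL] = orig;
	ct.t[IP_CT_DIR_REPLY] = invert(&mangled);
	return ct;
}

/* Condition from nf_nat_ipv4_out() before the patch. */
static bool needs_reroute_old(const struct conn *ct, int dir)
{
	return ct->t[dir].src.ip != ct->t[!dir].dst.ip ||
	       ct->t[dir].src.u.all != ct->t[!dir].dst.u.all;
}

/* Same condition with the patch applied: no u.all compare for ICMP. */
static bool needs_reroute_new(const struct conn *ct, int dir)
{
	return ct->t[dir].src.ip != ct->t[!dir].dst.ip ||
	       (ct->t[dir].dst.protonum != IPPROTO_ICMP &&
		ct->t[dir].src.u.all != ct->t[!dir].dst.u.all);
}

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))

/* Constructed sample flows (documentation address ranges). */
static struct tuple icmp_echo(uint32_t src, uint32_t dst, uint16_t id)
{
	struct tuple t;
	memset(&t, 0, sizeof t);
	t.src.ip = src; t.dst.ip = dst; t.dst.protonum = IPPROTO_ICMP;
	t.src.u.icmp.id = htons(id);
	t.dst.u.icmp.type = 8; t.dst.u.icmp.code = 0;   /* echo request */
	return t;
}
static struct tuple tcp_flow(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
	struct tuple t;
	memset(&t, 0, sizeof t);
	t.src.ip = src; t.dst.ip = dst; t.dst.protonum = IPPROTO_TCP;
	t.src.u.tcp.port = htons(sport);
	t.dst.u.tcp.port = htons(dport);
	return t;
}
struct conn case_icmp_plain(void)    { return make_conn(icmp_echo(IP(192,0,2,10), IP(198,51,100,1), 0x1234), false, 0, 0); }
struct conn case_icmp_snat(void)     { return make_conn(icmp_echo(IP(192,0,2,10), IP(198,51,100,1), 0x1234), true, IP(203,0,113,1), htons(0x5678)); }
struct conn case_icmp_id_only(void)  { return make_conn(icmp_echo(IP(192,0,2,10), IP(198,51,100,1), 0x1234), true, IP(192,0,2,10), htons(0x5678)); }
struct conn case_tcp_plain(void)     { return make_conn(tcp_flow(IP(192,0,2,10), 40000, IP(198,51,100,1), 443), false, 0, 0); }
struct conn case_tcp_port_only(void) { return make_conn(tcp_flow(IP(192,0,2,10), 40000, IP(198,51,100,1), 443), true, IP(192,0,2,10), htons(41000)); }

/* Evaluate a case in the original direction with either condition. */
bool old_fires(struct conn (*mk)(void)) { struct conn c = mk(); return needs_reroute_old(&c, IP_CT_DIR_ORIGINAL); }
bool new_fires(struct conn (*mk)(void)) { struct conn c = mk(); return needs_reroute_new(&c, IP_CT_DIR_ORIGINAL); }

int main(void)
{
	struct { const char *name; struct conn (*mk)(void); } cases[] = {
		{ "icmp, no NAT", case_icmp_plain }, { "icmp, SNAT ip+id", case_icmp_snat },
		{ "icmp, id only", case_icmp_id_only }, { "tcp, no NAT", case_tcp_plain },
		{ "tcp, port only", case_tcp_port_only },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-18s old=%d new=%d\n", cases[i].name, old_fires(cases[i].mk), new_fires(cases[i].mk));
	return 0;
}
```

Run as-is with gcc: the pre-patch condition reports a reroute for every ICMP case, including the echo that was never NATed, because the id bytes are compared against the type/code bytes; the patched condition fires for ICMP only when the address changed. The third case shows the trade-off the patch makes: an id-only rewrite is no longer reported, which is exactly the "don't check for port change on ICMP tuples" behaviour the subject line asks for. TCP is unaffected either way.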