From patchwork Wed Dec 12 23:49:27 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Collins <bsderandrew@gmail.com>
X-Patchwork-Id: 205692
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 323CD2C0095
	for <patchwork-incoming@ozlabs.org>;
	Thu, 13 Dec 2012 10:49:41 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755187Ab2LLXth (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 12 Dec 2012 18:49:37 -0500
Received: from mail-da0-f46.google.com ([209.85.210.46]:40930 "EHLO
	mail-da0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754860Ab2LLXtg (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 12 Dec 2012 18:49:36 -0500
Received: by mail-da0-f46.google.com with SMTP id p5so457167dak.19
	for <multiple recipients>; Wed, 12 Dec 2012 15:49:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:subject:date:message-id:x-mailer;
	bh=A4agAVg9U+QRa4RGAjlanTyVxexFx/yXkyBT6Ve8IVk=;
	b=GDdRhTLQgJ9mlLreCHOZzR3Sk7S02Xjz1mrT0Oyx38ewX35N/HApWr7gWgd+3OhSUN
	6i21YYXEYteRj3f4c/v8W0puVmJ10VNwvvZjHUQ4dlJISia8gvRIz9u+iZhauyZabxRW
	JvGufgb/1kh+A4EZeFoVS8vRdDMSkPxNkRnQUfNU/qp2Bk8lJCYapbufqDRcO2SDbTZS
	nSKhibOF98nte2dleJQgp+M0lRz7PondrtC1yk5nyEhM/5axpFCTfXNPuQNp9kO8Sg90
	50J9k8XxprxDtXJN0H7PkeZFUjHGjUJx1Wrio3RCasa//IyW+C1vgdnomD4rZH/doqR3
	OuaQ==
Received: by 10.66.87.133 with SMTP id ay5mr707138pab.59.1355356175837;
	Wed, 12 Dec 2012 15:49:35 -0800 (PST)
Received: from localhost.localdomain ([64.128.89.190])
	by mx.google.com with ESMTPS id o1sm93165paw.0.2012.12.12.15.49.35
	(version=TLSv1/SSLv3 cipher=OTHER);
	Wed, 12 Dec 2012 15:49:35 -0800 (PST)
From: Andrew Collins <bsderandrew@gmail.com>
To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
	kadlec@blackhole.kfki.hu
Subject: [PATCH] netfilter: nf_nat: Also handle non-ESTABLISHED routing
	changes in MASQUERADE
Date: Wed, 12 Dec 2012 16:49:27 -0700
Message-Id: <1355356167-10397-1-git-send-email-bsderandrew@gmail.com>
X-Mailer: git-send-email 1.7.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The MASQUERADE target now handles routing changes which affect
the output interface of a connection, but only for ESTABLISHED
connections.  It is also possible for NEW connections which
already have a conntrack entry to be affected by routing changes.

This adds a check to drop entries in the NEW+conntrack state
when the oif has changed.

Signed-off-by: Andrew Collins <bsderandrew@gmail.com>
---
 net/ipv4/netfilter/iptable_nat.c |   15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index da2c8a3..eeaff7e 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -124,23 +124,28 @@ nf_nat_ipv4_fn(unsigned int hooknum,
 			ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
 			if (ret != NF_ACCEPT)
 				return ret;
-		} else
+		} else {
 			pr_debug("Already setup manip %s for ct %p\n",
 				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
 				 ct);
+			if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+				goto oif_changed;
+		}
 		break;
 
 	default:
 		/* ESTABLISHED */
 		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
 			     ctinfo == IP_CT_ESTABLISHED_REPLY);
-		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
-			nf_ct_kill_acct(ct, ctinfo, skb);
-			return NF_DROP;
-		}
+		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+			goto oif_changed;
 	}
 
 	return nf_nat_packet(ct, ctinfo, hooknum, skb);
+
+oif_changed:
+	nf_ct_kill_acct(ct, ctinfo, skb);
+	return NF_DROP;
 }
 
 static unsigned int