From patchwork Thu Dec 13 00:23:49 2012
X-Patchwork-Submitter: Andrew Collins
X-Patchwork-Id: 205697
From: Andrew Collins
To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, kadlec@blackhole.kfki.hu
Subject: [PATCH v2] netfilter: nf_nat: Also handle non-ESTABLISHED routing changes in MASQUERADE
Date: Wed, 12 Dec 2012 17:23:49 -0700
Message-Id: <1355358229-25167-1-git-send-email-bsderandrew@gmail.com>
X-Mailer: git-send-email 1.7.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

The MASQUERADE target now handles routing changes which affect the output interface of a connection, but only for ESTABLISHED connections. It is also possible for NEW connections which already have a conntrack entry to be affected by routing changes. This adds a check to drop entries in the NEW+conntrack state when the oif has changed.

Signed-off-by: Andrew Collins
Acked-by: Jozsef Kadlecsik
---
 net/ipv4/netfilter/iptable_nat.c  | 15 ++++++++++-----
 net/ipv6/netfilter/ip6table_nat.c | 15 ++++++++++-----
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c index da2c8a3..eeaff7e 100644 --- a/net/ipv4/netfilter/iptable_nat.c +++ b/net/ipv4/netfilter/iptable_nat.c @@ -124,23 +124,28 @@ nf_nat_ipv4_fn(unsigned int hooknum, ret = nf_nat_rule_find(skb, hooknum, in, out, ct); if (ret != NF_ACCEPT) return ret; - } else + } else { pr_debug("Already setup manip %s for ct %p\n", maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", ct); + if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) + goto oif_changed; + } break; default: /* ESTABLISHED */ NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY); - if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) { - nf_ct_kill_acct(ct, ctinfo, skb); - return NF_DROP; - } + if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) + goto oif_changed; } return nf_nat_packet(ct, ctinfo, hooknum, skb); + +oif_changed: + nf_ct_kill_acct(ct, ctinfo, skb); + return NF_DROP; } static unsigned int 
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c index 6c8ae24..e0e788d 100644 --- a/net/ipv6/netfilter/ip6table_nat.c +++ b/net/ipv6/netfilter/ip6table_nat.c @@ -127,23 +127,28 @@ nf_nat_ipv6_fn(unsigned int hooknum, ret = nf_nat_rule_find(skb, hooknum, in, out, ct); if (ret != NF_ACCEPT) return ret; - } else + } else { pr_debug("Already setup manip %s for ct %p\n", maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", ct); + if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) + goto oif_changed; + } break; default: /* ESTABLISHED */ NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY); - if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) { - nf_ct_kill_acct(ct, ctinfo, skb); - return NF_DROP; - } + if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) + goto oif_changed; } return nf_nat_packet(ct, ctinfo, hooknum, skb); + +oif_changed: + nf_ct_kill_acct(ct, ctinfo, skb); + return NF_DROP; } static unsigned int
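Review bot: the new `oif_changed:` label in nf_nat_ipv4_fn() deserves a one-line comment explaining why the whole conntrack entry is killed with nf_ct_kill_acct() rather than only dropping the packet: the entry's NAT mapping was chosen for an output interface that no longer applies, so the entry has to go for the next packet to pick up a fresh mapping. As written, the shared exit path after `return nf_nat_packet(ct, ctinfo, hooknum, skb);` reads as an unexplained place to destroy state; something like `/* mapping was set up for a stale output interface: drop the entry so the next packet is re-NATed */` above the label would make the intent, and the reason both the NEW "Already setup manip" branch and the ESTABLISHED branch jump there, clear to the next reader.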
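Review bot: the ip6table_nat.c hunk is identical to the iptable_nat.c hunk apart from the function name and the @@ line offsets, down to the `goto oif_changed;` in the "Already setup manip" branch, the rewritten ESTABLISHED check and the shared `oif_changed:` label. Any later change to this handling (for instance which ctinfo states it should cover) now has to be applied in two places in lockstep; consider hoisting the check-and-kill into a helper used by both nf_nat_ipv4_fn() and nf_nat_ipv6_fn(), or at least noting in the changelog that the two files are intentionally kept identical so a reviewer of a future one-sided fix knows to look for the other copy.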