Patchwork netfilter: Remove warn_if_extra_mangle

Submitter Simon Arlott
Date Nov. 3, 2008, 9:51 p.m.
Message ID <490F727C.6020705@simon.arlott.org.uk>
Permalink /patch/7002/
State Not Applicable
Delegated to: David Miller

Comments

Simon Arlott - Nov. 3, 2008, 9:51 p.m.
In net/ipv4/netfilter/nf_nat_rule.c, the function warn_if_extra_mangle was added 
in commit 5b1158e909ecbe1a052203e0d8df15633f829930 (2006-12-02). I have a DNAT 
target in the OUTPUT chain that changes connections with dst 2.0.0.1 to another
address which I'll substitute with 66.102.9.99 below.

On every boot I get the following message:
[  146.252505] NAT: no longer support implicit source local NAT
[  146.252517] NAT: packet src 66.102.9.99 -> dst 2.0.0.1

As far as I can tell from reading the function doing this, it should warn if the 
source IP for the route to 66.102.9.99 is different from 2.0.0.1 but that is not 
the case. It doesn't make sense to check the DNAT target against the local route 
source.

Either the function should be changed to correctly check the route, or it should 
be removed entirely as it's been nearly 2 years since it was added.

Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
---
 net/ipv4/netfilter/nf_nat_rule.c |   24 ------------------------
 1 files changed, 0 insertions(+), 24 deletions(-)
Patrick McHardy - Nov. 4, 2008, 1:36 p.m.
Simon Arlott wrote:
> In net/ipv4/netfilter/nf_nat_rule.c, the function warn_if_extra_mangle was added 
> in commit 5b1158e909ecbe1a052203e0d8df15633f829930 (2006-12-02). I have a DNAT 
> target in the OUTPUT chain that changes connections with dst 2.0.0.1 to another
> address which I'll substitute with 66.102.9.99 below.
> 
> On every boot I get the following message:
> [  146.252505] NAT: no longer support implicit source local NAT
> [  146.252517] NAT: packet src 66.102.9.99 -> dst 2.0.0.1
> 
> As far as I can tell from reading the function doing this, it should warn if the 
> source IP for the route to 66.102.9.99 is different from 2.0.0.1 but that is not 
> the case. It doesn't make sense to check the DNAT target against the local route 
> source.
> 
> Either the function should be changed to correctly check the route, or it should 
> be removed entirely as it's been nearly 2 years since it was added.

Removing it sounds fine to me. Applied, thanks.

Patch

diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index bea54a6..0e8af39 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -86,25 +86,6 @@  ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
 	return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
 }
 
-/* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
-static void warn_if_extra_mangle(struct net *net, __be32 dstip, __be32 srcip)
-{
-	static int warned = 0;
-	struct flowi fl = { .nl_u = { .ip4_u = { .daddr = dstip } } };
-	struct rtable *rt;
-
-	if (ip_route_output_key(net, &rt, &fl) != 0)
-		return;
-
-	if (rt->rt_src != srcip && !warned) {
-		printk("NAT: no longer support implicit source local NAT\n");
-		printk("NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n",
-		       NIPQUAD(srcip), NIPQUAD(dstip));
-		warned = 1;
-	}
-	ip_rt_put(rt);
-}
-
 static unsigned int
 ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
 {
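Review bot: check whether any include kept only for the route lookup is now unused, since the removed warn_if_extra_mangle() holds the only uses of ip_route_output_key(), ip_rt_put() and struct flowi visible in this hunk and the diffstat shows 24 deletions with no other change (the include list is not shown here). The deleted comment "Before 2.6.11 we did implicit source NAT if required" was also the in-file record of that behaviour change; one sentence in the changelog saying the warning for it is dropped on purpose would keep that history findable.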
@@ -120,11 +101,6 @@  ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
 	/* Connection must be valid and new. */
 	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
 
-	if (par->hooknum == NF_INET_LOCAL_OUT &&
-	    mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)
-		warn_if_extra_mangle(dev_net(par->out), ip_hdr(skb)->daddr,
-				     mr->range[0].min_ip);
-
 	return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
 }
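Review bot: the changelog should spell out the argument mapping at the removed call in ipt_dnat_target(): dstip receives ip_hdr(skb)->daddr and srcip receives mr->range[0].min_ip, so the helper looked up the route to the packet's original destination and compared rt->rt_src against the DNAT target. That mapping is why the quoted log prints the DNAT address as "src", and stating it makes the reason for the false positive explicit for anyone who later searches for the message. Only min_ip was ever compared, so the check also ignored the rest of a mapped range, which is a further argument for removal rather than repair.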