Message ID | 1469915660-16904-1-git-send-email-xfan@codeaurora.org |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
Headers | show |
fxp2001640163@gmail.com <fxp2001640163@gmail.com> wrote: > From: Xiaoping Fan <xfan@codeaurora.org> > > In some case, bridged packet will come back again for routing. When bridge > netfilter is enabled, a null snat rule is assigned to bridged packet if no > matching in nat chain. Then nat rule matching is skipped when packet comes > back for routing. This result in private IP address exported to public > network. So we don't assign a null snat rule to bridged traffic if no > matching. This looks bogus. However, we already have issue with existing iptables nat vs nftables nat. So I think it might make sense to delay NULL binding allocation until we confirm the conntrack so users don't have to rmmod iptable_nat anymore when they use nftables as well. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c index 41c7992..151eee6 100644 --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c @@ -315,6 +315,9 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb, break; } + if (nf_nat_is_bridged_pkt(skb)) + break; + ret = nf_nat_alloc_null_binding(ct, state->hook); if (ret != NF_ACCEPT) return ret; diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c index dc8df3a..c94eae4 100644 --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c @@ -324,6 +324,9 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb, break; } + if (nf_nat_is_bridged_pkt(skb)) + break; + ret = nf_nat_alloc_null_binding(ct, state->hook); if (ret != NF_ACCEPT) return ret;