Skip to content

Commit

Permalink
[PATCH] don't try to do any NAT on untracked connections
Browse files Browse the repository at this point in the history 
With the introduction of 'rustynat' in 2.6.11, the old tricks of preventing
NAT of 'untracked' connections (e.g. NOTRACK target in 'raw' table) are no
longer sufficient.

The ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK effectively
prevents iteration of the 'nat' table, but doesn't prevent nat_packet()
to be executed.  Since nr_manips is gone in 'rustynat', nat_packet() now
implicitly thinks that it has to do NAT on the packet.

This patch fixes that problem by explicitly checking for
ip_conntrack_untracked in ip_nat_fn().

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  • Loading branch information
Harald Welte authored and Linus Torvalds committed Aug 8, 2005
1 parent 48de5be commit 8b83bc7
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions net/ipv4/netfilter/ip_nat_standalone.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ ip_nat_fn(unsigned int hooknum,
return NF_ACCEPT;
}

/* Don't try to NAT if this packet is not conntracked */
if (ct == &ip_conntrack_untracked)
return NF_ACCEPT;

switch (ctinfo) {
case IP_CT_RELATED:
case IP_CT_RELATED+IP_CT_IS_REPLY:
Expand Down

0 comments on commit 8b83bc7

Please sign in to comment.