From 95b00c7ee43128294fad771cd4457ea38a9f533d Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Fri, 30 Nov 2012 12:37:26 +0000
Subject: [PATCH]
--- yaml ---
r: 341867
b: refs/heads/master
c: a0ecb85a2c3af73c63b6d44ce82aea52347ccf55
h: refs/heads/master
i: 341865: db2922586efce95c9383d285bcd9f23a67c7871c 341863: 2d79aa36d8cf02f98f4efceecc3e229dc1241501
v: v3
---
 [refs] | 2 +-
 trunk/include/net/netfilter/nf_nat.h | 15 +++++++++++++++
 trunk/net/ipv4/netfilter/iptable_nat.c | 4 ++++
 trunk/net/ipv6/netfilter/ip6table_nat.c | 4 ++++
 4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index 39134e11df18..5479b3ea4f39 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 6d1fafcaecaa2e66eb9861a39d22fc7380ce6f78
+refs/heads/master: a0ecb85a2c3af73c63b6d44ce82aea52347ccf55
diff --git a/trunk/include/net/netfilter/nf_nat.h b/trunk/include/net/netfilter/nf_nat.h
index bd8eea720f2e..ad14a799fd2e 100644
--- a/trunk/include/net/netfilter/nf_nat.h
+++ b/trunk/include/net/netfilter/nf_nat.h
@@ -68,4 +68,19 @@ static inline struct nf_conn_nat *nfct_nat(const struct nf_conn *ct)
 #endif
 }
+static inline bool nf_nat_oif_changed(unsigned int hooknum,
+ enum ip_conntrack_info ctinfo,
+ struct nf_conn_nat *nat,
+ const struct net_device *out)
+{
+#if IS_ENABLED(CONFIG_IP_NF_TARGET_MASQUERADE) || \
+ IS_ENABLED(CONFIG_IP6_NF_TARGET_MASQUERADE)
+ return nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
+ CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&
+ nat->masq_index != out->ifindex;
+#else
+ return false;
+#endif
+}
+
 #endif
diff --git a/trunk/net/ipv4/netfilter/iptable_nat.c b/trunk/net/ipv4/netfilter/iptable_nat.c
index ac635a7b4416..da2c8a368f68 100644
--- a/trunk/net/ipv4/netfilter/iptable_nat.c
+++ b/trunk/net/ipv4/netfilter/iptable_nat.c
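Review bot: `nf_nat_oif_changed` dereferences `nat` unconditionally as the first operand of the `&&` chain and `out` only after `hooknum == NF_INET_POST_ROUTING` has held, so it is safe only while every caller passes a non-NULL `nat` and a non-NULL `out` at post-routing, and that contract is stated nowhere in the hunk. A header comment such as `/* Caller must pass a non-NULL nat; out is dereferenced only at NF_INET_POST_ROUTING. Returns true when the original direction of a masqueraded flow now leaves via a different interface than the one the mapping was created on. */` would make the operand order deliberate rather than incidental for the next person who reorders the condition. As a point of style, `nat` is only read through, so the parameter can be `const struct nf_conn_nat *nat,` to match `out`. The `#else` branch returning `false` presumably exists because `masq_index` is only present in `struct nf_conn_nat` when one of the MASQUERADE targets is built; a one-line comment on the `#if` saying so would spare a reader the lookup.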
@@ -134,6 +134,10 @@ nf_nat_ipv4_fn(unsigned int hooknum,
 /* ESTABLISHED */
 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY);
+ if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
+ nf_ct_kill_acct(ct, ctinfo, skb);
+ return NF_DROP;
+ }
 }
 return nf_nat_packet(ct, ctinfo, hooknum, skb);
diff --git a/trunk/net/ipv6/netfilter/ip6table_nat.c b/trunk/net/ipv6/netfilter/ip6table_nat.c
index fa84cf8ec6bc..6c8ae24b85eb 100644
--- a/trunk/net/ipv6/netfilter/ip6table_nat.c
+++ b/trunk/net/ipv6/netfilter/ip6table_nat.c
@@ -137,6 +137,10 @@ nf_nat_ipv6_fn(unsigned int hooknum,
 /* ESTABLISHED */
 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY);
+ if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
+ nf_ct_kill_acct(ct, ctinfo, skb);
+ return NF_DROP;
+ }
 }
 return nf_nat_packet(ct, ctinfo, hooknum, skb);
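Review bot: The added `if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))` block in `nf_nat_ipv4_fn` tears down an ESTABLISHED conntrack entry and drops the packet without a comment saying why a route change justifies that, and the identical block in `nf_nat_ipv6_fn` in ip6table_nat.c has the same gap. The motivation is only recoverable from the helper's name and the `masq_index != out->ifindex` test in nf_nat.h — presumably a masquerade mapping is bound to the device it was created on and must not be reused once the flow leaves through another one — so state it at the call site: `/* Masquerade mapping belongs to a different output device: kill the entry so the next packet gets a fresh mapping on the new route. */`. The first packet after the route change is dropped rather than re-mapped and the drop leaves no counter or log behind, so if that is intended it belongs in the same comment, since a silent NF_DROP on an established flow is otherwise hard to diagnose. Both enclosing functions begin and end outside their hunks, so the origin of `nat` and `out` is not visible here.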