03486a4f83
When the NAT module is loaded while connections are already confirmed, it must not change their tuples anymore. This is especially important with CONFIG_NETFILTER_DEBUG: the netfilter listhelp functions will refuse to remove an entry from a list when it cannot be found on the list, so when a changed tuple hashes to a new bucket the entry is kept in the list until and after the conntrack is freed. Allocate the exact conntrack tuple for NAT for already confirmed connections or drop them if that fails. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
#ifndef _IP_NAT_RULE_H
#define _IP_NAT_RULE_H
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat.h>

/* Everything below is only visible when compiling the kernel itself. */
#ifdef __KERNEL__

/* Set up the NAT rule table; marked __init, so callable during module init only. */
extern int ip_nat_rule_init(void) __init;
/* Tear down what ip_nat_rule_init() set up. */
extern void ip_nat_rule_cleanup(void);

/*
 * Find the NAT rule that applies to the packet in *pskb, seen at hook
 * @hooknum arriving on @in / leaving via @out, for connection @ct whose
 * NAT state is @info.  Return value and verdict semantics are defined in
 * ip_nat_rule.c, not here.
 */
extern int ip_nat_rule_find(struct sk_buff **pskb,
			    unsigned int hooknum,
			    const struct net_device *in,
			    const struct net_device *out,
			    struct ip_conntrack *ct,
			    struct ip_nat_info *info);

/*
 * Give @conntrack a null binding (presumably a binding that translates
 * nothing -- inferred from the name; see ip_nat_rule.c) for the NAT state
 * @info at hook @hooknum.  Returns a netfilter verdict.
 */
extern unsigned int
alloc_null_binding(struct ip_conntrack *conntrack,
		   struct ip_nat_info *info,
		   unsigned int hooknum);

/*
 * Variant of alloc_null_binding() for connections that were already
 * confirmed before the NAT module was loaded.  A confirmed conntrack is
 * hashed by its tuple, so the tuple must not be changed here: per the
 * introducing commit, this reserves exactly the existing tuple for NAT
 * and the packet is dropped when that is not possible.  Returns a
 * netfilter verdict (presumably NF_DROP on failure -- confirm against
 * the implementation).
 */
extern unsigned int
alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
			     struct ip_nat_info *info,
			     unsigned int hooknum);
#endif /* __KERNEL__ */
#endif /* _IP_NAT_RULE_H */