patch-2.4.4 linux/net/ipv4/netfilter/ip_nat_standalone.c

• Lines: 44
• Date: Fri Apr 27 14:15:01 2001
• Orig file: v2.4.3/linux/net/ipv4/netfilter/ip_nat_standalone.c
• Orig date: Sat Feb 3 11:45:55 2001

diff -u --recursive --new-file v2.4.3/linux/net/ipv4/netfilter/ip_nat_standalone.c linux/net/ipv4/netfilter/ip_nat_standalone.c
@@ -64,21 +64,25 @@
 	(*pskb)->nfcache |= NFC_UNKNOWN;
 
 	/* If we had a hardware checksum before, it's now invalid */
-	if ((*pskb)->pkt_type != PACKET_LOOPBACK)
+	if ((*pskb)->ip_summed == CHECKSUM_HW)
 		(*pskb)->ip_summed = CHECKSUM_NONE;
 
 	ct = ip_conntrack_get(*pskb, &ctinfo);
-	/* Can't track?  Maybe out of memory: this would make NAT
-           unreliable. */
+	/* Can't track?  It's not due to stress, or conntrack would
+	   have dropped it.  Hence it's the user's responsibilty to
+	   packet filter it out, or implement conntrack/NAT for that
+	   protocol. 8) --RR */
 	if (!ct) {
-		if (net_ratelimit())
-			printk(KERN_DEBUG "NAT: %u dropping untracked packet %p %u %u.%u.%u.%u -> %u.%u.%u.%u\n",
-			       hooknum,
-			       *pskb,
-			       (*pskb)->nh.iph->protocol,
-			       NIPQUAD((*pskb)->nh.iph->saddr),
-			       NIPQUAD((*pskb)->nh.iph->daddr));
-		return NF_DROP;
+		/* Exception: ICMP redirect to new connection (not in
+                   hash table yet).  We must not let this through, in
+                   case we're doing NAT to the same network. */
+		struct iphdr *iph = (*pskb)->nh.iph;
+		struct icmphdr *hdr = (struct icmphdr *)
+			((u_int32_t *)iph + iph->ihl);
+		if (iph->protocol == IPPROTO_ICMP
+		    && hdr->type == ICMP_REDIRECT)
+			return NF_DROP;
+		return NF_ACCEPT;
 	}
 
 	switch (ctinfo) {
@@ -336,3 +340,6 @@
 EXPORT_SYMBOL(ip_nat_expect_register);
 EXPORT_SYMBOL(ip_nat_expect_unregister);
 EXPORT_SYMBOL(ip_nat_cheat_check);
+EXPORT_SYMBOL(ip_nat_mangle_tcp_packet);
+EXPORT_SYMBOL(ip_nat_seq_adjust);
+EXPORT_SYMBOL(ip_nat_delete_sack);