mirror of
https://github.com/Fishwaldo/linux-bl808.git
synced 2025-06-17 20:25:19 +00:00
[NETFILTER]: Redo policy lookups after NAT when neccessary
When NAT changes the key used for the xfrm lookup it needs to be done again. If a new policy is returned in POST_ROUTING the packet needs to be passed to xfrm4_output_one manually after all hooks were called because POST_ROUTING is called with fixed okfn (ip_finish_output). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy
David S. Miller
parent
4e8e9de7c2
commit
5c901daaea
4 changed files with 32 additions and 3 deletions
|
|
@ -202,6 +202,11 @@ static inline int ip_finish_output2(struct sk_buff *skb)
|
|||
|
||||
static inline int ip_finish_output(struct sk_buff *skb)
|
||||
{
|
||||
#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
|
||||
/* Policy lookup after SNAT yielded a new policy */
|
||||
if (skb->dst->xfrm != NULL)
|
||||
return xfrm4_output_finish(skb);
|
||||
#endif
|
||||
if (skb->len > dst_mtu(skb->dst) &&
|
||||
!(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
|
||||
return ip_fragment(skb, ip_finish_output2);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue