84e294de7aec249ceb0d5adb71195288caffb25c
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 23 Mar 2021 00:56:23 +0100
3 Subject: [PATCH] netfilter: flowtable: move skb_try_make_writable()
4 before NAT in IPv4
5
6 For consistency with the IPv6 flowtable datapath and to make sure the
7 skbuff is writable right before the NAT header updates.
8
9 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 ---
11
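--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -266,10 +266,6 @@ nf_flow_offload_ip_hook(void *priv, stru
 
 iph = ip_hdr(skb);
 thoff = iph->ihl * 4;
- if (skb_try_make_writable(skb, thoff + hdrsize))
- return NF_DROP;
-
- iph = ip_hdr(skb);
 if (nf_flow_state_check(flow, iph->protocol, skb, thoff))
 return NF_ACCEPT;
 
@@ -280,6 +276,10 @@ nf_flow_offload_ip_hook(void *priv, stru
 return NF_ACCEPT;
 }
 
+ if (skb_try_make_writable(skb, thoff + hdrsize))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
 if (nf_flow_nat_ip(flow, skb, thoff, dir, iph) < 0)
 return NF_DROP;
 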
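Review bot: The `iph = ip_hdr(skb);` reload after `skb_try_make_writable()` in the second hunk is load-bearing but carries no comment: when the skb is cloned the call can reallocate the header, so the pointer read at the top of the first hunk would be stale by the time `nf_flow_nat_ip()` writes through it. I would add `/* skb_try_make_writable() may reallocate the header; reload iph before NAT writes to it */` above the reload. With the call moved down, `nf_flow_state_check()` and the code between the two hunks (not visible here) now run on a possibly shared skb, so it is worth confirming that nothing on that path writes to the packet or keeps a header pointer that is still used after the reload. The function body starts and ends outside these hunks.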