ipv4: Pass struct net into ip_route_me_harder
authorEric W. Biederman <ebiederm@xmission.com>
Fri, 25 Sep 2015 20:07:30 +0000 (15:07 -0500)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 29 Sep 2015 18:21:32 +0000 (20:21 +0200)
Don't make ip_route_me_harder guess which network namespace
it is routing in, pass the network namespace in.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/linux/netfilter_ipv4.h
net/ipv4/netfilter.c
net/ipv4/netfilter/ipt_SYNPROXY.c
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
net/ipv4/netfilter/nf_reject_ipv4.c
net/ipv4/netfilter/nft_chain_route_ipv4.c
net/netfilter/ipvs/ip_vs_core.c

index 6e4591b..98c03b2 100644 (file)
@@ -6,7 +6,7 @@
 
 #include <uapi/linux/netfilter_ipv4.h>
 
-int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type);
+int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
 __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
                       unsigned int dataoff, u_int8_t protocol);
 #endif /*__LINUX_IP_NETFILTER_H*/
index 9e07e6f..c3776ff 100644 (file)
@@ -17,9 +17,8 @@
 #include <net/netfilter/nf_queue.h>
 
 /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
-int ip_route_me_harder(struct sk_buff *skb, unsigned int addr_type)
+int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type)
 {
-       struct net *net = dev_net(skb_dst(skb)->dev);
        const struct iphdr *iph = ip_hdr(skb);
        struct rtable *rt;
        struct flowi4 fl4 = {};
@@ -116,7 +115,7 @@ static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
                      skb->mark == rt_info->mark &&
                      iph->daddr == rt_info->daddr &&
                      iph->saddr == rt_info->saddr))
-                       return ip_route_me_harder(skb, RTN_UNSPEC);
+                       return ip_route_me_harder(net, skb, RTN_UNSPEC);
        }
        return 0;
 }
index 0060d9a..6a6e762 100644 (file)
@@ -45,6 +45,8 @@ synproxy_send_tcp(const struct synproxy_net *snet,
                  struct iphdr *niph, struct tcphdr *nth,
                  unsigned int tcp_hdr_size)
 {
+       struct net *net = nf_ct_net(snet->tmpl);
+
        nth->check = ~tcp_v4_check(tcp_hdr_size, niph->saddr, niph->daddr, 0);
        nskb->ip_summed   = CHECKSUM_PARTIAL;
        nskb->csum_start  = (unsigned char *)nth - nskb->head;
@@ -52,7 +54,7 @@ synproxy_send_tcp(const struct synproxy_net *snet,
 
        skb_dst_set_noref(nskb, skb_dst(skb));
        nskb->protocol = htons(ETH_P_IP);
-       if (ip_route_me_harder(nskb, RTN_UNSPEC))
+       if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
                goto free_nskb;
 
        if (nfct) {
index 2d6fc91..ba5d392 100644 (file)
@@ -67,7 +67,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
                    iph->daddr != daddr ||
                    skb->mark != mark ||
                    iph->tos != tos) {
-                       err = ip_route_me_harder(skb, RTN_UNSPEC);
+                       err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
                        if (err < 0)
                                ret = NF_DROP_ERR(err);
                }
index bc3b9dc..5075b7e 100644 (file)
@@ -431,7 +431,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb,
 
                if (ct->tuplehash[dir].tuple.dst.u3.ip !=
                    ct->tuplehash[!dir].tuple.src.u3.ip) {
-                       err = ip_route_me_harder(skb, RTN_UNSPEC);
+                       err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
                        if (err < 0)
                                ret = NF_DROP_ERR(err);
                }
index fb33740..2f5e925 100644 (file)
@@ -129,7 +129,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
                                   ip4_dst_hoplimit(skb_dst(nskb)));
        nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
 
-       if (ip_route_me_harder(nskb, RTN_UNSPEC))
+       if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
                goto free_nskb;
 
        /* "Never happens" */
index 9f486b3..2375b0a 100644 (file)
@@ -53,7 +53,7 @@ static unsigned int nf_route_table_hook(void *priv,
                    iph->daddr != daddr ||
                    skb->mark != mark ||
                    iph->tos != tos)
-                       if (ip_route_me_harder(skb, RTN_UNSPEC))
+                       if (ip_route_me_harder(state->net, skb, RTN_UNSPEC))
                                ret = NF_DROP;
        }
        return ret;
index fb6b6c8..800b085 100644 (file)
@@ -720,7 +720,7 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af,
        } else
 #endif
                if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
-                   ip_route_me_harder(skb, RTN_LOCAL) != 0)
+                   ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0)
                        return 1;
 
        return 0;