UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

netfilter: flowtable: move skb_try_make_writable() before NAT in IPv4 

For consistency with the IPv6 flowtable datapath and to make sure the
skbuff is writable right before the NAT header updates.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso 2021-03-17 15:54:43 +01:00
parent 2fc11745c3
commit 2babb46c8c
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
net/netfilter/nf_flow_table_ip.c
View File

@ -266,10 +266,6 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
iph = ip_hdr(skb);
thoff = iph->ihl * 4;
if (skb_try_make_writable(skb, thoff + hdrsize))
return NF_DROP;
iph = ip_hdr(skb);
if (nf_flow_state_check(flow, iph->protocol, skb, thoff))
return NF_ACCEPT;
@ -280,6 +276,10 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
return NF_ACCEPT;
}
if (skb_try_make_writable(skb, thoff + hdrsize))
return NF_DROP;
iph = ip_hdr(skb);
if (nf_flow_nat_ip(flow, skb, thoff, dir, iph) < 0)
return NF_DROP;