    [NETFILTER]: Fix xfrm lookup after SNAT · ee68cea2
    Patrick McHardy authored
    To find out if a packet needs to be handled by IPsec after SNAT, packets
    are currently rerouted in POST_ROUTING and a new xfrm lookup is done. This
    breaks SNAT of non-unicast packets to non-local addresses because the
    packet is routed as an incoming packet and no neighbour entry is bound to the
    dst_entry. In general, it seems to be a bad idea to replace the dst_entry
    after the packet was already sent to the output routine because its state
    might not match what's expected.
    
    This patch changes the xfrm lookup in POST_ROUTING to re-use the original
    dst_entry without routing the packet again. This means no policy routing
    can be used for transport mode transforms (which keep the original route)
    when packets are SNATed to match the policy, but it looks like the best
    we can do for now.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter.c 4.15 KB