netfilter: don't attach a nat extension by default

nowadays the NAT extension only stores the interface index
(used to purge connections that got masqueraded when interface goes down)
and pptp nat information.

Previous patches moved nf_ct_nat_ext_add to those places that need it.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index c327a43..05c82a1 100644 (file)
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -67,7 +67,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
 {
 #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \
     IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
-       return nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
+       return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
               CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&
               nat->masq_index != out->ifindex;
 #else

diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
index e3bfa6a..feedd75 100644 (file)
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -264,9 +264,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb,
        if (!ct)
                return NF_ACCEPT;
 
-       nat = nf_ct_nat_ext_add(ct);
-       if (nat == NULL)
-               return NF_ACCEPT;
+       nat = nfct_nat(ct);
 
        switch (ctinfo) {
        case IP_CT_RELATED:

diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 922b5ae..bf3ad3e 100644 (file)
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -273,9 +273,7 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
        if (!ct)
                return NF_ACCEPT;
 
-       nat = nf_ct_nat_ext_add(ct);
-       if (nat == NULL)
-               return NF_ACCEPT;
+       nat = nfct_nat(ct);
 
        switch (ctinfo) {
        case IP_CT_RELATED:

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 86eeacb..ec9e6d8 100644 (file)
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -408,12 +408,6 @@ nf_nat_setup_info(struct nf_conn *ct,
                  enum nf_nat_manip_type maniptype)
 {
        struct nf_conntrack_tuple curr_tuple, new_tuple;
-       struct nf_conn_nat *nat;
-
-       /* nat helper or nfctnetlink also setup binding */
-       nat = nf_ct_nat_ext_add(ct);
-       if (nat == NULL)
-               return NF_ACCEPT;
 
        NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
                     maniptype == NF_NAT_MANIP_DST);