netfilter: don't attach a nat extension by default

nowadays the NAT extension only stores the interface index
(used to purge connections that got masqueraded when interface goes down)
and pptp nat information.

Previous patches moved nf_ct_nat_ext_add to those places that need it.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index c327a431a6f38103598b82182d463dd728f70443..05c82a1a42679cf336c4ecc2addc30bdaceecbbe 100644 (file)
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -67,7 +67,7 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
 {
 #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV4) || \
     IS_ENABLED(CONFIG_NF_NAT_MASQUERADE_IPV6)
-       return nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
+       return nat && nat->masq_index && hooknum == NF_INET_POST_ROUTING &&
               CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL &&
               nat->masq_index != out->ifindex;
 #else

diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
index e3bfa6a169f004c7e505641bb1b79fac56bf6675..feedd759ca8043c3eff37e22d0f1c8301b229da2 100644 (file)
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -264,9 +264,7 @@ nf_nat_ipv4_fn(void *priv, struct sk_buff *skb,
        if (!ct)
                return NF_ACCEPT;
 
-       nat = nf_ct_nat_ext_add(ct);
-       if (nat == NULL)
-               return NF_ACCEPT;
+       nat = nfct_nat(ct);
 
        switch (ctinfo) {
        case IP_CT_RELATED:

diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 922b5aef273c3e05c2025b951df30508f2ca1992..bf3ad3e7b6479aeca80b24faefe381d1922ea290 100644 (file)
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -273,9 +273,7 @@ nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
        if (!ct)
                return NF_ACCEPT;
 
-       nat = nf_ct_nat_ext_add(ct);
-       if (nat == NULL)
-               return NF_ACCEPT;
+       nat = nfct_nat(ct);
 
        switch (ctinfo) {
        case IP_CT_RELATED:

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 86eeacbb479372dbd25519fa6541b5677af28d2b..ec9e6d8101b91120d3efe2509ca17b02ea01c578 100644 (file)
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -408,12 +408,6 @@ nf_nat_setup_info(struct nf_conn *ct,
                  enum nf_nat_manip_type maniptype)
 {
        struct nf_conntrack_tuple curr_tuple, new_tuple;
-       struct nf_conn_nat *nat;
-
-       /* nat helper or nfctnetlink also setup binding */
-       nat = nf_ct_nat_ext_add(ct);
-       if (nat == NULL)
-               return NF_ACCEPT;
 
        NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
                     maniptype == NF_NAT_MANIP_DST);