In message <200006132058.WAA27846@xxxxxxxxxxxxxxxx> you write:
> - make it happen less often by setting NFC_ALTERED only when
> something has changed (probably a good idea in any case)
Yep. And NAT only makes sense for `simple' stuff anyway; NATting
local src=0.0.0.0 packets is just plain weird.
This patch is trivial and clean. Can you test it with unpatched pump?
Also sets NFC_ALTERED in compat layer (which doesn't hook in at
LOCAL_OUT anyway, so is just me being a pedant).
Cheers,
Rusty.
--- working-2.4.0-test1/net/ipv4/netfilter/ip_nat_standalone.c.~1~ Tue Jun
6 00:11:01 2000
+++ working-2.4.0-test1/net/ipv4/netfilter/ip_nat_standalone.c Fri Jun 16
18:12:21 2000
@@ -60,8 +60,7 @@
IP_NF_ASSERT(!((*pskb)->nh.iph->frag_off
& __constant_htons(IP_MF|IP_OFFSET)));
- /* FIXME: One day, fill in properly. --RR */
- (*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
+ (*pskb)->nfcache |= NFC_UNKNOWN;
/* If we had a hardware checksum before, it's now invalid */
if ((*pskb)->pkt_type != PACKET_LOOPBACK)
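Review bot: Removing the FIXME together with NFC_ALTERED leaves the remaining `NFC_UNKNOWN` unexplained, and nothing here says that this hook now depends on `manip_pkt()` in ip_nat_core.c to mark altered packets. I would keep a short comment on the new line, for example `/* nfcache not filled in properly yet; NFC_ALTERED is set by manip_pkt() when a manip is applied */`. The context comment just below ("it's now invalid") still reads as if the packet is always changed on this path, which no longer matches the flag handling, so it may need rewording too. The enclosing function starts and ends outside the hunk.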
--- working-2.4.0-test1/net/ipv4/netfilter/ip_nat_core.c.~1~ Tue Jun 6
00:11:01 2000
+++ working-2.4.0-test1/net/ipv4/netfilter/ip_nat_core.c Fri Jun 16
18:16:44 2000
@@ -663,8 +663,10 @@
static void
manip_pkt(u_int16_t proto, struct iphdr *iph, size_t len,
const struct ip_conntrack_manip *manip,
- enum ip_nat_manip_type maniptype)
+ enum ip_nat_manip_type maniptype,
+ __u32 *nfcache)
{
+ *nfcache |= NFC_ALTERED;
find_nat_proto(proto)->manip_pkt(iph, len, manip, maniptype);
if (maniptype == IP_NAT_MANIP_SRC) {
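Review bot: The new `*nfcache |= NFC_ALTERED;` runs before the protocol handler and regardless of whether the manip changes any byte, so the flag means "a manip was applied" rather than "something has changed" as the quoted request puts it. That is the conservative choice for later code that reads the flag, but it should be written down, for example `/* Mark conservatively: any applied manip counts as an alteration, even if address/port end up identical */` above the statement. The new `nfcache` parameter is also an undocumented out-parameter; a line in the function's header comment saying it must point at the owning skb's nfcache would help. The function body continues past the end of the hunk.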
@@ -718,7 +720,8 @@
(*pskb)->nh.iph,
(*pskb)->len,
&info->manips[i].manip,
- info->manips[i].maniptype);
+ info->manips[i].maniptype,
+ &(*pskb)->nfcache);
}
}
helper = info->helper;
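Review bot: The helper fetched on the last context line (`helper = info->helper;`) sits outside the manip loop, so whatever it rewrites does not pass through `manip_pkt()` and will not set NFC_ALTERED by itself. If a helper can run on a packet for which no manip matched (not visible in this hunk), a modified packet would leave with the flag clear and later code could treat it as untouched. Worth confirming, and if it can happen, adding `(*pskb)->nfcache |= NFC_ALTERED;` at the point where the helper is invoked. The rest of the function is outside the hunk.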
@@ -782,7 +785,8 @@
manip_pkt(inner->protocol, inner,
skb->len - ((void *)inner - (void *)iph),
&info->manips[i].manip,
- !info->manips[i].maniptype);
+ !info->manips[i].maniptype,
+ &skb->nfcache);
/* Outer packet needs to have IP header NATed like
it's a reply. */
} else if (info->manips[i].direction == dir
@@ -795,7 +799,8 @@
IP_PARTS(info->manips[i].manip.ip));
manip_pkt(0, iph, skb->len,
&info->manips[i].manip,
- info->manips[i].maniptype);
+ info->manips[i].maniptype,
+ &skb->nfcache);
}
}
READ_UNLOCK(&ip_nat_lock);
--- working-2.4.0-test1/net/ipv4/netfilter/ip_fw_compat.c.~1~ Fri May 12
13:22:38 2000
+++ working-2.4.0-test1/net/ipv4/netfilter/ip_fw_compat.c Fri Jun 16
18:25:21 2000
@@ -83,7 +83,8 @@
int ret = FW_BLOCK;
u_int16_t redirpt;
- (*pskb)->nfcache |= NFC_UNKNOWN;
+ /* Assume worse case: any hook could change packet */
+ (*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
(*pskb)->ip_summed = CHECKSUM_NONE;
switch (hooknum) {
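Review bot: The new comment should record the condition that makes the unconditional `NFC_UNKNOWN | NFC_ALTERED` harmless here. According to the mail above, that condition is that the compat layer does not hook in at LOCAL_OUT. Without it, someone adding a LOCAL_OUT hook to the compat code later would silently reintroduce the always-altered behaviour that the other hunks remove. Suggested wording: `/* Assume worst case: any hook could change packet. Harmless only while compat does not hook LOCAL_OUT. */` (this also fixes "worse" to "worst"). The enclosing function starts and ends outside the hunk.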
--
Hacking time.
|