Adding extensions to confirmed conntracks is not allowed to avoid races on reallocation. Don't set up NAT for confirmed conntracks in case the NAT module is loaded late. This has one side-effect: the connections existing before the NAT module was loaded won't enter the bysource hash. The only case where this actually makes a difference is in case of SNAT to a multirange where the IP before NAT is also part of the range. Since old connections don't enter the bysource hash, the first new connection from the IP will have a new address selected. This shouldn't matter at all. Signed-off-by: Patrick McHardy <kaber@trash.net>
#ifndef _NF_NAT_RULE_H
#define _NF_NAT_RULE_H

/*
 * Interface of the netfilter NAT rule lookup code.  This header only
 * declares the entry points; the definitions live in the NAT rule
 * module (nf_nat_rule.c, presumably -- not visible here).
 */

#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_nat.h>
#include <linux/netfilter_ipv4/ip_tables.h>

/*
 * Register the NAT rule handling.  __init is the kernel init-section
 * annotation, so this is expected to be called once at module/boot init.
 */
extern int nf_nat_rule_init(void) __init;
/* Undo whatever nf_nat_rule_init() registered. */
extern void nf_nat_rule_cleanup(void);
/*
 * Look up the NAT rule that applies to @skb for connection @ct, as seen
 * at hook @hooknum with ingress device @in and egress device @out.
 * NOTE(review): the meaning of the int return value is not visible here
 * (presumably a netfilter verdict) -- check the definition before use.
 */
extern int nf_nat_rule_find(struct sk_buff *skb,
			    unsigned int hooknum,
			    const struct net_device *in,
			    const struct net_device *out,
			    struct nf_conn *ct);

/*
 * Set up a "null" NAT binding (no address change) on @ct for hook
 * @hooknum.  NOTE(review): per the commit message, NAT setup must not
 * add extensions to an already confirmed conntrack (it races with
 * reallocation); this declaration does not enforce that, so callers are
 * expected to check confirmation state first -- verify in the callers.
 */
extern unsigned int
alloc_null_binding(struct nf_conn *ct, unsigned int hooknum);

#endif /* _NF_NAT_RULE_H */