[NETFILTER]: Apply PRE_ROUTING manips in LOCAL_OUT for locally generated icmp errors

Locally generated ICMP errors never hit PRE_ROUTING. Fixes invalid addressed ICMP errors for SNATed packets. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@coreworks.de> 2004-11-27 15:26:24 +0100
committer: David S. Miller <davem@kernel.bkbits.net> 2004-11-27 15:26:24 +0100
commit: 8aad8a722e0127fe6ce88220fec10f77f30f7762 (patch)
tree: 6e354ae2548ce1e1f6f9ce2f34fbf0fb9ef841f8
parent: 50cce6d2ae87f215f94b21760d0cba78e451419e (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index d43b3242152b3..cbd0924fc936d 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -880,6 +880,14 @@ icmp_reply_translation(struct sk_buff **pskb,
 		/* Mapping the inner packet is just like a normal packet, except
 		 * it was never src/dst reversed, so where we would normally
 		 * apply a dst manip, we apply a src, and vice versa. */
+
+		/* Only true for forwarded packets, locally generated packets
+		 * never hit PRE_ROUTING, we need to apply their PRE_ROUTING
+		 * manips in LOCAL_OUT. */
+		if (hooknum == NF_IP_LOCAL_OUT &&
+		    info->manips[i].hooknum == NF_IP_PRE_ROUTING)
+			hooknum = info->manips[i].hooknum;
+
 		if (info->manips[i].hooknum != hooknum)
 			continue;
author	Patrick McHardy <kaber@coreworks.de>	2004-11-27 15:26:24 +0100
committer	David S. Miller <davem@kernel.bkbits.net>	2004-11-27 15:26:24 +0100
commit	8aad8a722e0127fe6ce88220fec10f77f30f7762 (patch)
tree	6e354ae2548ce1e1f6f9ce2f34fbf0fb9ef841f8
parent	50cce6d2ae87f215f94b21760d0cba78e451419e (diff)