1 files changed, 14 insertions, 9 deletions

diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c
index fb21a0875fa447..694838c0acd0d0 100644
--- a/net/ipv4/netfilter/ip_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c
@@ -85,14 +85,14 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
 static int
 tcp_manip_pkt(struct sk_buff **pskb,
 	      unsigned int iphdroff,
-	      const struct ip_conntrack_manip *manip,
+	      const struct ip_conntrack_tuple *tuple,
 	      enum ip_nat_manip_type maniptype)
 {
 	struct iphdr *iph = (struct iphdr *)((*pskb)->data + iphdroff);
 	struct tcphdr *hdr;
 	unsigned int hdroff = iphdroff + iph->ihl*4;
-	u32 oldip, oldsrc = iph->saddr, olddst = iph->daddr;
-	u16 *portptr, oldport;
+	u32 oldip, newip;
+	u16 *portptr, newport, oldport;
 	int hdrsize = 8; /* TCP connection tracking guarantees this much */
 
 	/* this could be a inner header returned in icmp packet; in such
@@ -104,27 +104,32 @@ tcp_manip_pkt(struct sk_buff **pskb,
 	if (!skb_ip_make_writable(pskb, hdroff + hdrsize))
 		return 0;
 
-	hdr = (void *)(*pskb)->data + hdroff;
+	iph = (struct iphdr *)((*pskb)->data + iphdroff);
+	hdr = (struct tcphdr *)((*pskb)->data + iph->ihl*4);
 
 	if (maniptype == IP_NAT_MANIP_SRC) {
 		/* Get rid of src ip and src pt */
-		oldip = oldsrc;
+		oldip = iph->saddr;
+		newip = tuple->src.ip;
+		newport = tuple->src.u.tcp.port;
 		portptr = &hdr->source;
 	} else {
 		/* Get rid of dst ip and dst pt */
-		oldip = olddst;
+		oldip = iph->daddr;
+		newip = tuple->dst.ip;
+		newport = tuple->dst.u.tcp.port;
 		portptr = &hdr->dest;
 	}
 
 	oldport = *portptr;
-	*portptr = manip->u.tcp.port;
+	*portptr = newport;
 
 	if (hdrsize < sizeof(*hdr))
 		return 1;
 
-	hdr->check = ip_nat_cheat_check(~oldip, manip->ip,
+	hdr->check = ip_nat_cheat_check(~oldip, newip,
 					ip_nat_cheat_check(oldport ^ 0xFFFF,
-							   manip->u.tcp.port,
+							   newport,
 							   hdr->check));
 	return 1;
 }