netfilter: nf_conntrack: restrict NAT helper invocation to IPv4

The NAT helpers currently only handle IPv4 packets correctly. Restrict invocation of the helpers to IPv4 in preparation of IPv6 NAT. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2012-08-26 19:14:01 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-30 03:00:12 +0200
commit: 811927ccfe90fbfcfff5253ba7f95057f6cae692 (patch)
tree: c0e2606135bef4b786b3ee60126d02d64528c0a4 /net/netfilter/nf_conntrack_ftp.c
parent: 2b60af017880f7dc35d1fac65f48fc94f8a3c1ec (diff)
download: linux-811927ccfe90fbfcfff5253ba7f95057f6cae692.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4bb771d1f57af..3e1587e63c034 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -487,7 +487,8 @@ static int help(struct sk_buff *skb,
 	/* Now, NAT might want to mangle the packet, and register the
 	 * (possibly changed) expectation itself. */
 	nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
-	if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
+	if (nf_nat_ftp && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
+	    ct->status & IPS_NAT_MASK)
 		ret = nf_nat_ftp(skb, ctinfo, search[dir][i].ftptype,
 				 matchoff, matchlen, exp);
 	else {
author	Patrick McHardy <kaber@trash.net>	2012-08-26 19:14:01 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-08-30 03:00:12 +0200
commit	811927ccfe90fbfcfff5253ba7f95057f6cae692 (patch)
tree	c0e2606135bef4b786b3ee60126d02d64528c0a4 /net/netfilter/nf_conntrack_ftp.c
parent	2b60af017880f7dc35d1fac65f48fc94f8a3c1ec (diff)
download	linux-811927ccfe90fbfcfff5253ba7f95057f6cae692.tar.gz