git.hungrycats.org Git - linux/commitdiff
[NETFILTER]: Prevent NAT from seeing fragments
author: Patrick McHardy <kaber@trash.net>
        Wed, 23 Feb 2005 11:38:18 +0000 (03:38 -0800)
committer: David S. Miller <davem@nuts.davemloft.net>
        Wed, 23 Feb 2005 11:38:18 +0000 (03:38 -0800)
The path for loopback is:
LOCAL_OUT: conntrack defrags
POST_ROUTING: conntrack refrags
PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL
PRE_ROUTING: NAT gets hit by fragments

Always defrag on loopback if NAT is compiled in.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Rusty Russel <rusty@rustcorp.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ip_conntrack_standalone.c
index dd9f125ff6508e04045fe47a363235c0270d96ab..16d60222b0513a229dc73c64fdcbbc06ad74c7a0 100644
@@ -384,10 +384,12 @@ static unsigned int ip_conntrack_defrag(unsigned int hooknum,
                                        const struct net_device *out,
                                        int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
        /* Previously seen (loopback)?  Ignore.  Do this before
            fragment check. */
        if ((*pskb)->nfct)
                return NF_ACCEPT;
+#endif
 
        /* Gather fragments. */
        if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
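Review bot: the new `#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)` guard makes the early return build-dependent, but the comment it now wraps ("Previously seen (loopback)? Ignore.") still reads as if skipping were unconditional, so a reader of a NAT-enabled tree sees an ifdef'd-out block with no explanation of why it is disabled. Suggest carrying the reason from the commit message into the source, e.g. `/* With NAT built in, loopback packets must reach the fragment check: POST_ROUTING refragmented them and NAT at PRE_ROUTING must not see fragments. */`. Worth stating in the changelog as well that, with NAT compiled in, every skb carrying an nfct now falls through to the `frag_off & htons(IP_MF|IP_OFFSET)` test below, so the added cost on the loopback path is one header check per packet and reassembly only runs for actual fragments.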