[NETFILTER]: Handle NAT in IPsec policy checks Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi of the original packet from the conntrack information for IPsec policy checks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: eb9c7ebe6980c41cf6ae889e301c3b49f473ee9f [log] [tgz]
author: Patrick McHardy <kaber@trash.net> Fri Jan 06 23:06:30 2006 -0800
committer: David S. Miller <davem@sunset.davemloft.net> Sat Jan 07 12:57:37 2006 -0800
tree: 419103d15b9de9c26c8400c698625231df55da91
parent: b59c270104f03960069596722fea70340579244d [diff] [blame]
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 23ba177..00f9832 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c

@@ -986,6 +986,7 @@
 
 	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
+	nf_reset(skb);
 
 	return sk_receive_skb(sk, skb);
 
@@ -1099,7 +1100,6 @@
 		kfree_skb(sk->sk_send_head);
 		sk->sk_send_head = NULL;
 	}
-	nf_reset(skb);
 
 	/* Clean up a referenced DCCP bind bucket. */
 	if (inet_csk(sk)->icsk_bind_hash != NULL)
commit	eb9c7ebe6980c41cf6ae889e301c3b49f473ee9f	[log] [tgz]
author	Patrick McHardy <kaber@trash.net>	Fri Jan 06 23:06:30 2006 -0800
committer	David S. Miller <davem@sunset.davemloft.net>	Sat Jan 07 12:57:37 2006 -0800
tree	419103d15b9de9c26c8400c698625231df55da91
parent	b59c270104f03960069596722fea70340579244d [diff] [blame]