[NETFILTER]: nat: avoid rerouting packets if only XFRM policy key changed

[powerpc.git] / net / ipv4 / netfilter / nf_nat_standalone.c

diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index e4d3ef1..15aa3db 100644 (file)
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -245,14 +245,16 @@ nf_nat_local_fn(unsigned int hooknum,
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
                if (ct->tuplehash[dir].tuple.dst.u3.ip !=
-                   ct->tuplehash[!dir].tuple.src.u3.ip
-#ifdef CONFIG_XFRM
-                   || ct->tuplehash[dir].tuple.dst.u.all !=
-                      ct->tuplehash[!dir].tuple.src.u.all
-#endif
-                   )
+                   ct->tuplehash[!dir].tuple.src.u3.ip) {
                        if (ip_route_me_harder(pskb, RTN_UNSPEC))
                                ret = NF_DROP;
+               }
+#ifdef CONFIG_XFRM
+               else if (ct->tuplehash[dir].tuple.dst.u.all !=
+                        ct->tuplehash[!dir].tuple.src.u.all)
+                       if (ip_xfrm_me_harder(pskb))
+                               ret = NF_DROP;
+#endif
        }
        return ret;
 }