netfilter: flowtable: move skb_try_make_writable() before NAT in IPv4

For consistency with the IPv6 flowtable datapath and to make sure the skbuff is writable right before the NAT header updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: flowtable: move skb_try_make_writable() before NAT in IPv4
For consistency with the IPv6 flowtable datapath and to make sure the skbuff is writable right before the NAT header updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2babb46c · Pablo Neira Ayuso · 2fc11745 · 2babb46c
Commit 2babb46c authored Mar 17, 2021 by Pablo Neira Ayuso
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

net/netfilter/nf_flow_table_ip.c net/netfilter/nf_flow_table_ip.c +4 -4

No files found.
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -266,10 +266,6 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,

 	iph = ip_hdr(skb);
 	thoff = iph->ihl * 4;
-	if (skb_try_make_writable(skb, thoff + hdrsize))
-		return NF_DROP;
-
-	iph = ip_hdr(skb);
 	if (nf_flow_state_check(flow, iph->protocol, skb, thoff))
 		return NF_ACCEPT;

@@ -280,6 +276,10 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 		return NF_ACCEPT;
 	}

+	if (skb_try_make_writable(skb, thoff + hdrsize))
+		return NF_DROP;
+
+	iph = ip_hdr(skb);
 	if (nf_flow_nat_ip(flow, skb, thoff, dir, iph) < 0)
 		return NF_DROP;