1 files changed, 15 insertions, 14 deletions

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index e2e00c4da88..0047923c1f2 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -462,6 +462,18 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
                         return 0;
         }
 
+        if (manip == IP_NAT_MANIP_SRC)
+                statusbit = IPS_SRC_NAT;
+        else
+                statusbit = IPS_DST_NAT;
+
+        /* Invert if this is reply dir. */
+        if (dir == IP_CT_DIR_REPLY)
+                statusbit ^= IPS_NAT_MASK;
+
+        if (!(ct->status & statusbit))
+                return 1;
+
         pr_debug("icmp_reply_translation: translating error %p manip %u "
                  "dir %s\n", skb, manip,
                  dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY");
@@ -496,20 +508,9 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
 
         /* Change outer to look the reply to an incoming packet
          * (proto 0 means don't invert per-proto part). */
-        if (manip == IP_NAT_MANIP_SRC)
-                statusbit = IPS_SRC_NAT;
-        else
-                statusbit = IPS_DST_NAT;
-
-        /* Invert if this is reply dir. */
-        if (dir == IP_CT_DIR_REPLY)
-                statusbit ^= IPS_NAT_MASK;
-
-        if (ct->status & statusbit) {
-                nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
-                if (!manip_pkt(0, skb, 0, &target, manip))
-                        return 0;
-        }
+        nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
+        if (!manip_pkt(0, skb, 0, &target, manip))
+                return 0;
 
         return 1;
 }