diff options
author | Patrick McHardy <kaber@trash.net> | 2006-05-29 21:21:53 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-06-18 00:28:55 -0400 |
commit | 6442f1cf897643d4ca597f2f7d3464b765bae960 (patch) | |
tree | 0708a7d312c1db1f78c20df9cbdfc9f5e6218523 | |
parent | 404bdbfd242cb99ca0e9d3eb5fbb5bcd54123081 (diff) |
[NETFILTER]: conntrack: don't call helpers for related ICMP messages
None of the existing helpers expects to get called for related ICMP
packets and some even drop them if they can't parse them.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_standalone.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 | ||||
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 |
3 files changed, 3 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index 929d61f7be91..f0cc7feb0da3 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c | |||
@@ -417,7 +417,7 @@ static unsigned int ip_conntrack_help(unsigned int hooknum, | |||
417 | 417 | ||
418 | /* This is where we call the helper: as the packet goes out. */ | 418 | /* This is where we call the helper: as the packet goes out. */ |
419 | ct = ip_conntrack_get(*pskb, &ctinfo); | 419 | ct = ip_conntrack_get(*pskb, &ctinfo); |
420 | if (ct && ct->helper) { | 420 | if (ct && ct->helper && ctinfo != IP_CT_RELATED + IP_CT_IS_REPLY) { |
421 | unsigned int ret; | 421 | unsigned int ret; |
422 | ret = ct->helper->help(pskb, ct, ctinfo); | 422 | ret = ct->helper->help(pskb, ct, ctinfo); |
423 | if (ret != NF_ACCEPT) | 423 | if (ret != NF_ACCEPT) |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 77d974443c7b..8cc8e1b36778 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
@@ -145,7 +145,7 @@ static unsigned int ipv4_conntrack_help(unsigned int hooknum, | |||
145 | 145 | ||
146 | /* This is where we call the helper: as the packet goes out. */ | 146 | /* This is where we call the helper: as the packet goes out. */ |
147 | ct = nf_ct_get(*pskb, &ctinfo); | 147 | ct = nf_ct_get(*pskb, &ctinfo); |
148 | if (!ct) | 148 | if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY) |
149 | return NF_ACCEPT; | 149 | return NF_ACCEPT; |
150 | 150 | ||
151 | help = nfct_help(ct); | 151 | help = nfct_help(ct); |
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 93bae36f2663..2a71c3b669f1 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | |||
@@ -189,7 +189,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum, | |||
189 | 189 | ||
190 | /* This is where we call the helper: as the packet goes out. */ | 190 | /* This is where we call the helper: as the packet goes out. */ |
191 | ct = nf_ct_get(*pskb, &ctinfo); | 191 | ct = nf_ct_get(*pskb, &ctinfo); |
192 | if (!ct) | 192 | if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY) |
193 | goto out; | 193 | goto out; |
194 | 194 | ||
195 | help = nfct_help(ct); | 195 | help = nfct_help(ct); |