authorYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>2005-11-09 16:02:45 -0500
committerDavid S. Miller <davem@davemloft.net>2005-11-09 16:02:45 -0500
commitd63a92810807e8da298895236f2b99697e884014 (patch)
treed687ea375c969fb220cc6fbb82b28ae51524b07b
parented77de9fc69076e6e7c85edf7c1b70650f53121a (diff)
[NETFILTER]: stop tracking ICMP error at early point
Currently, connection tracking handles an ICMP error like a normal packet if it fails to find the related connection, but tracking that packet then fails later anyway. This patch makes connection tracking stop tracking such ICMP errors at an early point. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_icmp.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index 98f0015dd255..9481d159acb6 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
151 /* Not enough header? */ 151 /* Not enough header? */
152 inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in); 152 inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in);
153 if (inside == NULL) 153 if (inside == NULL)
154 return NF_ACCEPT; 154 return -NF_ACCEPT;
155 155
156 /* Ignore ICMP's containing fragments (shouldn't happen) */ 156 /* Ignore ICMP's containing fragments (shouldn't happen) */
157 if (inside->ip.frag_off & htons(IP_OFFSET)) { 157 if (inside->ip.frag_off & htons(IP_OFFSET)) {
158 DEBUGP("icmp_error_track: fragment of proto %u\n", 158 DEBUGP("icmp_error_track: fragment of proto %u\n",
159 inside->ip.protocol); 159 inside->ip.protocol);
160 return NF_ACCEPT; 160 return -NF_ACCEPT;
161 } 161 }
162 162
163 innerproto = ip_conntrack_proto_find_get(inside->ip.protocol); 163 innerproto = ip_conntrack_proto_find_get(inside->ip.protocol);
@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
166 if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) { 166 if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) {
167 DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol); 167 DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol);
168 ip_conntrack_proto_put(innerproto); 168 ip_conntrack_proto_put(innerproto);
169 return NF_ACCEPT; 169 return -NF_ACCEPT;
170 } 170 }
171 171
172 /* Ordinarily, we'd expect the inverted tupleproto, but it's 172 /* Ordinarily, we'd expect the inverted tupleproto, but it's
@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
174 if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) { 174 if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) {
175 DEBUGP("icmp_error_track: Can't invert tuple\n"); 175 DEBUGP("icmp_error_track: Can't invert tuple\n");
176 ip_conntrack_proto_put(innerproto); 176 ip_conntrack_proto_put(innerproto);
177 return NF_ACCEPT; 177 return -NF_ACCEPT;
178 } 178 }
179 ip_conntrack_proto_put(innerproto); 179 ip_conntrack_proto_put(innerproto);
180 180
@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
190 190
191 if (!h) { 191 if (!h) {
192 DEBUGP("icmp_error_track: no match\n"); 192 DEBUGP("icmp_error_track: no match\n");
193 return NF_ACCEPT; 193 return -NF_ACCEPT;
194 } 194 }
195 /* Reverse direction from that found */ 195 /* Reverse direction from that found */
196 if (DIRECTION(h) != IP_CT_DIR_REPLY) 196 if (DIRECTION(h) != IP_CT_DIR_REPLY)
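Review bot: The five `return -NF_ACCEPT;` sites (new lines 154, 160, 169, 177 and 193) depend on a sign convention that nothing in the visible code states, so a reader cannot tell from these hunks why the verdict is negated or how it differs in effect from `NF_ACCEPT`. These are the paths taken by truncated, fragment-carrying, unparseable or unmatched ICMP errors, so anyone auditing filter rules needs to know that such packets are accepted without tracking rather than dropped. A comment at the first site would make that explicit, for example `/* Negative verdict: stop tracking here; the packet is still accepted. */`. That wording assumes, from the commit description, that the caller treats a non-positive return as "do not track" and negates it, which should be confirmed against the caller. icmp_error_message begins and ends outside these hunks, so its header comment may be the better place for the return contract.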