netfilter: conntrack: don't deliver events for racy packets

This patch skips the delivery of conntrack events if the packet was drop due to a race condition in the conntrack insertion. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2009-03-16 10:06:42 -0400
committer: Patrick McHardy <kaber@trash.net> 2009-03-16 10:06:42 -0400
commit: b1e93a68ca41e7e73766f95ba32ca05cf9052e15 (patch)
tree: 6ace3ccb810bda4e3f5bc9bd20b103a53c97bb46
parent: 325fb5b4d26038cba665dd0d8ee09555321061f0 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index c25068e38516..5a449b44ba33 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -62,7 +62,8 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
        if (ct && ct != &nf_conntrack_untracked) {
                if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
                        ret = __nf_conntrack_confirm(skb);
-                nf_ct_deliver_cached_events(ct);
+                if (likely(ret == NF_ACCEPT))
+                        nf_ct_deliver_cached_events(ct);
        }
        return ret;
 }
author	Pablo Neira Ayuso <pablo@netfilter.org>	2009-03-16 10:06:42 -0400
committer	Patrick McHardy <kaber@trash.net>	2009-03-16 10:06:42 -0400
commit	b1e93a68ca41e7e73766f95ba32ca05cf9052e15 (patch)
tree	6ace3ccb810bda4e3f5bc9bd20b103a53c97bb46
parent	325fb5b4d26038cba665dd0d8ee09555321061f0 (diff)