diff options
| author | Christoph Paasch <christoph.paasch@gmail.com> | 2009-03-16 10:51:29 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2009-03-16 10:51:29 -0400 |
| commit | ec8d540969da9a70790e9028d57b5b577dd7aa77 (patch) | |
| tree | 375d23d65f3288776de1585cccae5270b90a56af | |
| parent | 626ba8fbac9156a94a80be46ffd2f2ce9e4e89a0 (diff) | |
netfilter: conntrack: fix dropping packet after l4proto->packet()
We currently use the negative value in the conntrack code to encode
the packet verdict in the error. As NF_DROP is equal to 0, inverting
NF_DROP makes no sense and, as a result, no packets are ever dropped.
Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 90ce9ddb9451..f4935e344b61 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
| @@ -726,7 +726,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | |||
| 726 | NF_CT_ASSERT(skb->nfct); | 726 | NF_CT_ASSERT(skb->nfct); |
| 727 | 727 | ||
| 728 | ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum); | 728 | ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum); |
| 729 | if (ret < 0) { | 729 | if (ret <= 0) { |
| 730 | /* Invalid: inverse of the return code tells | 730 | /* Invalid: inverse of the return code tells |
| 731 | * the netfilter core what to do */ | 731 | * the netfilter core what to do */ |
| 732 | pr_debug("nf_conntrack_in: Can't track with proto module\n"); | 732 | pr_debug("nf_conntrack_in: Can't track with proto module\n"); |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index a1edb9c1adee..f3fd154d1ddd 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -859,7 +859,7 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 859 | */ | 859 | */ |
| 860 | if (nf_ct_kill(ct)) | 860 | if (nf_ct_kill(ct)) |
| 861 | return -NF_REPEAT; | 861 | return -NF_REPEAT; |
| 862 | return -NF_DROP; | 862 | return NF_DROP; |
| 863 | } | 863 | } |
| 864 | /* Fall through */ | 864 | /* Fall through */ |
| 865 | case TCP_CONNTRACK_IGNORE: | 865 | case TCP_CONNTRACK_IGNORE: |
| @@ -892,7 +892,7 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 892 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | 892 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, |
| 893 | "nf_ct_tcp: killing out of sync session "); | 893 | "nf_ct_tcp: killing out of sync session "); |
| 894 | nf_ct_kill(ct); | 894 | nf_ct_kill(ct); |
| 895 | return -NF_DROP; | 895 | return NF_DROP; |
| 896 | } | 896 | } |
| 897 | ct->proto.tcp.last_index = index; | 897 | ct->proto.tcp.last_index = index; |
| 898 | ct->proto.tcp.last_dir = dir; | 898 | ct->proto.tcp.last_dir = dir; |