aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2014-04-28 15:07:31 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2014-04-29 14:49:08 -0400
commitfe337ac2839521b360f828b3ebd992d597b1ad16 (patch)
tree000b67f61cfbc42e61c378e9a51e5fb59b3026f8
parent014f1b20108dc2c0bb0777d8383654a089c790f8 (diff)
netfilter: ctnetlink: don't add null bindings if no nat requested
commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race where nat initialisation can happen after ctnetlink-created conntrack has been created. However, it causes the nat module(s) to be loaded needlessly on systems that are not using NAT. Fortunately, we do not have to create null bindings in that case. conntracks injected via ctnetlink always have the CONFIRMED bit set, which prevents addition of the nat extension in nf_nat_ipv4/6_fn(). We only need to make sure that either no nat extension is added or that we've created both src and dst manips. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat
-rw-r--r--net/netfilter/nf_conntrack_netlink.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ccc46fa5edbc..58579634427d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1336#ifdef CONFIG_NF_NAT_NEEDED 1336#ifdef CONFIG_NF_NAT_NEEDED
1337 int ret; 1337 int ret;
1338 1338
1339 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1340 return 0;
1341
1339 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, 1342 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1340 cda[CTA_NAT_DST]); 1343 cda[CTA_NAT_DST]);
1341 if (ret < 0) 1344 if (ret < 0)
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-22 14:22:46 -0400