diff options
author | Patrick McHardy <kaber@trash.net> | 2008-04-14 05:15:51 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2008-04-14 05:15:51 -0400 |
commit | 8c87238b726e543f8af4bdb4296020a328df4744 (patch) | |
tree | d6c74123cfdd8ccd784f8383446a19d260c9bddf /include/net | |
parent | 42cf800c240fa845e9c154429d70d62750e65b64 (diff) |
[NETFILTER]: nf_nat: don't add NAT extension for confirmed conntracks
Adding extensions to confirmed conntracks is not allowed to avoid races
on reallocation. Don't setup NAT for confirmed conntracks in case NAT
module is loaded late.
The has one side-effect, the connections existing before the NAT module
was loaded won't enter the bysource hash. The only case where this actually
makes a difference is in case of SNAT to a multirange where the IP before
NAT is also part of the range. Since old connections don't enter the
bysource hash the first new connection from the IP will have a new address
selected. This shouldn't matter at all.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/netfilter/nf_nat_rule.h | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/include/net/netfilter/nf_nat_rule.h b/include/net/netfilter/nf_nat_rule.h index 75d1825031d7..e4a18ae361c6 100644 --- a/include/net/netfilter/nf_nat_rule.h +++ b/include/net/netfilter/nf_nat_rule.h | |||
@@ -14,7 +14,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb, | |||
14 | 14 | ||
15 | extern unsigned int | 15 | extern unsigned int |
16 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum); | 16 | alloc_null_binding(struct nf_conn *ct, unsigned int hooknum); |
17 | |||
18 | extern unsigned int | ||
19 | alloc_null_binding_confirmed(struct nf_conn *ct, unsigned int hooknum); | ||
20 | #endif /* _NF_NAT_RULE_H */ | 17 | #endif /* _NF_NAT_RULE_H */ |