[NETFILTER]: nf_nat: remove obsolete check for ICMP redirects

Locally generated ICMP packets have a reference to the conntrack entry of the original packet manually attached by icmp_send(). Therefore the check for locally originated untracked ICMP redirects can never be true. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2008-04-14 05:15:50 -0400
committer: Patrick McHardy <kaber@trash.net> 2008-04-14 05:15:50 -0400
commit: 42cf800c240fa845e9c154429d70d62750e65b64 (patch)
tree: e3144f6b168499ae946cad846259a8b024379691 /net/ipv4
parent: 9d908a69a32e0171eb5eeac93f2f46ffa4190573 (diff)
1 files changed, 1 insertions, 14 deletions
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 4a3e0f85db97..c362f672755a 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum,
           have dropped it.  Hence it's the user's responsibilty to
           packet filter it out, or implement conntrack/NAT for that
           protocol. 8) --RR */
-        if (!ct) {
+        if (!ct)
-                /* Exception: ICMP redirect to new connection (not in
-                   hash table yet).  We must not let this through, in
-                   case we're doing NAT to the same network. */
-                if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
-                        struct icmphdr _hdr, *hp;
-                        hp = skb_header_pointer(skb, ip_hdrlen(skb),
-                                                sizeof(_hdr), &_hdr);
-                        if (hp != NULL &&
-                            hp->type == ICMP_REDIRECT)
-                                return NF_DROP;
-                }
                return NF_ACCEPT;
-        }
        /* Don't try to NAT if this packet is not conntracked */
        if (ct == &nf_conntrack_untracked)
author	Patrick McHardy <kaber@trash.net>	2008-04-14 05:15:50 -0400
committer	Patrick McHardy <kaber@trash.net>	2008-04-14 05:15:50 -0400
commit	42cf800c240fa845e9c154429d70d62750e65b64 (patch)
tree	e3144f6b168499ae946cad846259a8b024379691 /net/ipv4
parent	9d908a69a32e0171eb5eeac93f2f46ffa4190573 (diff)

diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 4a3e0f85db97..c362f672755a 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum,
93	have dropped it. Hence it's the user's responsibilty to	93	have dropped it. Hence it's the user's responsibilty to
94	packet filter it out, or implement conntrack/NAT for that	94	packet filter it out, or implement conntrack/NAT for that
95	protocol. 8) --RR */	95	protocol. 8) --RR */
96	if (!ct) {	96	if (!ct)
97	/* Exception: ICMP redirect to new connection (not in
98	hash table yet). We must not let this through, in
99	case we're doing NAT to the same network. */
100	if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
101	struct icmphdr _hdr, *hp;
102
103	hp = skb_header_pointer(skb, ip_hdrlen(skb),
104	sizeof(_hdr), &_hdr);
105	if (hp != NULL &&
106	hp->type == ICMP_REDIRECT)
107	return NF_DROP;
108	}
109	return NF_ACCEPT;	97	return NF_ACCEPT;
110	}
111		98
112	/* Don't try to NAT if this packet is not conntracked */	99	/* Don't try to NAT if this packet is not conntracked */
113	if (ct == &nf_conntrack_untracked)	100	if (ct == &nf_conntrack_untracked)