diff options
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 6f89b105a205..2863e72b4091 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1052,17 +1052,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
| 1052 | } | 1052 | } |
| 1053 | /* implicit 'else' */ | 1053 | /* implicit 'else' */ |
| 1054 | 1054 | ||
| 1055 | /* we only allow nat config for new conntracks */ | ||
| 1056 | if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) { | ||
| 1057 | err = -EINVAL; | ||
| 1058 | goto out_unlock; | ||
| 1059 | } | ||
| 1060 | |||
| 1061 | /* We manipulate the conntrack inside the global conntrack table lock, | 1055 | /* We manipulate the conntrack inside the global conntrack table lock, |
| 1062 | * so there's no need to increase the refcount */ | 1056 | * so there's no need to increase the refcount */ |
| 1063 | err = -EEXIST; | 1057 | err = -EEXIST; |
| 1064 | if (!(nlh->nlmsg_flags & NLM_F_EXCL)) | 1058 | if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { |
| 1065 | err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda); | 1059 | /* we only allow nat config for new conntracks */ |
| 1060 | if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) { | ||
| 1061 | err = -EINVAL; | ||
| 1062 | goto out_unlock; | ||
| 1063 | } | ||
| 1064 | err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), | ||
| 1065 | cda); | ||
| 1066 | } | ||
| 1066 | 1067 | ||
| 1067 | out_unlock: | 1068 | out_unlock: |
| 1068 | write_unlock_bh(&nf_conntrack_lock); | 1069 | write_unlock_bh(&nf_conntrack_lock); |