-rw-r--r-- | net/ipv4/ip_output.c | 9 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_standalone.c | 7 | ||||
-rw-r--r-- | net/packet/af_packet.c | 6 |
3 files changed, 13 insertions, 9 deletions
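--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -107,7 +107,6 @@ static int ip_dev_loopback_xmit(struct sk_buff *newskb)
 newskb->pkt_type = PACKET_LOOPBACK;
 newskb->ip_summed = CHECKSUM_UNNECESSARY;
 BUG_TRAP(newskb->dst);
-nf_reset(newskb);
 netif_rx(newskb);
 return 0;
 }
@@ -188,14 +187,6 @@ static inline int ip_finish_output2(struct sk_buff *skb)
 skb = skb2;
 }
 
-#ifdef CONFIG_BRIDGE_NETFILTER
-/* bridge-netfilter defers calling some IP hooks to the bridge layer
-* and still needs the conntrack reference.
-*/
-if (skb->nf_bridge == NULL)
-#endif
-nf_reset(skb);
-
 if (hh) {
 int hh_alen;
 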
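--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -432,6 +432,13 @@ static unsigned int ip_conntrack_defrag(unsigned int hooknum,
 const struct net_device *out,
 int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
+/* Previously seen (loopback)? Ignore. Do this before
+fragment check. */
+if ((*pskb)->nfct)
+return NF_ACCEPT;
+#endif
+
 /* Gather fragments. */
 if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
 *pskb = ip_ct_gather_frags(*pskb,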
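Review bot: The early `return NF_ACCEPT` at the top of ip_conntrack_defrag treats any skb that arrives with `(*pskb)->nfct` set as already tracked, but the comment names neither the invariant that makes this safe nor the reason the shortcut is compiled out when CONFIG_IP_NF_NAT or CONFIG_IP_NF_NAT_MODULE is defined. Because this commit also removes the nf_reset() calls from ip_output.c, the check now depends on every path that hands an skb outside the stack dropping the reference itself. I would extend the comment to say so, for example `/* Previously seen (loopback)? Ignore. Relies on nf_reset() wherever an skb leaves the stack. */`, and add one sentence on why NAT builds must still reach the fragment check. The function body continues past the end of this hunk.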
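--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -274,6 +274,9 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, struct
 dst_release(skb->dst);
 skb->dst = NULL;
 
+/* drop conntrack reference */
+nf_reset(skb);
+
 spkt = (struct sockaddr_pkt*)skb->cb;
 
 skb_push(skb, skb->data-skb->mac.raw);
@@ -517,6 +520,9 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
 dst_release(skb->dst);
 skb->dst = NULL;
 
+/* drop conntrack reference */
+nf_reset(skb);
+
 spin_lock(&sk->sk_receive_queue.lock);
 po->stats.tp_packets++;
 __skb_queue_tail(&sk->sk_receive_queue, skb);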
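Review bot: The new comment `/* drop conntrack reference */` in packet_rcv and packet_rcv_spkt says what nf_reset() does but not why it is needed at these two points. In packet_rcv the skb is appended to `sk->sk_receive_queue` a few lines later, so without the reset a packet left unread on a socket would presumably keep its conntrack entry referenced for as long as it stays queued. I would write `/* drop conntrack reference: a queued skb must not pin the conntrack entry */` at both sites. Any other receive path in this file that queues an skb (none is visible in these hunks) needs the same reset now that ip_output.c no longer does it. Both function bodies start and end outside the hunks.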