diff options
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 15 |
1 files changed, 1 insertions, 14 deletions
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 4a3e0f85db97..c362f672755a 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
| @@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum, | |||
| 93 | have dropped it. Hence it's the user's responsibilty to | 93 | have dropped it. Hence it's the user's responsibilty to |
| 94 | packet filter it out, or implement conntrack/NAT for that | 94 | packet filter it out, or implement conntrack/NAT for that |
| 95 | protocol. 8) --RR */ | 95 | protocol. 8) --RR */ |
| 96 | if (!ct) { | 96 | if (!ct) |
| 97 | /* Exception: ICMP redirect to new connection (not in | ||
| 98 | hash table yet). We must not let this through, in | ||
| 99 | case we're doing NAT to the same network. */ | ||
| 100 | if (ip_hdr(skb)->protocol == IPPROTO_ICMP) { | ||
| 101 | struct icmphdr _hdr, *hp; | ||
| 102 | |||
| 103 | hp = skb_header_pointer(skb, ip_hdrlen(skb), | ||
| 104 | sizeof(_hdr), &_hdr); | ||
| 105 | if (hp != NULL && | ||
| 106 | hp->type == ICMP_REDIRECT) | ||
| 107 | return NF_DROP; | ||
| 108 | } | ||
| 109 | return NF_ACCEPT; | 97 | return NF_ACCEPT; |
| 110 | } | ||
| 111 | 98 | ||
| 112 | /* Don't try to NAT if this packet is not conntracked */ | 99 | /* Don't try to NAT if this packet is not conntracked */ |
| 113 | if (ct == &nf_conntrack_untracked) | 100 | if (ct == &nf_conntrack_untracked) |