diff options
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index c6ab3d99e792..d71ba7677344 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -82,17 +82,10 @@ static int icmp_packet(struct nf_conn *ct, | |||
| 82 | u_int8_t pf, | 82 | u_int8_t pf, |
| 83 | unsigned int hooknum) | 83 | unsigned int hooknum) |
| 84 | { | 84 | { |
| 85 | /* Try to delete connection immediately after all replies: | 85 | /* Do not immediately delete the connection after the first |
| 86 | won't actually vanish as we still have skb, and del_timer | 86 | successful reply to avoid excessive conntrackd traffic |
| 87 | means this will only run once even if count hits zero twice | 87 | and also to handle correctly ICMP echo reply duplicates. */ |
| 88 | (theoretically possible with SMP) */ | 88 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); |
| 89 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) { | ||
| 90 | if (atomic_dec_and_test(&ct->proto.icmp.count)) | ||
| 91 | nf_ct_kill_acct(ct, ctinfo, skb); | ||
| 92 | } else { | ||
| 93 | atomic_inc(&ct->proto.icmp.count); | ||
| 94 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); | ||
| 95 | } | ||
| 96 | 89 | ||
| 97 | return NF_ACCEPT; | 90 | return NF_ACCEPT; |
| 98 | } | 91 | } |
| @@ -116,7 +109,6 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
| 116 | nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple); | 109 | nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple); |
| 117 | return false; | 110 | return false; |
| 118 | } | 111 | } |
| 119 | atomic_set(&ct->proto.icmp.count, 0); | ||
| 120 | return true; | 112 | return true; |
| 121 | } | 113 | } |
| 122 | 114 | ||