diff options
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index a0acd9655fef..642dcb127bab 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | |||
@@ -95,17 +95,10 @@ static int icmpv6_packet(struct nf_conn *ct, | |||
95 | u_int8_t pf, | 95 | u_int8_t pf, |
96 | unsigned int hooknum) | 96 | unsigned int hooknum) |
97 | { | 97 | { |
98 | /* Try to delete connection immediately after all replies: | 98 | /* Do not immediately delete the connection after the first |
99 | won't actually vanish as we still have skb, and del_timer | 99 | successful reply to avoid excessive conntrackd traffic |
100 | means this will only run once even if count hits zero twice | 100 | and also to handle correctly ICMP echo reply duplicates. */ |
101 | (theoretically possible with SMP) */ | 101 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout); |
102 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) { | ||
103 | if (atomic_dec_and_test(&ct->proto.icmp.count)) | ||
104 | nf_ct_kill_acct(ct, ctinfo, skb); | ||
105 | } else { | ||
106 | atomic_inc(&ct->proto.icmp.count); | ||
107 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout); | ||
108 | } | ||
109 | 102 | ||
110 | return NF_ACCEPT; | 103 | return NF_ACCEPT; |
111 | } | 104 | } |
@@ -131,7 +124,6 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
131 | type + 128); | 124 | type + 128); |
132 | return false; | 125 | return false; |
133 | } | 126 | } |
134 | atomic_set(&ct->proto.icmp.count, 0); | ||
135 | return true; | 127 | return true; |
136 | } | 128 | } |
137 | 129 | ||