diff options
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c index 98f0015dd255..9481d159acb6 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c | |||
| @@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb, | |||
| 151 | /* Not enough header? */ | 151 | /* Not enough header? */ |
| 152 | inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in); | 152 | inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in); |
| 153 | if (inside == NULL) | 153 | if (inside == NULL) |
| 154 | return NF_ACCEPT; | 154 | return -NF_ACCEPT; |
| 155 | 155 | ||
| 156 | /* Ignore ICMP's containing fragments (shouldn't happen) */ | 156 | /* Ignore ICMP's containing fragments (shouldn't happen) */ |
| 157 | if (inside->ip.frag_off & htons(IP_OFFSET)) { | 157 | if (inside->ip.frag_off & htons(IP_OFFSET)) { |
| 158 | DEBUGP("icmp_error_track: fragment of proto %u\n", | 158 | DEBUGP("icmp_error_track: fragment of proto %u\n", |
| 159 | inside->ip.protocol); | 159 | inside->ip.protocol); |
| 160 | return NF_ACCEPT; | 160 | return -NF_ACCEPT; |
| 161 | } | 161 | } |
| 162 | 162 | ||
| 163 | innerproto = ip_conntrack_proto_find_get(inside->ip.protocol); | 163 | innerproto = ip_conntrack_proto_find_get(inside->ip.protocol); |
| @@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb, | |||
| 166 | if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) { | 166 | if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) { |
| 167 | DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol); | 167 | DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol); |
| 168 | ip_conntrack_proto_put(innerproto); | 168 | ip_conntrack_proto_put(innerproto); |
| 169 | return NF_ACCEPT; | 169 | return -NF_ACCEPT; |
| 170 | } | 170 | } |
| 171 | 171 | ||
| 172 | /* Ordinarily, we'd expect the inverted tupleproto, but it's | 172 | /* Ordinarily, we'd expect the inverted tupleproto, but it's |
| @@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb, | |||
| 174 | if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) { | 174 | if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) { |
| 175 | DEBUGP("icmp_error_track: Can't invert tuple\n"); | 175 | DEBUGP("icmp_error_track: Can't invert tuple\n"); |
| 176 | ip_conntrack_proto_put(innerproto); | 176 | ip_conntrack_proto_put(innerproto); |
| 177 | return NF_ACCEPT; | 177 | return -NF_ACCEPT; |
| 178 | } | 178 | } |
| 179 | ip_conntrack_proto_put(innerproto); | 179 | ip_conntrack_proto_put(innerproto); |
| 180 | 180 | ||
| @@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb, | |||
| 190 | 190 | ||
| 191 | if (!h) { | 191 | if (!h) { |
| 192 | DEBUGP("icmp_error_track: no match\n"); | 192 | DEBUGP("icmp_error_track: no match\n"); |
| 193 | return NF_ACCEPT; | 193 | return -NF_ACCEPT; |
| 194 | } | 194 | } |
| 195 | /* Reverse direction from that found */ | 195 | /* Reverse direction from that found */ |
| 196 | if (DIRECTION(h) != IP_CT_DIR_REPLY) | 196 | if (DIRECTION(h) != IP_CT_DIR_REPLY) |