diff options
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 16 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 16 |
2 files changed, 8 insertions, 24 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index c6ab3d99e792..d71ba7677344 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -82,17 +82,10 @@ static int icmp_packet(struct nf_conn *ct, | |||
| 82 | u_int8_t pf, | 82 | u_int8_t pf, |
| 83 | unsigned int hooknum) | 83 | unsigned int hooknum) |
| 84 | { | 84 | { |
| 85 | /* Try to delete connection immediately after all replies: | 85 | /* Do not immediately delete the connection after the first |
| 86 | won't actually vanish as we still have skb, and del_timer | 86 | successful reply to avoid excessive conntrackd traffic |
| 87 | means this will only run once even if count hits zero twice | 87 | and also to handle correctly ICMP echo reply duplicates. */ |
| 88 | (theoretically possible with SMP) */ | 88 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); |
| 89 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) { | ||
| 90 | if (atomic_dec_and_test(&ct->proto.icmp.count)) | ||
| 91 | nf_ct_kill_acct(ct, ctinfo, skb); | ||
| 92 | } else { | ||
| 93 | atomic_inc(&ct->proto.icmp.count); | ||
| 94 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); | ||
| 95 | } | ||
| 96 | 89 | ||
| 97 | return NF_ACCEPT; | 90 | return NF_ACCEPT; |
| 98 | } | 91 | } |
| @@ -116,7 +109,6 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
| 116 | nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple); | 109 | nf_ct_dump_tuple_ip(&ct->tuplehash[0].tuple); |
| 117 | return false; | 110 | return false; |
| 118 | } | 111 | } |
| 119 | atomic_set(&ct->proto.icmp.count, 0); | ||
| 120 | return true; | 112 | return true; |
| 121 | } | 113 | } |
| 122 | 114 | ||
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index a0acd9655fef..642dcb127bab 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | |||
| @@ -95,17 +95,10 @@ static int icmpv6_packet(struct nf_conn *ct, | |||
| 95 | u_int8_t pf, | 95 | u_int8_t pf, |
| 96 | unsigned int hooknum) | 96 | unsigned int hooknum) |
| 97 | { | 97 | { |
| 98 | /* Try to delete connection immediately after all replies: | 98 | /* Do not immediately delete the connection after the first |
| 99 | won't actually vanish as we still have skb, and del_timer | 99 | successful reply to avoid excessive conntrackd traffic |
| 100 | means this will only run once even if count hits zero twice | 100 | and also to handle correctly ICMP echo reply duplicates. */ |
| 101 | (theoretically possible with SMP) */ | 101 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout); |
| 102 | if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) { | ||
| 103 | if (atomic_dec_and_test(&ct->proto.icmp.count)) | ||
| 104 | nf_ct_kill_acct(ct, ctinfo, skb); | ||
| 105 | } else { | ||
| 106 | atomic_inc(&ct->proto.icmp.count); | ||
| 107 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout); | ||
| 108 | } | ||
| 109 | 102 | ||
| 110 | return NF_ACCEPT; | 103 | return NF_ACCEPT; |
| 111 | } | 104 | } |
| @@ -131,7 +124,6 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
| 131 | type + 128); | 124 | type + 128); |
| 132 | return false; | 125 | return false; |
| 133 | } | 126 | } |
| 134 | atomic_set(&ct->proto.icmp.count, 0); | ||
| 135 | return true; | 127 | return true; |
| 136 | } | 128 | } |
| 137 | 129 | ||