Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6442f1cf authored May 29, 2006 by Patrick McHardy Committed by David S. Miller Jun 17, 2006

[NETFILTER]: conntrack: don't call helpers for related ICMP messages



None of the existing helpers expects to get called for related ICMP
packets and some even drop them if they can't parse them.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 404bdbfd

net/ipv4/netfilter/ip_conntrack_standalone.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -417,7 +417,7 @@ static unsigned int ip_conntrack_help(unsigned int hooknum,

		/* This is where we call the helper: as the packet goes out. */
		ct = ip_conntrack_get(*pskb, &ctinfo);
		if (ct && ct->helper) {
		if (ct && ct->helper && ctinfo != IP_CT_RELATED + IP_CT_IS_REPLY) {
		unsigned int ret;
		ret = ct->helper->help(pskb, ct, ctinfo);
		if (ret != NF_ACCEPT)

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -145,7 +145,7 @@ static unsigned int ipv4_conntrack_help(unsigned int hooknum,

		/* This is where we call the helper: as the packet goes out. */
		ct = nf_ct_get(*pskb, &ctinfo);
		if (!ct)
		if (!ct \|\| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)
		return NF_ACCEPT;

		help = nfct_help(ct);

net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -189,7 +189,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,

		/* This is where we call the helper: as the packet goes out. */
		ct = nf_ct_get(*pskb, &ctinfo);
		if (!ct)
		if (!ct \|\| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)
		goto out;

		help = nfct_help(ct);