
Commit 42cf800c authored by Patrick McHardy

[NETFILTER]: nf_nat: remove obsolete check for ICMP redirects
Locally generated ICMP packets have a reference to the conntrack entry
of the original packet manually attached by icmp_send(). Therefore the
check for locally originated untracked ICMP redirects can never be
true.

Signed-off-by: Patrick McHardy <kaber@trash.net>
parent 9d908a69
+1 −14
@@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum,
	   have dropped it.  Hence it's the user's responsibilty to
	   packet filter it out, or implement conntrack/NAT for that
	   protocol. 8) --RR */
	if (!ct) {
		/* Exception: ICMP redirect to new connection (not in
		   hash table yet).  We must not let this through, in
		   case we're doing NAT to the same network. */
		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
			struct icmphdr _hdr, *hp;

			hp = skb_header_pointer(skb, ip_hdrlen(skb),
						sizeof(_hdr), &_hdr);
			if (hp != NULL &&
			    hp->type == ICMP_REDIRECT)
				return NF_DROP;
		}
	if (!ct)
		return NF_ACCEPT;
	}

	/* Don't try to NAT if this packet is not conntracked */
	if (ct == &nf_conntrack_untracked)
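Review bot: the justification given covers only the locally generated case, while the comment being deleted in this hunk ("ICMP redirect to new connection (not in hash table yet). We must not let this through, in case we're doing NAT to the same network") describes a risk that is not limited to packets built by icmp_send(); the commit message should also state why a forwarded ICMP redirect can no longer reach nf_nat_fn() with ct == NULL, or where such a packet is now dropped, so that the reasoning behind the original NF_DROP is not lost with the code. Suggest either extending the log message with that argument or keeping a one-line comment above the new `if (!ct) return NF_ACCEPT;` pointing at the place that handles untracked redirects. Minor: the untouched context line above still carries the typo "responsibilty"; worth fixing while this comment block is being edited.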