Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 94d117a1 authored by Eric Dumazet's avatar Eric Dumazet Committed by Patrick McHardy
Browse files

netfilter: ipt_CLUSTERIP: remove "no conntrack!" 



When a packet is meant to be handled by another node of the cluster,
silently drop it instead of flooding kernel log.

Note : INVALID packets are also dropped without notice.

Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Acked-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent a8fc0d9b

net/ipv4/netfilter/ipt_CLUSTERIP.c

+1 −6
Original line number Diff line number Diff line
@@ -300,13 +300,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) 
	 * that the ->target() function isn't called after ->destroy() */



	ct = nf_ct_get(skb, &ctinfo);

	if (ct == NULL) {

		pr_info("no conntrack!\n");

			/* FIXME: need to drop invalid ones, since replies

			 * to outgoing connections of other nodes will be

			 * marked as INVALID */

	if (ct == NULL)

		return NF_DROP;

	}



	/* special case: ICMP error handling. conntrack distinguishes between

	 * error messages (RELATED) and information requests (see below) */