]> err.no Git - linux-2.6/commitdiff
[NETFILTER]: stop tracking ICMP error at early point
authorYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Wed, 9 Nov 2005 21:02:45 +0000 (13:02 -0800)
committerDavid S. Miller <davem@davemloft.net>
Wed, 9 Nov 2005 21:02:45 +0000 (13:02 -0800)
Currently connection tracking handles ICMP error like normal packets
if it failed to get related connection. But it fails that after all.

This makes connection tracking stop tracking ICMP error at early point.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ip_conntrack_proto_icmp.c

index 98f0015dd255ab593563fcc110b8c5ff67380183..9481d159acb6f22035fab7797ff61fd462696479 100644 (file)
@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
        /* Not enough header? */
        inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in);
        if (inside == NULL)
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
 
        /* Ignore ICMP's containing fragments (shouldn't happen) */
        if (inside->ip.frag_off & htons(IP_OFFSET)) {
                DEBUGP("icmp_error_track: fragment of proto %u\n",
                       inside->ip.protocol);
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
        }
 
        innerproto = ip_conntrack_proto_find_get(inside->ip.protocol);
@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
        if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) {
                DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol);
                ip_conntrack_proto_put(innerproto);
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
        }
 
        /* Ordinarily, we'd expect the inverted tupleproto, but it's
@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
        if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) {
                DEBUGP("icmp_error_track: Can't invert tuple\n");
                ip_conntrack_proto_put(innerproto);
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
        }
        ip_conntrack_proto_put(innerproto);
 
@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
 
                if (!h) {
                        DEBUGP("icmp_error_track: no match\n");
-                       return NF_ACCEPT;
+                       return -NF_ACCEPT;
                }
                /* Reverse direction from that found */
                if (DIRECTION(h) != IP_CT_DIR_REPLY)