GitHub-Mirror/linux-bl808
2
0
Fork 0
mirror of https://github.com/Fishwaldo/linux-bl808.git synced 2025-06-16 03:25:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

[NETFILTER]: nf_nat: remove obsolete check for ICMP redirects

Browse source 
Locally generated ICMP packets have a reference to the conntrack entry
of the original packet manually attached by icmp_send(). Therefore the
check for locally originated untracked ICMP redirects can never be
true.

Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Patrick McHardy 2008-04-14 11:15:50 +02:00
parent 9d908a69a3
commit 42cf800c24
1 changed files with 1 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
net/ipv4/netfilter/nf_nat_standalone.c
View file

@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum,
have dropped it. Hence it's the user's responsibilty to have dropped it. Hence it's the user's responsibilty to
packet filter it out, or implement conntrack/NAT for that packet filter it out, or implement conntrack/NAT for that
protocol. 8) --RR */ protocol. 8) --RR */
if (!ct) { if (!ct)
/* Exception: ICMP redirect to new connection (not in
hash table yet). We must not let this through, in
case we're doing NAT to the same network. */
if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
struct icmphdr _hdr, *hp;
hp = skb_header_pointer(skb, ip_hdrlen(skb),
sizeof(_hdr), &_hdr);
if (hp != NULL &&
hp->type == ICMP_REDIRECT)
return NF_DROP;
}
return NF_ACCEPT; return NF_ACCEPT;
}
/* Don't try to NAT if this packet is not conntracked */ /* Don't try to NAT if this packet is not conntracked */
if (ct == &nf_conntrack_untracked) if (ct == &nf_conntrack_untracked)