[NETFILTER] stop tracking ICMP error at early point

Currently connection tracking handles an ICMP error like a normal packet
if it fails to find the related connection. But that handling fails later anyway.

This makes connection tracking stop tracking ICMP error at early point.

Signed-off-by: Yasuyuki Kozakai <[EMAIL PROTECTED]>
Signed-off-by: Harald Welte <[EMAIL PROTECTED]>

---
commit 1e31b01ffe57ef46acad5ffec421880a97b43e83
tree d78373257aec02a2c122f9a00998d9f6dda71b59
parent 1f95776fa17a2b1234f3235d7fd746cdaf19c5b8
author Yasuyuki Kozakai <[EMAIL PROTECTED]> Tue, 08 Nov 2005 15:48:47 +0100
committer Harald Welte <[EMAIL PROTECTED]> Tue, 08 Nov 2005 15:48:47 +0100

 net/ipv4/netfilter/ip_conntrack_proto_icmp.c   |   10 +++++-----

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 
b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
        /* Not enough header? */
        inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in);
        if (inside == NULL)
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
 
        /* Ignore ICMP's containing fragments (shouldn't happen) */
        if (inside->ip.frag_off & htons(IP_OFFSET)) {
                DEBUGP("icmp_error_track: fragment of proto %u\n",
                       inside->ip.protocol);
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
        }
 
        innerproto = ip_conntrack_proto_find_get(inside->ip.protocol);
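Review bot: The early exits in this hunk (and in the three hunks below) now return -NF_ACCEPT, but nothing in icmp_error_message documents that the sign of the return value is the signal, so a reader of this file alone sees a negated verdict without knowing who interprets it. Presumably the caller of the protocol's ->error() hook treats a non-positive return as "stop tracking this skb" and propagates the verdict, meaning the packet is still accepted but gets no conntrack entry and is counted as an error/invalid — confirm against ip_conntrack_in. A comment above the function, e.g. `/* Returns NF_ACCEPT on success; -NF_ACCEPT when the embedded packet is truncated, fragmented or matches no connection, so the caller stops tracking the skb without dropping it. */`, would make the contract explicit. The function's opening and tail are outside these hunks, so any remaining positive `return NF_ACCEPT` on a non-tracking path there should be checked for consistency with these five sites.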
@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
        if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, 
innerproto)) {
                DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol);
                ip_conntrack_proto_put(innerproto);
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
        }
 
        /* Ordinarily, we'd expect the inverted tupleproto, but it's
@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
        if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) {
                DEBUGP("icmp_error_track: Can't invert tuple\n");
                ip_conntrack_proto_put(innerproto);
-               return NF_ACCEPT;
+               return -NF_ACCEPT;
        }
        ip_conntrack_proto_put(innerproto);
 
@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
 
                if (!h) {
                        DEBUGP("icmp_error_track: no match\n");
-                       return NF_ACCEPT;
+                       return -NF_ACCEPT;
                }
                /* Reverse direction from that found */
                if (DIRECTION(h) != IP_CT_DIR_REPLY)
-- 
- Harald Welte <[EMAIL PROTECTED]>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

Attachment: pgpXlTSrboZ3W.pgp
Description: PGP signature
