diff options
author | Patrick McHardy <kaber@trash.net> | 2006-05-29 18:21:53 -0700 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-06-17 21:28:55 -0700 |
commit | 6442f1cf897643d4ca597f2f7d3464b765bae960 (patch) | |
tree | 0708a7d312c1db1f78c20df9cbdfc9f5e6218523 /net/ipv6 | |
parent | 404bdbfd242cb99ca0e9d3eb5fbb5bcd54123081 (diff) | |
download | op-kernel-dev-6442f1cf897643d4ca597f2f7d3464b765bae960.zip op-kernel-dev-6442f1cf897643d4ca597f2f7d3464b765bae960.tar.gz |
[NETFILTER]: conntrack: don't call helpers for related ICMP messages
None of the existing helpers expects to get called for related ICMP
packets and some even drop them if they can't parse them.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 93bae36..2a71c3b 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c @@ -189,7 +189,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum, /* This is where we call the helper: as the packet goes out. */ ct = nf_ct_get(*pskb, &ctinfo); - if (!ct) + if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY) goto out; help = nfct_help(ct); |