patch-2.4.4 linux/net/ipv4/netfilter/ip_conntrack_standalone.c

Next file: linux/net/ipv4/netfilter/ip_fw_compat.c
Previous file: linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c
Back to the patch index
Back to the overall index

Lines: 49
Date: Fri Apr 27 14:15:01 2001
Orig file: v2.4.3/linux/net/ipv4/netfilter/ip_conntrack_standalone.c
Orig date: Thu Aug 10 12:35:15 2000


diff -u --recursive --new-file v2.4.3/linux/net/ipv4/netfilter/ip_conntrack_standalone.c linux/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -88,8 +88,6 @@
 			   proto);
 	if (conntrack->status & IPS_ASSURED)
 		len += sprintf(buffer + len, "[ASSURED] ");
-	if (!(conntrack->status & IPS_CONFIRMED))
-		len += sprintf(buffer + len, "[UNCONFIRMED] ");
 	len += sprintf(buffer + len, "use=%u ",
 		       atomic_read(&conntrack->ct_general.use));
 	len += sprintf(buffer + len, "\n");
@@ -169,22 +167,8 @@
 			       const struct net_device *out,
 			       int (*okfn)(struct sk_buff *))
 {
-	/* We've seen it coming out the other side: confirm.  Beware
-           REJECT generating TCP RESET response (IP_CT_REPLY), or ICMP
-           errors (IP_CT_REPLY + IP_CT_RELATED).  But new expected
-           connections must be confirmed as well (eg. ftp data,
-           IP_CT_RELATED). */
-	if ((*pskb)->nfct) {
-		struct ip_conntrack *ct
-			= (struct ip_conntrack *)(*pskb)->nfct->master;
-		/* ctinfo is the index of the nfct inside the conntrack */
-		enum ip_conntrack_info ctinfo = (*pskb)->nfct - ct->infos;
-
-		if ((ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)
-		    && !(ct->status & IPS_CONFIRMED))
-			ip_conntrack_confirm(ct);
-	}
-	return NF_ACCEPT;
+	/* We've seen it coming out the other side: confirm it */
+	return ip_conntrack_confirm(*pskb);
 }
 
 static unsigned int ip_refrag(unsigned int hooknum,
@@ -196,7 +180,8 @@
 	struct rtable *rt = (struct rtable *)(*pskb)->dst;
 
 	/* We've seen it coming out the other side: confirm */
-	ip_confirm(hooknum, pskb, in, out, okfn);
+	if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT)
+		return NF_DROP;
 
 	/* Local packets are never produced too large for their
 	   interface.  We degfragment them at LOCAL_OUT, however,
@@ -345,3 +330,4 @@
 EXPORT_SYMBOL(ip_conntrack_expect_related);
 EXPORT_SYMBOL(ip_conntrack_tuple_taken);
 EXPORT_SYMBOL(ip_ct_gather_frags);
+EXPORT_SYMBOL(ip_conntrack_htable_size);

FUNET's LINUX-ADM group, linux-adm@nic.funet.fi

TCL-scripts by Sam Shen (who was at: slshen@lbl.gov)