patch-2.4.4 linux/net/ipv4/netfilter/ip_fw_compat.c
- Lines: 54
- Date:
Fri Apr 27 14:15:01 2001
- Orig file:
v2.4.3/linux/net/ipv4/netfilter/ip_fw_compat.c
- Orig date:
Fri Feb 9 11:34:13 2001
diff -u --recursive --new-file v2.4.3/linux/net/ipv4/netfilter/ip_fw_compat.c linux/net/ipv4/netfilter/ip_fw_compat.c
@@ -69,21 +69,6 @@
return 0;
}
-static inline void
-confirm_connection(struct sk_buff *skb)
-{
- if (skb->nfct) {
- struct ip_conntrack *ct
- = (struct ip_conntrack *)skb->nfct->master;
- /* ctinfo is the index of the nfct inside the conntrack */
- enum ip_conntrack_info ctinfo = skb->nfct - ct->infos;
-
- if ((ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)
- && !(ct->status & IPS_CONFIRMED))
- ip_conntrack_confirm(ct);
- }
-}
-
static unsigned int
fw_in(unsigned int hooknum,
struct sk_buff **pskb,
@@ -96,7 +81,8 @@
/* Assume worse case: any hook could change packet */
(*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
- (*pskb)->ip_summed = CHECKSUM_NONE;
+ if ((*pskb)->ip_summed == CHECKSUM_HW)
+ (*pskb)->ip_summed = CHECKSUM_NONE;
switch (hooknum) {
case NF_IP_PRE_ROUTING:
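Review bot: The new test `if ((*pskb)->ip_summed == CHECKSUM_HW)` has no comment, while the comment two lines above still says to assume any hook could change the packet, so a reader cannot tell why the other checksum states are now left untouched. A one-line comment would close that gap, e.g. `/* a hardware-computed sum is stale once a hook rewrites the packet; other states are kept */`, with the wording confirmed against the intent of the change. A packet that arrives already marked as checksum-verified now keeps that mark, so it is worth checking that every compat hook which rewrites headers also fixes up the checksum. fw_in starts before this hunk and continues past it.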
@@ -136,7 +122,10 @@
(struct net_device *)out,
(*pskb)->nh.raw, &redirpt,
pskb);
- confirm_connection(*pskb);
+
+ /* ip_conntrack_confirm return NF_DROP or NF_ACCEPT */
+ if (ip_conntrack_confirm(*pskb) == NF_DROP)
+ ret = FW_BLOCK;
}
break;
}
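Review bot: The check `if (ip_conntrack_confirm(*pskb) == NF_DROP)` fails open, because any return value other than NF_DROP leaves `ret` as the preceding call set it. The comment says only NF_DROP or NF_ACCEPT can come back, but that contract is defined outside this file and is not visible here. If it holds, `if (ip_conntrack_confirm(*pskb) != NF_ACCEPT)` is the more defensive form for a filtering path. The comment itself should read `/* ip_conntrack_confirm returns NF_DROP or NF_ACCEPT */`. The enclosing case block starts before this hunk.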
@@ -194,8 +183,7 @@
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- confirm_connection(*pskb);
- return NF_ACCEPT;
+ return ip_conntrack_confirm(*pskb);
}
extern int ip_fw_ctl(int optval, void *m, unsigned int len);
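Review bot: The removed confirm_connection() checked `skb->nfct` for NULL before touching the conntrack, but this call site and the one in the previous hunk now hand `*pskb` straight to ip_conntrack_confirm(). The NULL check and the NEW/RELATED and IPS_CONFIRMED tests therefore have to live inside that function, which is not part of this file's diff. A comment above the return would record the dependency, e.g. `/* ip_conntrack_confirm() copes with packets that have no conntrack attached */`, once confirmed against the new definition. This hook can also now return a drop verdict where it previously always returned NF_ACCEPT, which deserves a mention in the function's header comment. The function's name and opening parameters are outside the hunk.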