[NETFILTER]: nf_nat: remove obsolete check for ICMP redirects
authorPatrick McHardy <kaber@trash.net>
Mon, 14 Apr 2008 09:15:50 +0000 (11:15 +0200)
committerPatrick McHardy <kaber@trash.net>
Mon, 14 Apr 2008 09:15:50 +0000 (11:15 +0200)
Locally generated ICMP packets have a reference to the conntrack entry
of the original packet manually attached by icmp_send(). Therefore the
check for locally originated untracked ICMP redirects can never be
true.

Signed-off-by: Patrick McHardy <kaber@trash.net>
net/ipv4/netfilter/nf_nat_standalone.c

index 4a3e0f85db97a746d9db3c7c685c47c45d137172..c362f672755a59dcd0c404a18d8b74441bbad9ca 100644 (file)
@@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum,
           have dropped it.  Hence it's the user's responsibilty to
           packet filter it out, or implement conntrack/NAT for that
           protocol. 8) --RR */
-       if (!ct) {
-               /* Exception: ICMP redirect to new connection (not in
-                  hash table yet).  We must not let this through, in
-                  case we're doing NAT to the same network. */
-               if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
-                       struct icmphdr _hdr, *hp;
-
-                       hp = skb_header_pointer(skb, ip_hdrlen(skb),
-                                               sizeof(_hdr), &_hdr);
-                       if (hp != NULL &&
-                           hp->type == ICMP_REDIRECT)
-                               return NF_DROP;
-               }
+       if (!ct)
                return NF_ACCEPT;
-       }
 
        /* Don't try to NAT if this packet is not conntracked */
        if (ct == &nf_conntrack_untracked)
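Review bot: The new `if (!ct) return NF_ACCEPT;` leaves no record of why an untracked ICMP redirect no longer needs the drop that the removed block applied, and the removed block's own comment described a broader concern (a redirect for a connection not yet in the hash table while NATing to the same network) than the locally-generated case the commit message argues about. The message's reasoning — icmp_send() attaches the original packet's conntrack entry — covers redirects this host emits; whether a redirect arriving from the network that conntrack could not associate with a connection also reaches this point with `ct == NULL` is not visible in the hunk, and if it does it is now accepted unchanged. Suggest carrying the justification into the code, e.g. above the check: `/* Untracked packets pass unchanged; locally generated ICMP errors always carry the original packet's conntrack reference (icmp_send()), so no ICMP-redirect special case is needed here. */`. If forwarded untracked redirects are handled by the ICMP conntrack protocol handler instead, name that in the comment so the next reader does not re-add the check. nf_nat_fn begins before the hunk and continues past it.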