[NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks

author Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 8 Aug 2007 01:11:26 +0000 (18:11 -0700)

committer David S. Miller <davem@davemloft.net>

Wed, 8 Aug 2007 01:11:26 +0000 (18:11 -0700)
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 8 Aug 2007 01:11:26 +0000 (18:11 -0700)
committer David S. Miller <davem@davemloft.net>
Wed, 8 Aug 2007 01:11:26 +0000 (18:11 -0700)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c

index 6f89b105a20572e1a120eae249ac5389803a7d59..2863e72b40916d74fd7d1ed63a83f1ef16d6bd1d 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1052,17 +1052,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
         }
         /* implicit 'else' */
  
-       /* we only allow nat config for new conntracks */
-       if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
-               err = -EINVAL;
-               goto out_unlock;
-       }
-
         /* We manipulate the conntrack inside the global conntrack table lock,
          * so there's no need to increase the refcount */
         err = -EEXIST;
-       if (!(nlh->nlmsg_flags & NLM_F_EXCL))
-               err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
+       if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
+               /* we only allow nat config for new conntracks */
+               if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
+                       err = -EINVAL;
+                       goto out_unlock;
+               }
+               err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
+                                                cda);
+       }
  
  out_unlock:
         write_unlock_bh(&nf_conntrack_lock);
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 8 Aug 2007 01:11:26 +0000 (18:11 -0700)
committer	David S. Miller <davem@davemloft.net>
	Wed, 8 Aug 2007 01:11:26 +0000 (18:11 -0700)