[NETFILTER]: Prevent NAT from seeing fragments

The path for loopback is: LOCAL_OUT: conntrack defrags POST_ROUTING: conntrack refrags PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL PRE_ROUTING: NAT gets hit by fragments Always defrag on loopback if NAT is compiled in. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Rusty Russel <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Prevent NAT from seeing fragments
The path for loopback is: LOCAL_OUT: conntrack defrags POST_ROUTING: conntrack refrags PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL PRE_ROUTING: NAT gets hit by fragments Always defrag on loopback if NAT is compiled in. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Rusty Russel <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
b6f0a1dc · Patrick McHardy · David S. Miller · 0f4389e9 · b6f0a1dc
Commit b6f0a1dc authored Feb 23, 2005 by Patrick McHardy Committed by David S. Miller Feb 23, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

net/ipv4/netfilter/ip_conntrack_standalone.c net/ipv4/netfilter/ip_conntrack_standalone.c +2 -0

No files found.
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -384,10 +384,12 @@ static unsigned int ip_conntrack_defrag(unsigned int hooknum,
 				        const struct net_device *out,
 				        int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
 	/* Previously seen (loopback)?  Ignore.  Do this before
           fragment check. */
 	if ((*pskb)->nfct)
 		return NF_ACCEPT;
+#endif

 	/* Gather fragments. */
 	if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {