When NAT module loads, set NAT-done flag for untracked conntrack in every netns.
Signed-off-by: Alexey Dobriyan <adobriyan@xxxxxxxxx>
---
net/ipv4/netfilter/nf_nat_core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -588,6 +588,10 @@ static int __net_init nf_nat_net_init(struct net *net)
 &net->ipv4.nat_vmalloced);
 if (!net->ipv4.nat_bysource)
 return -ENOMEM;
+
+ /* Initialize fake conntrack so that NAT will skip it */
+ net->ct.untracked.status |= IPS_NAT_DONE_MASK;
+
 return 0;
 }
@@ -645,9 +649,6 @@ static int __init nf_nat_init(void)
 rcu_assign_pointer(nf_nat_protos[IPPROTO_ICMP], &nf_nat_protocol_icmp);
 spin_unlock_bh(&nf_nat_lock);
- /* Initialize fake conntrack so that NAT will skip it */
- init_net.ct.untracked.status |= IPS_NAT_DONE_MASK;
-
 l3proto = nf_ct_l3proto_find_get((u_int16_t)AF_INET);
 BUG_ON(nf_nat_seq_adjust_hook != NULL);
--
1.5.4.5
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
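Review bot: The comment carried over into nf_nat_net_init does not record what this assignment now depends on: `net->ct.untracked` must already have been set up by conntrack's own per-namespace init, and the flag must be in place before the NAT hooks can see traffic in that namespace, and neither ordering is visible in this hunk. I would reword it to `/* Per-netns untracked conntrack: mark NAT as done so the NAT hooks never set up a binding for it */` and add a line naming the pernet-init ordering it relies on. The `|=` is a plain read-modify-write on `status`; if anything else can update that word while the namespace is live, atomic bit operations would be the safer form, though the removed init_net line used the same `|=`. The body of nf_nat_net_init starts outside the hunk, so the allocation path above the new lines could not be checked.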