On Monday 2009-02-23 11:15, Pablo Neira Ayuso wrote: >diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c >index 8b9dbb7..4503727 100644 >--- a/net/netfilter/nf_conntrack_core.c >+++ b/net/netfilter/nf_conntrack_core.c >@@ -733,6 +733,8 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, > nf_conntrack_put(skb->nfct); > skb->nfct = NULL; > NF_CT_STAT_INC_ATOMIC(net, invalid); >+ if (-ret == NF_DROP) >+ NF_CT_STAT_INC_ATOMIC(net, drop); > return -ret; > } > *boggle* Why not just "ret == -NF_DROP"? The assumption would be near that "-NF_DROP" is a constant just as "NF_DROP" would be, but "-ret" involves an extra instruction for negating ret.
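Review bot: The added `drop` increment in the nf_conntrack_in() hunk sits directly after the unconditional `NF_CT_STAT_INC_ATOMIC(net, invalid)`, so a packet that leaves through this branch with a drop verdict is counted in both `invalid` and `drop`. If that overlap is intended, say so in a one-line comment above the new `if` or in the commit message, so that anyone reading the statistics does not add the two counters together. On the test itself, `if (-ret == NF_DROP)` negates the variable where the neighbouring `return -ret;` already shows that ret holds a negated verdict; comparing against the negated constant, `ret == -NF_DROP`, states the same condition and reads more directly.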