On Tuesday 2009-08-25 14:24, Patrick McHardy wrote:
>I'm about to commit a couple of patches from some private trees
>to my nf-next-2.6.git tree. Any comments welcome.
>
>
> int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb,
> struct nf_conn *ct,
>@@ -113,8 +114,11 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
>
> ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
> ct, ctinfo);
>- if (ret != NF_ACCEPT)
>+ if (ret != NF_ACCEPT) {
>+ nf_log_packet(AF_INET, hooknum, skb, in, out, NULL,
>+ "nf_ct_%s: dropping packet", helper->name);
> return ret;
>+ }
These calls should probably be using NFPROTO_*.
Also, the actual helpers should be audited and any "we dropped things"
messages be removed since now that is done by your patch.
>+ if (ret != NF_ACCEPT) {
>+ nf_log_packet(AF_INET6, hooknum, skb, in, out, NULL,
>+ "nf_ct_%s: dropping packet", helper->name);
> return ret;
>+ }
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
