Alexey Dobriyan wrote:
> On Thu, Feb 11, 2010 at 7:59 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>> Alexey Dobriyan wrote:
>>> --- a/net/bridge/br_netfilter.c
>>> +++ b/net/bridge/br_netfilter.c
>>> @@ -792,9 +792,11 @@ static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
>>> }
>>>
>>> #if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
>>> +#include <net/netfilter/nf_conntrack.h>
>>> +
>>> static int br_nf_dev_queue_xmit(struct sk_buff *skb)
>>> {
>>> - if (skb->nfct != NULL &&
>>> + if ((skb->nfct != NULL || nf_ct_is_untracked(skb)) &&
>> Seems unnecessary since nfct should be NULL when the conntrack
>> is untracked.
>
> Before untracked connections would pass the test, so additional check required.
Actually they are supposed to pass this test since they
are also defragmented.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
