Hi Florian,
On Mon, 23 Jan 2017, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote:
> > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> > > index 0c629fdf90e1..ce6adfae521a 100644
> > > --- a/net/netfilter/core.c
> > > +++ b/net/netfilter/core.c
> > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
> > > {
> > > void (*attach)(struct sk_buff *, const struct sk_buff *);
> > >
> > > - if (skb_nfct(skb)) {
> > > + if (skb->nfct) {
> >
> > I guess this slipped through accidentally. No need to resent, I can
> > amend it here.
>
> Hmm, let me review this. I thin the skb_nfct() conversion is erroneous.
> (Q: If original is UNTRRACKED, should the reply packet that is being
> attached be UNTRACKED or INVALID?)
If the packet is UNTRACKED, then how can there be a reply packet from
conntrack point of view? In my opinion it's the user responsibility to
handle both directions.
> I think its "UNTRACKED", and then this needs testing of skb->_nfct .
>
> (at least once the untracked object gets removed).
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
