On Mon, May 14, 2018 at 07:30:56PM +0200, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2018 at 07:26:54PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > static int __init nf_nat_init(void)
> > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> > > index 74a04638ef03..28e4fae98f60 100644
> > > --- a/net/netfilter/nfnetlink_queue.c
> > > +++ b/net/netfilter/nfnetlink_queue.c
> > > @@ -227,6 +227,30 @@ find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)
> > > return entry;
> > > }
> > >
> > > +static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
> > > +{
> > > + enum ip_conntrack_info ctinfo;
> > > + struct nf_ct_hook *ct_hook;
> > > + struct nf_conn *ct;
> > > + int err;
> > > +
> > > + ct = nf_ct_get(entry->skb, &ctinfo);
> > > + if (ct && !nf_ct_is_confirmed(ct) &&
> > > + verdict != NF_STOLEN && verdict != NF_DROP) {
> >
> > Why not verdict == NF_ACCEPT?
>
> We also have to deal with NF_STOP, right?

Actually we could just do verdict == NF_ACCEPT || verdict == NF_STOP,
for clarity.
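
Review bot: the condition in nfqnl_reinject(), `verdict != NF_STOLEN && verdict != NF_DROP`, is an exclusion test on the raw `unsigned int verdict`, so every value other than those two enters the branch for an unconfirmed conntrack, including NF_QUEUE and NF_REPEAT. If the branch is meant only for packets that continue through the stack, test the intended verdicts positively. If the verdict word can still carry bits above the verdict code when it reaches this function, compare `verdict & NF_VERDICT_MASK` instead, since an equality test on the raw value would not match in that case. A short comment above the condition stating which verdicts are expected to reach the branch would make the intent reviewable.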