nf_conntrack_update uses nf_nat_hook to do some nat stuff. However, it will only be not NULL if CONFIG_NF_NAT is enabled. Wrap the code in a CONFIG_NF_NAT check to skip it altogether. Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx> --- net/netfilter/nf_conntrack_core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 81a8ef42b88d..c597b3e8450b 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1885,7 +1885,9 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) struct nf_conntrack_tuple_hash *h; struct nf_conntrack_tuple tuple; enum ip_conntrack_info ctinfo; +#if IS_ENABLED(CONFIG_NF_NAT) struct nf_nat_hook *nat_hook; +#endif unsigned int status; struct nf_conn *ct; int dataoff; @@ -1935,6 +1937,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) ct = nf_ct_tuplehash_to_ctrack(h); nf_ct_set(skb, ct, ctinfo); +#if IS_ENABLED(CONFIG_NF_NAT) nat_hook = rcu_dereference(nf_nat_hook); if (!nat_hook) return 0; @@ -1948,6 +1951,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_DST, IP_CT_DIR_ORIGINAL) == NF_DROP) return -1; +#endif return 0; } -- 2.23.0.rc1
