On Saturday 2011-02-12 03:14, Pandu Poluan wrote:
>(sorry for top posting)
>
>Strangely enough, the iptables binary does not complain when I tried:
>
>iptables -t raw -A PREROUTING -p icmp -m state --state
>ESTABLISHED,RELATED -j LOG --log-prefix "RP MATCH:"
Well, `rm -Rf *` also does not complain about files going away --
"Computer is a serious tool" :-)
Oh well, nature. Here's a patch for nature...
parent 44bd4de9c2270b22c3c898310102bc6be9ed2978 (v2.6.38-rc1-187-g44bd4de)
commit ddc00998c0b1aa720720529ebaac73bb142e531f
Author: Jan Engelhardt <jengelh@xxxxxxxxxx>
Date: Sat Feb 12 04:24:07 2011 +0100
netfilter: xt_conntrack: warn about use in raw table
nfct happens to run after the raw table only.
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
net/netfilter/xt_conntrack.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 4ef1b63..2c0086a 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -272,6 +272,11 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
{
int ret;
+ if (strcmp(par->table, "raw") == 0) {
+ pr_info("state is undetermined at the time of raw table\n");
+ return -EINVAL;
+ }
+
ret = nf_ct_l3proto_try_module_get(par->family);
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
--
# Created with git-export-patch
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
