diff options
author | Patrick McHardy <kaber@trash.net> | 2007-09-11 11:27:01 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-09-11 11:27:01 +0200 |
commit | 0fb96701376874c9f1f80322f89a5bf4457c709f (patch) | |
tree | d62aa99af2e68d0d2ac1191af6f402aafa25ffce /net | |
parent | 66eb50d5c972cc16df2be730497b7f06d75d8132 (diff) | |
download | talos-op-linux-0fb96701376874c9f1f80322f89a5bf4457c709f.tar.gz talos-op-linux-0fb96701376874c9f1f80322f89a5bf4457c709f.zip |
[NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages
Since we're now using a generic tuple decoding function in ICMP
connection tracking, ipv4_get_l4proto() might get called with a
fragmented packet from within an ICMP error. Remove the error
message we used to print when this happens.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index d9b5177989c6..53cb1772f38f 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c @@ -87,14 +87,10 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, if (iph == NULL) return -NF_DROP; - /* Never happen */ - if (iph->frag_off & htons(IP_OFFSET)) { - if (net_ratelimit()) { - printk(KERN_ERR "ipv4_get_l4proto: Frag of proto %u\n", - iph->protocol); - } + /* Conntrack defragments packets, we might still see fragments + * inside ICMP packets though. */ + if (iph->frag_off & htons(IP_OFFSET)) return -NF_DROP; - } *dataoff = nhoff + (iph->ihl << 2); *protonum = iph->protocol; |