aboutsummaryrefslogtreecommitdiffstats
path: root/net/netfilter/nf_conntrack_core.c
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2018-09-12 15:19:08 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-09-20 17:57:17 +0200
commit9976fc6e6edbb0372f084a2ae8c1b8103b3bff1d (patch)
tree9240051ddacc76e3824b6efcb0cf8f02f1d94cd0 /net/netfilter/nf_conntrack_core.c
parentnetfilter: conntrack: pass nf_hook_state to packet and error handlers (diff)
downloadlinux-dev-9976fc6e6edbb0372f084a2ae8c1b8103b3bff1d.tar.xz
linux-dev-9976fc6e6edbb0372f084a2ae8c1b8103b3bff1d.zip
netfilter: conntrack: remove the l4proto->new() function
->new() gets invoked after ->error() and before ->packet() if a conntrack lookup has found no result for the tuple. We can fold it into ->packet() -- the packet() implementations can check if the conntrack is confirmed (new) or not (already in hash). If its unconfirmed, the conntrack isn't in the hash yet so current skb created a new conntrack entry. Only relevant side effect -- if packet() doesn't return NF_ACCEPT but -NF_ACCEPT (or drop), while the conntrack was just created, then the newly allocated conntrack is freed right away, rather than not created in the first place. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to '')
-rw-r--r--net/netfilter/nf_conntrack_core.c6
1 files changed, 0 insertions, 6 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 8e275f4cdcdd..dccc96e94d7c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1370,12 +1370,6 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
timeout_ext = tmpl ? nf_ct_timeout_find(tmpl) : NULL;
- if (!l4proto->new(ct, skb, dataoff)) {
- nf_conntrack_free(ct);
- pr_debug("can't track with proto module\n");
- return NULL;
- }
-
if (timeout_ext)
nf_ct_timeout_ext_add(ct, rcu_dereference(timeout_ext->timeout),
GFP_ATOMIC);