[NETFILTER] nf_conntrack: Add missing code to TCP conntrack module

Looks like the nf_conntrack TCP code was slightly mismerged: it does not contain an else branch present in the IPv4 version. Let's add that code and make the testsuite happy. Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: KOVACS Krisztian <hidden@balabit.hu> 2005-11-14 15:23:01 -0800
committer: David S. Miller <davem@davemloft.net> 2005-11-14 15:23:01 -0800
commit: 3746a2b1402e7933c7f1eabdce384b8454dc2ef7 (patch)
tree: 154061b5e4f038a490173370c53472d077fec4ef /net/netfilter
parent: [NETFILTER] ctnetlink: More thorough size checking of attributes (diff)
download: linux-dev-3746a2b1402e7933c7f1eabdce384b8454dc2ef7.tar.xz
linux-dev-3746a2b1402e7933c7f1eabdce384b8454dc2ef7.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 156680ddb042..5a6fcf349bdf 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -970,6 +970,12 @@ static int tcp_packet(struct nf_conn *conntrack,
 		    		conntrack->timeout.function((unsigned long)
 		    					    conntrack);
 		    	return -NF_REPEAT;
+		} else {
+			write_unlock_bh(&tcp_lock);
+			if (LOG_INVALID(IPPROTO_TCP))
+				nf_log_packet(pf, 0, skb, NULL, NULL,
+					      NULL, "nf_ct_tcp: invalid SYN");
+			return -NF_ACCEPT;
 		}
 	case TCP_CONNTRACK_CLOSE:
 		if (index == TCP_RST_SET
author	KOVACS Krisztian <hidden@balabit.hu>	2005-11-14 15:23:01 -0800
committer	David S. Miller <davem@davemloft.net>	2005-11-14 15:23:01 -0800
commit	3746a2b1402e7933c7f1eabdce384b8454dc2ef7 (patch)
tree	154061b5e4f038a490173370c53472d077fec4ef /net/netfilter
parent	[NETFILTER] ctnetlink: More thorough size checking of attributes (diff)
download	linux-dev-3746a2b1402e7933c7f1eabdce384b8454dc2ef7.tar.xz linux-dev-3746a2b1402e7933c7f1eabdce384b8454dc2ef7.zip