diff options
author | Florian Westphal <fw@strlen.de> | 2017-01-23 20:21:54 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-02-02 16:31:51 +0300 |
commit | 6e10148c5c85629832d9156f337cbf67e96b69fe (patch) | |
tree | de5dcd5c24789532222702f5272299379a881cf6 /net/ipv4 | |
parent | 11df4b760f11ca7528c62b1c4b870735d1c62116 (diff) | |
download | linux-6e10148c5c85629832d9156f337cbf67e96b69fe.tar.xz |
netfilter: reset netfilter state when duplicating packet
We should also toss nf_bridge_info, if any -- packet is leaving via
ip_local_out, also, this skb isn't bridged -- it is a locally generated
copy. Also this avoids the need to touch this later when skb->nfct is
replaced with 'unsigned long _nfct' in followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/nf_dup_ipv4.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c index cf986e1c7bbd..a981ef7151ca 100644 --- a/net/ipv4/netfilter/nf_dup_ipv4.c +++ b/net/ipv4/netfilter/nf_dup_ipv4.c @@ -68,7 +68,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, #if IS_ENABLED(CONFIG_NF_CONNTRACK) /* Avoid counting cloned packets towards the original connection. */ - nf_conntrack_put(skb->nfct); + nf_reset(skb); skb->nfct = &nf_ct_untracked_get()->ct_general; skb->nfctinfo = IP_CT_NEW; nf_conntrack_get(skb->nfct); |