patch-2.4.4 linux/net/ipv4/netfilter/ip_fw_compat.c


diff -u --recursive --new-file v2.4.3/linux/net/ipv4/netfilter/ip_fw_compat.c linux/net/ipv4/netfilter/ip_fw_compat.c
@@ -69,21 +69,6 @@
 	return 0;
 }
 
-static inline void
-confirm_connection(struct sk_buff *skb)
-{
-	if (skb->nfct) {
-		struct ip_conntrack *ct
-			= (struct ip_conntrack *)skb->nfct->master;
-		/* ctinfo is the index of the nfct inside the conntrack */
-		enum ip_conntrack_info ctinfo = skb->nfct - ct->infos;
-
-		if ((ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)
-		    && !(ct->status & IPS_CONFIRMED))
-			ip_conntrack_confirm(ct);
-	}
-}
-
 static unsigned int
 fw_in(unsigned int hooknum,
       struct sk_buff **pskb,
@@ -96,7 +81,8 @@
 
 	/* Assume worse case: any hook could change packet */
 	(*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
-	(*pskb)->ip_summed = CHECKSUM_NONE;
+	if ((*pskb)->ip_summed == CHECKSUM_HW)
+		(*pskb)->ip_summed = CHECKSUM_NONE;
 
 	switch (hooknum) {
 	case NF_IP_PRE_ROUTING:
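Review bot: The comment just above the changed lines, `/* Assume worse case: any hook could change packet */`, no longer matches what the code does: only CHECKSUM_HW is downgraded to CHECKSUM_NONE, while every other ip_summed state passes through untouched, and nothing in the hunk explains why that is safe when a hook does alter the packet. If the reasoning is that a hardware-supplied checksum stored with the skb becomes stale once the packet is modified, whereas the other states carry no stored value that could go stale, the comment should say so: `/* Any hook could alter the packet; a hardware checksum (CHECKSUM_HW) would then be stale, so fall back to CHECKSUM_NONE. Other states are left as they are. */`. That reasoning is inferred from the condition, not stated on the page, so confirm it against the skb checksum conventions before adopting the wording. The enclosing function starts and ends outside this hunk.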
@@ -136,7 +122,10 @@
 						   (struct net_device *)out,
 						   (*pskb)->nh.raw, &redirpt,
 						   pskb);
-			confirm_connection(*pskb);
+
+			/* ip_conntrack_confirm return NF_DROP or NF_ACCEPT */
+			if (ip_conntrack_confirm(*pskb) == NF_DROP)
+				ret = FW_BLOCK;
 		}
 		break;
 	}
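Review bot: The new verdict check `if (ip_conntrack_confirm(*pskb) == NF_DROP)` fails open: any return value other than NF_DROP leaves `ret` unchanged, so if the callee ever yielded a verdict other than the two the comment names, the packet would be passed rather than blocked. Testing for the single accepting verdict is the safer form and costs nothing here: `if (ip_conntrack_confirm(*pskb) != NF_ACCEPT) ret = FW_BLOCK;`. The added comment also reads awkwardly; `/* ip_conntrack_confirm() returns NF_ACCEPT or NF_DROP; a failed confirmation blocks the packet */` states what the code relies on. The enclosing function starts and ends outside this hunk.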
@@ -194,8 +183,7 @@
 			       const struct net_device *out,
 			       int (*okfn)(struct sk_buff *))
 {
-	confirm_connection(*pskb);
-	return NF_ACCEPT;
+	return ip_conntrack_confirm(*pskb);
 }
 
 extern int ip_fw_ctl(int optval, void *m, unsigned int len);
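Review bot: The hook body now returns whatever ip_conntrack_confirm() produces instead of the constant NF_ACCEPT, but nothing in the function says that this hook can now drop a packet. A one-line comment above the return, `/* confirm the conntrack entry; verdict is NF_ACCEPT or NF_DROP */`, would tell a reader why the verdict is no longer fixed. The function's signature begins before this hunk, so the comment could equally go on the definition.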
