]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 36a5b5e) | patch
[NETFILTER]: nf_nat: don't add NAT extension for confirmed conntracks
authorPatrick McHardy <kaber@trash.net>
Mon, 14 Apr 2008 09:15:51 +0000 (11:15 +0200)
committerPatrick McHardy <kaber@trash.net>
Mon, 14 Apr 2008 09:15:51 +0000 (11:15 +0200)
commitb42a86943a959c62228ae7a6b42904baf3f5aaf4
treed6c74123cfdd8ccd784f8383446a19d260c9bddftree | snapshot
parent36a5b5eee78c4a405d708b6a95125e51a8d73eb4commit | diff
[NETFILTER]: nf_nat: don't add NAT extension for confirmed conntracks

Adding extensions to confirmed conntracks is not allowed to avoid races
on reallocation. Don't setup NAT for confirmed conntracks in case NAT
module is loaded late.

The has one side-effect, the connections existing before the NAT module
was loaded won't enter the bysource hash. The only case where this actually
makes a difference is in case of SNAT to a multirange where the IP before
NAT is also part of the range. Since old connections don't enter the
bysource hash the first new connection from the IP will have a new address
selected. This shouldn't matter at all.

Signed-off-by: Patrick McHardy <kaber@trash.net>
include/net/netfilter/nf_nat_rule.h diff | blob | history
net/ipv4/netfilter/nf_nat_rule.c diff | blob | history
net/ipv4/netfilter/nf_nat_standalone.c diff | blob | history
Linux Kernel Source Tree.