diff options
| author | Florian Westphal | 2011-01-20 10:23:26 +0100 |
|---|---|---|
| committer | Patrick McHardy | 2011-01-20 10:23:26 +0100 |
| commit | 28a51ba59a1a983d63d4775e9bb8230fe0fb3b29 (patch) | |
| tree | 8cb43af6028065dcdbc4418bbb30767729edc579 /net/netfilter | |
| parent | Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/... (diff) | |
| download | kernel-qcow2-linux-28a51ba59a1a983d63d4775e9bb8230fe0fb3b29.tar.gz kernel-qcow2-linux-28a51ba59a1a983d63d4775e9bb8230fe0fb3b29.tar.xz kernel-qcow2-linux-28a51ba59a1a983d63d4775e9bb8230fe0fb3b29.zip | |
netfilter: do not omit re-route check on NF_QUEUE verdict
ret != NF_QUEUE only works in the "--queue-num 0" case; for
queues > 0 the test should be '(ret & NF_VERDICT_MASK) != NF_QUEUE'.
However, NF_QUEUE no longer DROPs the skb unconditionally if queueing
fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the
re-route test should also be performed if this flag is set in the
verdict.
The full test would then look something like
&& ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS))
This is rather ugly, so just remove the NF_QUEUE test altogether.
The only effect is that we might perform an unnecessary route lookup
in the NF_QUEUE case.
ip6table_mangle did not have such a check.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter')
0 files changed, 0 insertions, 0 deletions