[Devel] [PATCH 2/2] net: Do not allow conntrack if netlink conntrack is requested
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Mon Oct 3 09:13:47 PDT 2016
On 10/03/2016 05:16 PM, Kirill Tkhai wrote:
> The scheme with allowing conntracks suggests to allow conntrack
> only after a rule is inserted. But this place is not inserting
> a rule, it's a manual conntrack creation.
>
> Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
> net/netfilter/nf_conntrack_netlink.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index aad05a0..d6b6465 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1617,7 +1617,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
> struct nf_conntrack_helper *helper;
> struct nf_conn_tstamp *tstamp;
>
> - allow_conntrack_allocation(net);
> ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
> if (IS_ERR(ct))
> return ERR_PTR(-ENOMEM);
>
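Review bot: once `allow_conntrack_allocation(net)` is dropped here, a ctnetlink create request in a netns where no rule has yet enabled allocation will fail inside `nf_conntrack_alloc()`, yet the unchanged `if (IS_ERR(ct)) return ERR_PTR(-ENOMEM);` reports every failure to the userspace caller as ENOMEM, so the "not allowed" case is indistinguishable from real memory pressure; if `nf_conntrack_alloc()` returns a distinct error for that case, propagate it (e.g. `return ERR_CAST(ct);`) rather than rewriting it, and state in the commit message that manual conntrack creation via ctnetlink is now rejected until a rule has enabled allocation, since that is a visible behaviour change for tools that restore or inject entries this way.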
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.