[NETFILTER] nf_conntrack: Add missing code to TCP conntrack module

Looks like the nf_conntrack TCP code was slightly mismerged: it does not contain an else branch present in the IPv4 version. Let's add that code and make the testsuite happy. Signed-off-by: N KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: N Harald Welte <laforge@netfilter.org> Signed-off-by: N David S. Miller <davem@davemloft.net>

[NETFILTER] nf_conntrack: Add missing code to TCP conntrack module
Looks like the nf_conntrack TCP code was slightly mismerged: it does not contain an else branch present in the IPv4 version. Let's add that code and make the testsuite happy. Signed-off-by: N KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: N Harald Welte <laforge@netfilter.org> Signed-off-by: N David S. Miller <davem@davemloft.net>
3746a2b1 · KOVACS Krisztian · David S. Miller · 56558208 · 3746a2b1
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

net/netfilter/nf_conntrack_proto_tcp.c net/netfilter/nf_conntrack_proto_tcp.c +6 -0

未找到文件。
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -970,6 +970,12 @@ static int tcp_packet(struct nf_conn *conntrack,
 		    		conntrack->timeout.function((unsigned long)
 		    					    conntrack);
 		    	return -NF_REPEAT;
+		} else {
+			write_unlock_bh(&tcp_lock);
+			if (LOG_INVALID(IPPROTO_TCP))
+				nf_log_packet(pf, 0, skb, NULL, NULL,
+					      NULL, "nf_ct_tcp: invalid SYN");
+			return -NF_ACCEPT;
 		}
 	case TCP_CONNTRACK_CLOSE:
 		if (index == TCP_RST_SET