[NETFILTER]: nf_nat: remove obsolete check for ICMP redirects

Locally generated ICMP packets have a reference to the conntrack entry of the original packet manually attached by icmp_send(). Therefore the check for locally originated untracked ICMP redirects can never be true. Signed-off-by: Patrick McHardy <kaber@trash.net>

[NETFILTER]: nf_nat: remove obsolete check for ICMP redirects
Locally generated ICMP packets have a reference to the conntrack entry of the original packet manually attached by icmp_send(). Therefore the check for locally originated untracked ICMP redirects can never be true. Signed-off-by: Patrick McHardy <kaber@trash.net>
42cf800c · Patrick McHardy · 9d908a69 · 42cf800c
Commit 42cf800c authored Apr 14, 2008 by Patrick McHardy
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 14 deletions

net/ipv4/netfilter/nf_nat_standalone.c net/ipv4/netfilter/nf_nat_standalone.c +1 -14

No files found.
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -93,21 +93,8 @@ nf_nat_fn(unsigned int hooknum,
 	   have dropped it.  Hence it's the user's responsibilty to
 	   packet filter it out, or implement conntrack/NAT for that
 	   protocol. 8) --RR */
-	if (!ct) {
+	if (!ct)
-		/* Exception: ICMP redirect to new connection (not in
-		   hash table yet).  We must not let this through, in
-		   case we're doing NAT to the same network. */
-		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
-			struct icmphdr _hdr, *hp;
-			hp = skb_header_pointer(skb, ip_hdrlen(skb),
-						sizeof(_hdr), &_hdr);
-			if (hp != NULL &&
-			    hp->type == ICMP_REDIRECT)
-				return NF_DROP;
-		}
 		return NF_ACCEPT;
-	}
 	/* Don't try to NAT if this packet is not conntracked */
 	if (ct == &nf_conntrack_untracked)