patch-2.4.22 linux-2.4.22/net/ipv4/netfilter/ip_nat_core.c


diff -urN linux-2.4.21/net/ipv4/netfilter/ip_nat_core.c linux-2.4.22/net/ipv4/netfilter/ip_nat_core.c
@@ -756,6 +756,11 @@
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	int is_tcp = (*pskb)->nh.iph->protocol == IPPROTO_TCP;
 
+	/* Skip everything and don't call helpers if there are no
+	 * manips for this connection */
+	if (info->num_manips == 0)
+		return NF_ACCEPT;
+
 	/* Need nat lock to protect against modification, but neither
 	   conntrack (referenced) and helper (deleted with
 	   synchronize_bh()) can vanish. */
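Review bot: The added `info->num_manips == 0` test reads the manip count before the nat lock is taken, although the comment directly below it says that lock is needed to protect against modification. If manips can never be added once packets reach this point the unlocked read is harmless, but nothing in the hunk shows that. Either move the test below the lock acquisition or state the invariant in the comment, for example `/* num_manips is read without the nat lock; this relies on manips not being added after setup */`. The early return also skips everything later in the function, which starts and ends outside this hunk, so it is worth confirming that no later step is still needed for connections with no manips.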
@@ -796,6 +801,7 @@
 		struct ip_conntrack_expect *exp = NULL;
 		struct list_head *cur_item;
 		int ret = NF_ACCEPT;
+		int helper_called = 0;
 
 		DEBUGP("do_bindings: helper existing for (%p)\n", ct);
 
@@ -814,19 +820,21 @@
 				continue;
 
 			if (exp_for_packet(exp, pskb)) {
-				/* FIXME: May be true multiple times in the case of UDP!! */
-				DEBUGP("calling nat helper (exp=%p) for packet\n",
-					exp);
+				/* FIXME: May be true multiple times in the
+				 * case of UDP!! */
+				DEBUGP("calling nat helper (exp=%p) for	packet\n", exp);
 				ret = helper->help(ct, exp, info, ctinfo, 
 						   hooknum, pskb);
 				if (ret != NF_ACCEPT) {
 					READ_UNLOCK(&ip_conntrack_lock);
 					return ret;
 				}
+				helper_called = 1;
 			}
 		}
-		/* Helper might want to manip the packet even when there is no expectation */
-		if (!exp && helper->flags & IP_NAT_HELPER_F_ALWAYS) {
+		/* Helper might want to manip the packet even when there is no
+		 * matching expectation for this packet */
+		if (!helper_called && helper->flags & IP_NAT_HELPER_F_ALWAYS) {
 			DEBUGP("calling nat helper for packet without expectation\n");
 			ret = helper->help(ct, NULL, info, ctinfo, 
 					   hooknum, pskb);
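Review bot: The rejoined debug string in the `exp_for_packet` branch now has a literal tab between "for" and "packet", which looks like a leftover from merging the two source lines; it should read `DEBUGP("calling nat helper (exp=%p) for packet\n", exp);`. In the new condition, `!helper_called && helper->flags & IP_NAT_HELPER_F_ALWAYS` parses as intended because `&` binds tighter than `&&`, but explicit parentheses would make that obvious: `if (!helper_called && (helper->flags & IP_NAT_HELPER_F_ALWAYS)) {`. An `IP_NAT_HELPER_F_ALWAYS` helper is now also called with a NULL expectation when expectations exist but none match the packet, so the comment on the flag's definition (not visible here) should say helpers must tolerate `exp == NULL` in that case. The enclosing block continues past the end of the hunk.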
