netfilter: ctnetlink: don't add null bindings if no nat requested

commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race
where nat initialisation can happen after ctnetlink-created conntrack
has been created.

However, it causes the nat module(s) to be loaded needlessly on
systems that are not using NAT.

Fortunately, we do not have to create null bindings in that case.

conntracks injected via ctnetlink always have the CONFIRMED bit set,
which prevents addition of the nat extension in nf_nat_ipv4/6_fn().

We only need to make sure that either no nat extension is added
or that we've created both src and dst manips.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

On Mon, Apr 28, 2014 at 09:07:31PM +0200, Florian Westphal wrote:
> commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race
> where nat initialisation can happen after ctnetlink-created conntrack
> has been created.
> 
> However, it causes the nat module(s) to be loaded needlessly on
> systems that are not using NAT.
> 
> Fortunately, we do not have to create null bindings in that case.
> 
> conntracks injected via ctnetlink always have the CONFIRMED bit set,
> which prevents addition of the nat extension in nf_nat_ipv4/6_fn().
> 
> We only need to make sure that either no nat extension is added
> or that we've created both src and dst manips.

Thanks Florian, applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html