diff mbox

[Resolved,UMA,issue] netfilter: icmp: Enhance the return value check of nf_nat_icmp(v6)_reply_translation

Message ID BAY403-EAS1715250DCF2909E7CF2126B95470@phx.gbl
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Feng Gao Sept. 20, 2015, 12:39 a.m. UTC 
It could enhance the codes readability and save one extra instruction than
before

Signed-off-by: Feng Gao <gfree.wind@gmail.com>
---
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c |    6 +++---
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

 		/* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */
 	case IP_CT_NEW:
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Pablo Neira Ayuso Sept. 24, 2015, 10:13 a.m. UTC | #1 
On Thu, Sep 24, 2015 at 12:24:41PM +0800, Feng Gao wrote:
> Hi Pablo,
> 
> How about this patch?
> If it is ok, I have more confidence to try to commit more patches.

The patch format looks good, patchwork is catching it.

I'll go back to the pending list of patches as soon as the netns bunch
gets merged mainstream.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
index 22f4579..f5c0754 100644
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -294,11 +294,11 @@  nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct
sk_buff *skb,
 	case IP_CT_RELATED:
 	case IP_CT_RELATED_REPLY:
 		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
-			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
+			if (nf_nat_icmp_reply_translation(skb, ct, ctinfo,
 							   ops->hooknum))
-				return NF_DROP;
-			else
 				return NF_ACCEPT;
+			else
+				return NF_DROP;
 		}
 		/* Fall thru... (Only ICMPs can be IP_CT_IS_REPLY) */
 	case IP_CT_NEW:
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 70fbaed..40c0a49 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -302,12 +302,12 @@  nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct
sk_buff *skb,
 					  &nexthdr, &frag_off);
 
 		if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
-			if (!nf_nat_icmpv6_reply_translation(skb, ct,
ctinfo,
+			if (nf_nat_icmpv6_reply_translation(skb, ct, ctinfo,
 							     ops->hooknum,
 							     hdrlen))
-				return NF_DROP;
-			else
 				return NF_ACCEPT;
+			else
+				return NF_DROP;
 		}