@@ -1517,11 +1517,11 @@ extract_l3_ipv4(struct conn_key *key, const void *data, size_t size,
return false;
}
- *new_data = (char *) data + ip_len;
- }
+ if (IP_IS_FRAGMENT(ip->ip_frag_off)) {
+ return false;
+ }
- if (IP_IS_FRAGMENT(ip->ip_frag_off)) {
- return false;
+ *new_data = (char *) data + ip_len;
}
if (validate_checksum && csum(data, ip_len) != 0) {
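Review bot: The fragment check now sits inside the block closed by the `}` that follows `*new_data = (char *) data + ip_len;`, so it no longer runs unconditionally as it did before this change. That block opens outside the hunk; the unguarded write through `new_data` suggests it is an `if (new_data)` guard, in which case callers passing NULL would no longer have IPv4 fragments rejected here. The IPv6 hunk keeps `if (nw_frag)` outside its `if (new_data)` block, so the two functions would diverge. Keeping `if (IP_IS_FRAGMENT(ip->ip_frag_off)) { return false; }` outside the guarded block, either where it was or directly ahead of the block if the header bytes are already bounds-checked at that point, preserves the rejection for every caller.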
@@ -1561,14 +1561,14 @@ extract_l3_ipv6(struct conn_key *key, const void *data, size_t size,
return false;
}
- if (new_data) {
- *new_data = data;
- }
-
if (nw_frag) {
return false;
}
+ if (new_data) {
+ *new_data = data;
+ }
+
key->src.addr.ipv6 = ip6->ip6_src;
key->dst.addr.ipv6 = ip6->ip6_dst;
key->nw_proto = nw_proto;
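Review bot: After this reordering `*new_data` is left unwritten when the function returns false on the `if (nw_frag)` path, a small change to the output-parameter contract that the code does not state. A one-line comment above the check, `/* Fragments are rejected before *new_data is written; do not read it after a false return. */`, would make that explicit. The function body starts and ends outside the hunk, so whether any caller reads `*new_data` after a false return cannot be confirmed from here.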
The functions extract_l3_ipv4 and extract_l3_ipv6 check for unsupported ip fragments and return early. The checks were after an assignment that would not be needed when early return happens. This is slightly inefficient, but mostly reads poorly. Hence, reorder the ip fragment checks before the assignments. Signed-off-by: Darrell Ball <dlu998@gmail.com> --- lib/conntrack.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)