diff options
author | Patrick McHardy <kaber@trash.net> | 2012-08-26 19:14:01 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-30 03:00:12 +0200 |
commit | 811927ccfe90fbfcfff5253ba7f95057f6cae692 (patch) | |
tree | c0e2606135bef4b786b3ee60126d02d64528c0a4 /net/netfilter/nf_conntrack_ftp.c | |
parent | 2b60af017880f7dc35d1fac65f48fc94f8a3c1ec (diff) |
netfilter: nf_conntrack: restrict NAT helper invocation to IPv4
The NAT helpers currently only handle IPv4 packets correctly. Restrict
invocation of the helpers to IPv4 in preparation of IPv6 NAT.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter/nf_conntrack_ftp.c')
-rw-r--r-- | net/netfilter/nf_conntrack_ftp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index 4bb771d1f57..3e1587e63c0 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c @@ -487,7 +487,8 @@ static int help(struct sk_buff *skb, /* Now, NAT might want to mangle the packet, and register the * (possibly changed) expectation itself. */ nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook); - if (nf_nat_ftp && ct->status & IPS_NAT_MASK) + if (nf_nat_ftp && nf_ct_l3num(ct) == NFPROTO_IPV4 && + ct->status & IPS_NAT_MASK) ret = nf_nat_ftp(skb, ctinfo, search[dir][i].ftptype, matchoff, matchlen, exp); else { |