diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2011-01-18 16:27:56 +0100 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2011-01-18 16:27:56 +0100 |
| commit | 94d117a1c78df38abdea0c09ef00c205b923b567 (patch) | |
| tree | dae2d28e1627c95fd785cdb960bc9eb2b8b2838d /net | |
| parent | a8fc0d9b3401cb5e42a437293db383998290157d (diff) | |
| download | linux-3.10-94d117a1c78df38abdea0c09ef00c205b923b567.tar.gz linux-3.10-94d117a1c78df38abdea0c09ef00c205b923b567.tar.bz2 linux-3.10-94d117a1c78df38abdea0c09ef00c205b923b567.zip | |
netfilter: ipt_CLUSTERIP: remove "no conntrack!"
When a packet is meant to be handled by another node of the cluster,
silently drop it instead of flooding kernel log.
Note : INVALID packets are also dropped without notice.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1e26a489765..403ca57f601 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -300,13 +300,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) * that the ->target() function isn't called after ->destroy() */ ct = nf_ct_get(skb, &ctinfo); - if (ct == NULL) { - pr_info("no conntrack!\n"); - /* FIXME: need to drop invalid ones, since replies - * to outgoing connections of other nodes will be - * marked as INVALID */ + if (ct == NULL) return NF_DROP; - } /* special case: ICMP error handling. conntrack distinguishes between * error messages (RELATED) and information requests (see below) */ |