| Message ID | 20210322235628.2204-6-pablo@netfilter.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 2babb46c8c825e5039bbf0c273d82df3210dd43b |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next,01/10] netfilter: flowtable: separate replace, destroy and stats to different workqueues | expand |
| Context | Check | Description |
|---|---|---|
| netdev/apply | success | Patch already applied to net-next |
| netdev/tree_selection | success | Clearly marked for net-next |
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 2b8ee5dcef64..95adf74515ea 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -266,10 +266,6 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, iph = ip_hdr(skb); thoff = iph->ihl * 4; - if (skb_try_make_writable(skb, thoff + hdrsize)) - return NF_DROP; - - iph = ip_hdr(skb); if (nf_flow_state_check(flow, iph->protocol, skb, thoff)) return NF_ACCEPT; @@ -280,6 +276,10 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, return NF_ACCEPT; } + if (skb_try_make_writable(skb, thoff + hdrsize)) + return NF_DROP; + + iph = ip_hdr(skb); if (nf_flow_nat_ip(flow, skb, thoff, dir, iph) < 0) return NF_DROP;
For consistency with the IPv6 flowtable datapath and to make sure the skbuff is writable right before the NAT header updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_flow_table_ip.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)