[Devel] [PATCH rh7] net: Add VE_NF_CONNTRACK check in resolve_normal_ct()

Kirill Tkhai Mon, 27 Jul 2015 08:25:57 -0700

This is a missed hunk from diff-ve-net-netfilter-combined.

https://jira.sw.ru/browse/PSBM-35154


Signed-off-by: Kirill Tkhai <[email protected]>
---
 net/netfilter/nf_conntrack_core.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index dc22438..5766231 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -892,6 +892,9 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
        u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE;
        u32 hash;
 
+       if (!net_ipt_permitted(net, VE_NF_CONNTRACK))
+               return NULL;
+
        if (!nf_ct_get_tuple(skb, skb_network_offset(skb),
                             dataoff, l3num, protonum, &tuple, l3proto,
                             l4proto)) {
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel

[Devel] [PATCH rh7] net: Add VE_NF_CONNTRACK check in resolve_normal_ct()

Reply via email to