netfilter: connmark: ignore skbs with magic untracked conntrack objects

[linux-2.6-microblaze.git] / net / netfilter / xt_connmark.c

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 69f78e9..b83e158 100644 (file)
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -44,7 +44,7 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
        u_int32_t newmark;
 
        ct = nf_ct_get(skb, &ctinfo);
-       if (ct == NULL)
+       if (ct == NULL || nf_ct_is_untracked(ct))
                return XT_CONTINUE;
 
        switch (info->mode) {
@@ -97,7 +97,7 @@ connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
        const struct nf_conn *ct;
 
        ct = nf_ct_get(skb, &ctinfo);
-       if (ct == NULL)
+       if (ct == NULL || nf_ct_is_untracked(ct))
                return false;
 
        return ((ct->mark & info->mask) == info->mark) ^ info->invert;