From: Florian Westphal
Date: Thu, 20 Jan 2011 09:23:26 +0000 (+0100)
Subject: netfilter: do not omit re-route check on NF_QUEUE verdict
X-Git-Tag: v2.6.39-rc1~468^2~511
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28a51ba59a1a983d63d4775e9bb8230fe0fb3b29;p=pandora-kernel.git

netfilter: do not omit re-route check on NF_QUEUE verdict

ret != NF_QUEUE only works in the "--queue-num 0" case; for
queues > 0 the test should be '(ret & NF_VERDICT_MASK) != NF_QUEUE'.

However, NF_QUEUE no longer DROPs the skb unconditionally if queueing
fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the
re-route test should also be performed if this flag is set in the
verdict.

The full test would then look something like

    && ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS))

This is rather ugly, so just remove the NF_QUEUE test altogether.

The only effect is that we might perform an unnecessary route lookup
in the NF_QUEUE case.

ip6table_mangle did not have such a check.

Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
---
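The verdict encoding behind the commit message above, as an added example that is not part of the commit or of the kernel source: it builds queue verdicts for different queue numbers and shows which ones the plain and the masked comparison recognise. The macro names are the ones the message uses; their numeric values are reproduced from the kernel's netfilter header as an assumption (they are not on this page), and the helper function names and sample verdicts are constructed for illustration.

```c
#include <stdio.h>

/* Verdict encoding constants. Names as used in the commit message; numeric
 * values reproduced from the kernel's netfilter header (assumption, they do
 * not appear on this page). */
#define NF_QUEUE                     3
#define NF_VERDICT_MASK              0x000000ff
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000
#define NF_VERDICT_QMASK             0xffff0000
#define NF_VERDICT_QBITS             16

/* Build the verdict for queue number n (hypothetical helper for this example). */
static unsigned int queue_verdict(unsigned int n, int bypass)
{
	unsigned int v = ((n << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE;
	return bypass ? (v | NF_VERDICT_FLAG_QUEUE_BYPASS) : v;
}

/* The plain comparison: matches only queue 0 with no flag bits set. */
static int plain_test_is_queue(unsigned int ret)
{
	return ret == NF_QUEUE;
}

/* The masked comparison the commit message gives for queues > 0. */
static int masked_test_is_queue(unsigned int ret)
{
	return (ret & NF_VERDICT_MASK) == NF_QUEUE;
}

/* Queue verdict that carries the bypass flag, so a failed queueing
 * attempt no longer means the skb is dropped. */
static int queue_with_bypass(unsigned int ret)
{
	return masked_test_is_queue(ret) && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS) != 0;
}

int main(void)
{
	/* Constructed sample verdicts: queue 0, queue 5, queue 5 with bypass. */
	unsigned int samples[] = { queue_verdict(0, 0), queue_verdict(5, 0),
				   queue_verdict(5, 1) };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("ret=0x%08x plain=%d masked=%d bypass=%d\n", samples[i],
		       plain_test_is_queue(samples[i]),
		       masked_test_is_queue(samples[i]),
		       queue_with_bypass(samples[i]));
	return 0;
}
```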