From: Ulrich Weber <ulrich.weber@sophos.com>
Date: Thu, 25 Oct 2012 05:34:45 +0000 (+0000)
Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
X-Git-Tag: v3.2.35~67
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c1972f1b4f784560003075e05dcd95c1db8116e;p=pandora-kernel.git

netfilter: nf_nat: don't check for port change on ICMP tuples

commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.

ICMP tuples have id in src and type/code in dst.
So comparing src.u.all with dst.u.all will always fail here
and ip_xfrm_me_harder() is called for every ICMP packet,
even if there was no NAT.

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
[Pablo Neira Ayuso: Backported to.3.0]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---

Reading git-diff-tree failed