netfilter: conntrack: dccp: try not to drop skb in conntrack

It would be better not to drop skb in conntrack unless we have good
alternatives. So we can treat the result of testing skb's header
pointer as nf_conntrack_tcp_packet() does.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Jason Xing 2024-03-25 10:59:38 +08:00 committed by Pablo Neira Ayuso
parent 4a3540a8bf
commit 40616789ec

View File

@ -525,7 +525,7 @@ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh); dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh);
if (!dh) if (!dh)
return NF_DROP; return -NF_ACCEPT;
if (dccp_error(dh, skb, dataoff, state)) if (dccp_error(dh, skb, dataoff, state))
return -NF_ACCEPT; return -NF_ACCEPT;
@ -533,7 +533,7 @@ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
/* pull again, including possible 48 bit sequences and subtype header */ /* pull again, including possible 48 bit sequences and subtype header */
dh = dccp_header_pointer(skb, dataoff, dh, &_dh); dh = dccp_header_pointer(skb, dataoff, dh, &_dh);
if (!dh) if (!dh)
return NF_DROP; return -NF_ACCEPT;
type = dh->dccph_type; type = dh->dccph_type;
if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh, state)) if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh, state))