Horms wrote:
> Index: net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c
>
============================================================
=======
> ---
net-2.6.19.orig/net/ipv4/netfilter/ipt_REJECT.c 2006-09-19
12:50:43.000000000 +0900
> +++
net-2.6.19/net/ipv4/netfilter/ipt_REJECT.c 2006-09-21
17:55:37.000000000 +0900
>  -38,13 +38,9 
> #define DEBUGP(format, args...)
> #endif
>
> -static inline struct rtable *route_reverse(struct
sk_buff *skb,
> - struct tcphdr *tcph, int hook)
> +static inline int send_reset_route(struct sk_buff
**pskb, int hook)
> {
> ...
> - security_skb_classify_flow(skb, &fl);
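
Review bot: the removed security_skb_classify_flow(skb, &fl) line in the body of the new send_reset_route() has no matching "+" line in the part of the hunk shown here, so the flow used to route the reset would no longer pass through the LSM classification hook. Either keep the call on the flow that the new code path builds, or say in the changelog which helper now performs the classification. The return type also changes from struct rtable * to int, so the caller should check the result before sending.
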
With this patch we lose the security_skb_classify_flow call.
I think it is also needed in ip_route_me_harder, if so your patch seems fine (but I get large rejects with the current tree, so I'm going to redo it).
Venkat, is it correct to place a security_skb_classify_flow call in ip_route_me_harder (which also handles currently unlabeled protocols)?