# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/02/18 01:11:06+01:00 kaber@coreworks.de
# [NETFILTER]: Prevent NAT from seeing fragments
#
# The path for loopback is:
# LOCAL_OUT: conntrack defrags
# POST_ROUTING: conntrack refrags
# PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL
# PRE_ROUTING: NAT gets hit by fragments
#
# Always defrag on loopback if NAT is compiled in.
#
# Signed-off-by: Patrick McHardy
# Acked-by: Rusty Russel
#
# net/ipv4/netfilter/ip_conntrack_standalone.c
# 2005/02/18 01:10:55+01:00 kaber@coreworks.de +2 -0
# [NETFILTER]: Prevent NAT from seeing fragments
#
# The path for loopback is:
# LOCAL_OUT: conntrack defrags
# POST_ROUTING: conntrack refrags
# PRE_ROUTING: skip conntrack defrag because skb->nfct != NULL
# PRE_ROUTING: NAT gets hit by fragments
#
# Always defrag on loopback if NAT is compiled in.
#
# Signed-off-by: Patrick McHardy
# Acked-by: Rusty Russel
#
diff -Nru a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 01:15:36 +01:00
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-02-18 01:15:36 +01:00
@@ -384,10 +384,12 @@
 const struct net_device *out,
 int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
 /* Previously seen (loopback)? Ignore. Do this before fragment check. */
 if ((*pskb)->nfct)
 return NF_ACCEPT;
+#endif
 /* Gather fragments. */
 if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
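Review bot: The comment left inside the new `#if` block, `Previously seen (loopback)? Ignore. Do this before fragment check.`, now describes only the non-NAT build; in a NAT build a loopback packet with `nfct` already set falls through to the gather-fragments path, and the reason (POST_ROUTING refragments what LOCAL_OUT reassembled, so PRE_ROUTING has to reassemble again before NAT runs) lives only in the changelog. Suggest a comment on the `#if` line such as `/* With NAT built in, loopback packets are refragmented at POST_ROUTING, so always defrag here; skipping on nfct would hand NAT fragments. */`. The guard is compile-time, so a `CONFIG_IP_NF_NAT_MODULE` kernel re-defrags every loopback packet even when the NAT module is not loaded — presumably an accepted cost, but worth stating in that comment. Whether the defrag path below correctly handles an skb that already carries a conntrack reference is not visible in this hunk; the enclosing hook function's signature starts before the hunk and its body continues after it.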