netfilter: nf_defrag: move NF_CONNTRACK bits into #ifdef

We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
disabled:

net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member named '_nfct'
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c: In function 'ipv6_defrag':
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68:9: error: 'struct sk_buff' has no member named '_nfct'

Both functions already have an #ifdef for this, so let's move the
check in there.

Fixes: 902d6a4c2a4f ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index cbd987f6b1f812223a2bf9709e4c754658052d77..a0d3ad60a41132822eb54845c9fbfe8098e161fc 100644 (file)
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -78,9 +78,11 @@ static unsigned int ipv4_conntrack_defrag(void *priv,
        if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
                return NF_ACCEPT;
 #endif
+       if (skb->_nfct == IP_CT_UNTRACKED)
+               return NF_ACCEPT;
 #endif
        /* Gather fragments. */
-       if (skb->_nfct != IP_CT_UNTRACKED && ip_is_fragment(ip_hdr(skb))) {
+       if (ip_is_fragment(ip_hdr(skb))) {
                enum ip_defrag_users user =
                        nf_ct_defrag_user(state->hook, skb);
 

diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index 87b503a8f5efe63131b24e2642dd743d433b038c..c87b48359e8f482d6e8deb91a19502b484f718ed 100644 (file)
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -63,10 +63,10 @@ static unsigned int ipv6_defrag(void *priv,
        /* Previously seen (loopback)?  */
        if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
                return NF_ACCEPT;
-#endif
 
        if (skb->_nfct == IP_CT_UNTRACKED)
                return NF_ACCEPT;
+#endif
 
        err = nf_ct_frag6_gather(state->net, skb,
                                 nf_ct6_defrag_user(state->hook, skb));