[NETFILTER]: move check for already tracked/untracked before fragment check
authorPatrick McHardy <kaber@coreworks.de>
Tue, 28 Sep 2004 13:34:58 +0000 (06:34 -0700)
committerDavid S. Miller <davem@nuts.davemloft.net>
Tue, 28 Sep 2004 13:34:58 +0000 (06:34 -0700)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ip_conntrack_core.c

index 4ff182371a3df3405dd866703a50ec77eef4bd49..67caf5f43daf6e37e3c7db03e2949c957b96f8c8 100644 (file)
@@ -688,6 +688,12 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
        int set_reply;
        int ret;
 
+       /* Previously seen (loopback or untracked)?  Ignore. */
+       if ((*pskb)->nfct) {
+               CONNTRACK_STAT_INC(ignore);
+               return NF_ACCEPT;
+       }
+
        /* Never happen */
        if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
                if (net_ratelimit()) {
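Review bot: The relocated `nfct` check at the top of this hunk does not say why it has to precede the fragment check, and the `/* Never happen */` comment below it now holds only for packets that conntrack is actually tracking. Presumably packets already marked as loopback or untracked skip defragmentation and can still arrive here as fragments, which would be why the order matters; if so, record it in the comment, e.g. `/* Previously seen (loopback or untracked)? Ignore. Must come before the fragment check: these packets may not have been defragmented. */`. Such packets also now return `NF_ACCEPT` without passing any sanity check in this function, with the `ignore` counter as the only trace, so fragment handling for untracked traffic has to be enforced elsewhere in the rule set. ip_conntrack_in starts and ends outside the hunk.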
@@ -715,12 +721,6 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
        }
 #endif
 
-       /* Previously seen (loopback or untracked)?  Ignore. */
-       if ((*pskb)->nfct) {
-               CONNTRACK_STAT_INC(ignore);
-               return NF_ACCEPT;
-       }
-
        proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
 
        /* It may be an special packet, error, unclean...