* [PATCH 1/2] netfilter: reset nf_trace in nf_reset @ 2013-03-22 5:48 Gao feng 2013-03-22 5:48 ` [PATCH 2/2] netfilter: TRACE: use IS_ENABLE to replace if defined Gao feng 2013-03-25 19:31 ` [PATCH 1/2] netfilter: reset nf_trace in nf_reset Pablo Neira Ayuso 0 siblings, 2 replies; 4+ messages in thread From: Gao feng @ 2013-03-22 5:48 UTC (permalink / raw) To: netfilter-devel, netdev; +Cc: Gao feng We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- include/linux/skbuff.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 441f5bf..72b3967 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2641,6 +2641,9 @@ static inline void nf_reset(struct sk_buff *skb) nf_bridge_put(skb->nf_bridge); skb->nf_bridge = NULL; #endif +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) + skb->nf_trace = 0; +#endif } /* Note: This doesn't put any conntrack and bridge info in dst. */ -- 1.7.11.7 ^ permalink raw reply related [flat|nested] 4+ messages in thread
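Review bot: the commit message does not name the call site at which nf_reset() runs on the veth path, so a reviewer cannot confirm from the patch alone that this is where the flag crosses the namespace boundary; add that call path to the message. The effect of the bug is also worth stating explicitly: as the ipt_do_table() hunk in patch 2/2 shows, trace_packet() is invoked whenever skb->nf_trace is set, so a stale bit carried into the peer namespace causes that namespace's rule traversal to be logged even though no TRACE rule there requested it (unexpected log volume and a view into another namespace's ruleset activity). The `#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)` guard is correct, since IS_ENABLED() is true for both built-in and module builds, matching the `defined(...) || defined(..._MODULE)` pairs that patch 2/2 replaces, and it has to stay for as long as the nf_trace field is declared under that same condition.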
* [PATCH 2/2] netfilter: TRACE: use IS_ENABLE to replace if defined 2013-03-22 5:48 [PATCH 1/2] netfilter: reset nf_trace in nf_reset Gao feng @ 2013-03-22 5:48 ` Gao feng 2013-04-01 23:21 ` Pablo Neira Ayuso 2013-03-25 19:31 ` [PATCH 1/2] netfilter: reset nf_trace in nf_reset Pablo Neira Ayuso 1 sibling, 1 reply; 4+ messages in thread From: Gao feng @ 2013-03-22 5:48 UTC (permalink / raw) To: netfilter-devel, netdev; +Cc: Gao feng Inder to reduce codes, Use IS_ENABLE to replace the if defined. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- net/ipv4/ip_output.c | 3 +-- net/ipv4/netfilter/ip_tables.c | 6 ++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 5e12dca..147abf5 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -430,8 +430,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) to->tc_index = from->tc_index; #endif nf_copy(to, from); -#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ - defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) to->nf_trace = from->nf_trace; #endif #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 3efcf87..1b433aa 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -182,8 +182,7 @@ ipt_get_target_c(const struct ipt_entry *e) return ipt_get_target((struct ipt_entry *)e); } -#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ - defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) static const char *const hooknames[] = { [NF_INET_PRE_ROUTING] = "PREROUTING", [NF_INET_LOCAL_IN] = "INPUT", 
@@ -361,8 +360,7 @@ ipt_do_table(struct sk_buff *skb, t = ipt_get_target(e); IP_NF_ASSERT(t->u.kernel.target); -#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ - defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) /* The packet is traced: log it */ if (unlikely(skb->nf_trace)) trace_packet(skb, hook, in, out, -- 1.7.11.7 ^ permalink raw reply related [flat|nested] 4+ messages in thread
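Review bot: in the ip_copy_metadata() hunk of net/ipv4/ip_output.c, the trailing context line `#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)` keeps the exact idiom this patch removes two lines above it; either convert it to `#if IS_ENABLED(CONFIG_IP_VS)` in the same patch or say in the commit message that only the TRACE guards are in scope, so the mixed style within one function is not read as an oversight. Behaviour is unchanged by the hunk: IS_ENABLED(X) is true for both CONFIG_X=y and CONFIG_X=m, which is exactly the pair of defined() tests being replaced.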
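Review bot: the two net/ipv4/netfilter/ip_tables.c hunks (the hooknames[] table guard and the `if (unlikely(skb->nf_trace))` guard in ipt_do_table()) are behaviour-preserving, but the subject line and body name the macro as `IS_ENABLE` while the hunks use `IS_ENABLED`; fix the commit message so a log search for the macro finds this change, and "Inder to reduce codes" should read "In order to reduce code". It is also worth noting in the message that the ipt_do_table() guard is the condition under which the trace bit is acted upon, so the reset added in patch 1/2 deliberately uses the same condition.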
* Re: [PATCH 2/2] netfilter: TRACE: use IS_ENABLE to replace if defined

From: Pablo Neira Ayuso @ 2013-04-01 23:21 UTC
To: Gao feng; +Cc: netfilter-devel, netdev

On Fri, Mar 22, 2013 at 01:48:42PM +0800, Gao feng wrote:
> Inder to reduce codes, Use IS_ENABLE to replace the
> if defined.

Applied, thanks.
* Re: [PATCH 1/2] netfilter: reset nf_trace in nf_reset

From: Pablo Neira Ayuso @ 2013-03-25 19:31 UTC
To: Gao feng; +Cc: netfilter-devel, netdev

On Fri, Mar 22, 2013 at 01:48:41PM +0800, Gao feng wrote:
> We forgot to clear the nf_trace of sk_buff in nf_reset,
> When we use veth device, this nf_trace information will
> be leaked from one net namespace to another net namespace.

Applied to the nf tree, thanks Gao.