* [PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks
@ 2013-05-23 8:42 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-05-23 8:42 UTC (permalink / raw)
To: netfilter-devel
This patch adds the capability to attach expectations to unconfirmed
conntrack entries. This patch is required by the DHCPv6 helper in
user-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 4 ++++
include/uapi/linux/netfilter/nfnetlink_conntrack.h | 1 +
net/netfilter/nf_conntrack_core.c | 20 ++++++++++++++++++++
net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++++--
4 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 644d9c2..d172fc5 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -180,6 +180,10 @@ extern struct nf_conntrack_tuple_hash *
__nf_conntrack_find(struct net *net, u16 zone,
const struct nf_conntrack_tuple *tuple);
+struct nf_conntrack_tuple_hash *
+nf_ct_unconfirmed_find(struct net *net, u16 zone,
+ const struct nf_conntrack_tuple *tuple);
+
extern int nf_conntrack_hash_check_insert(struct nf_conn *ct);
extern void nf_ct_delete_from_lists(struct nf_conn *ct);
extern void nf_ct_dying_timeout(struct nf_conn *ct);
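Review bot: The new prototype at the top of this hunk is the only declaration in the visible stretch without `extern`, while `__nf_conntrack_find` above it and `nf_conntrack_hash_check_insert` below it both carry one; for consistency write `extern struct nf_conntrack_tuple_hash *` on the first line and keep the rest as is. A one-line comment on the declaration stating the lifetime contract of the returned entry — whether the caller receives a reference and what, if anything, keeps the entry alive once the call returns — would help as well, because the `_find` versus `_find_get` naming used nearby is the only hint and callers in other files never see the body.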
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
index 08fabc6..8f7c2fe 100644
--- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
@@ -187,6 +187,7 @@ enum ctattr_expect {
CTA_EXPECT_CLASS,
CTA_EXPECT_NAT,
CTA_EXPECT_FN,
+ CTA_EXPECT_MASTER_STATUS,
__CTA_EXPECT_MAX
};
#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
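Review bot: The new attribute is added to the userspace-facing enum without any comment on its payload type or meaning, so its contract currently lives only in the kernel parsing code. A short comment, `CTA_EXPECT_MASTER_STATUS, /* u32: IPS_* status bits of the master conntrack; only IPS_CONFIRMED is consulted */`, would let library authors use it without reading nf_conntrack_netlink.c; the "only IPS_CONFIRMED" part is what the ctnetlink hunk of this patch implements today, so adjust it if the semantics widen later.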
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index ebb81d6..a6e5764 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -401,6 +401,26 @@ nf_conntrack_find_get(struct net *net, u16 zone,
}
EXPORT_SYMBOL_GPL(nf_conntrack_find_get);
+struct nf_conntrack_tuple_hash *
+nf_ct_unconfirmed_find(struct net *net, u16 zone,
+ const struct nf_conntrack_tuple *tuple)
+{
+ struct nf_conntrack_tuple_hash *h, *ret = NULL;
+ struct hlist_nulls_node *n;
+
+ rcu_read_lock();
+ hlist_nulls_for_each_entry_rcu(h, n, &net->ct.unconfirmed, hnnode) {
+ if (nf_ct_tuple_equal(tuple, &h->tuple) &&
+ nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) {
+ ret = h;
+ break;
+ }
+ }
+ rcu_read_unlock();
+ return ret;
+}
+EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_find);
+
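Review bot: The walk over `net->ct.unconfirmed` returns the first entry whose tuple and zone match, with none of the defensive steps a nulls-list lookup under RCU normally needs: the loop never checks that it terminated on this list's own nulls marker, and nothing re-validates the tuple and zone once the entry is pinned. If conntrack objects on this list are freed and reused under RCU the way the hashed ones are (the allocator discipline is not visible in this hunk), an entry can change identity between the match and the return, so the lookup should mirror what the existing `__nf_conntrack_find`/`nf_conntrack_find_get` pair does — restart when `get_nulls_value(n)` is not the unconfirmed list's value, and re-check `nf_ct_tuple_equal()` and the zone after the entry is held. Separately, the commit message should spell out that an unconfirmed entry is one whose creating packet may still be dropped; attaching an expectation to it is a new way for a ctnetlink user to act on a conntrack that would otherwise never have become visible, and that deserves an explicit sentence.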
static void __nf_conntrack_hash_insert(struct nf_conn *ct,
unsigned int hash,
unsigned int repl_hash)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6d0f8a1..3596682 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2742,7 +2742,7 @@ ctnetlink_create_expect(struct net *net, u16 zone,
struct nf_conn *ct;
struct nf_conn_help *help;
struct nf_conntrack_helper *helper = NULL;
- u_int32_t class = 0;
+ u_int32_t class = 0, master_status;
int err = 0;
/* caller guarantees that those three CTA_EXPECT_* exist */
@@ -2756,8 +2756,18 @@ ctnetlink_create_expect(struct net *net, u16 zone,
if (err < 0)
return err;
+ if (cda[CTA_EXPECT_MASTER_STATUS]) {
+ master_status =
+ ntohl(nla_get_be32(cda[CTA_EXPECT_MASTER_STATUS]));
+ } else
+ master_status = IPS_CONFIRMED;
+
/* Look for master conntrack of this expectation */
- h = nf_conntrack_find_get(net, zone, &master_tuple);
+ if (master_status & IPS_CONFIRMED)
+ h = nf_conntrack_find_get(net, zone, &master_tuple);
+ else
+ h = nf_ct_unconfirmed_find(net, zone, &master_tuple);
+
if (!h)
return -ENOENT;
ct = nf_ct_tuplehash_to_ctrack(h);
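Review bot: `nla_get_be32(cda[CTA_EXPECT_MASTER_STATUS])` at the top of this hunk reads four bytes from an attribute that nothing in this patch has length-checked: no hunk adds `[CTA_EXPECT_MASTER_STATUS] = { .type = NLA_U32 }` to the expectation attribute policy, and the diffstat accounts for every hunk shown. Unless that policy entry already exists elsewhere (not visible here), a ctnetlink message carrying a zero- or short-length CTA_EXPECT_MASTER_STATUS makes this read past the attribute payload; the fix is the one-line policy entry next to the other `CTA_EXPECT_*` entries. Since only `IPS_CONFIRMED` is consulted, any other bits in the value are silently accepted; either reject them (`if (master_status & ~IPS_CONFIRMED) return -EINVAL;`) or document that they are ignored, so the attribute's contract is explicit for userspace. `ctnetlink_create_expect` starts above this hunk and continues below it.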
--
1.7.10.4
* [PATCH 2/3] netfilter: don't panic on error while walking through the init path
@ 2013-05-23 8:42 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-05-23 8:42 UTC (permalink / raw)
To: netfilter-devel
Don't panic if we hit an error while adding the nf_log or pernet
netfilter support, just bail out.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/core.c | 19 ++++++++++++++-----
net/netfilter/nf_log.c | 5 +----
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 07c865a..3905104 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -304,15 +304,24 @@ static struct pernet_operations netfilter_net_ops = {
void __init netfilter_init(void)
{
- int i, h;
+ int i, h, ret;
+
for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) {
for (h = 0; h < NF_MAX_HOOKS; h++)
INIT_LIST_HEAD(&nf_hooks[i][h]);
}
- if (register_pernet_subsys(&netfilter_net_ops) < 0)
- panic("cannot create netfilter proc entry");
+ ret = register_pernet_subsys(&netfilter_net_ops);
+ if (ret < 0)
+ goto err;
+
+ ret = netfilter_log_init();
+ if (ret < 0)
+ goto err_pernet;
- if (netfilter_log_init() < 0)
- panic("cannot initialize nf_log");
+ return 0;
+err_pernet:
+ unregister_pernet_subsys(&netfilter_net_ops);
+err:
+ return ret;
}
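Review bot: `return 0;` and `return ret;` are added to a function whose signature, on the unchanged context line at the top of this hunk, is still `void __init netfilter_init(void)`, so the error path cannot report anything to its caller and the compiler will flag the value-returning `return`s. Change the signature to `int __init netfilter_init(void)` and make the caller (outside this patch) act on a non-zero result; otherwise removing the panic() turns a loud early failure into a silent one, with netfilter continuing after the pernet ops or nf_log failed to register. A `pr_err()` on each error path would also preserve the diagnostic text the two panic messages used to carry.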
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 388656d..bd5474a 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -368,10 +368,7 @@ static int __net_init nf_log_net_init(struct net *net)
return 0;
out_sysctl:
- /* For init_net: errors will trigger panic, don't unroll on error. */
- if (!net_eq(net, &init_net))
- remove_proc_entry("nf_log", net->nf.proc_netfilter);
-
+ remove_proc_entry("nf_log", net->nf.proc_netfilter);
return ret;
}
--
1.7.10.4
* [PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation
@ 2013-05-23 8:42 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-05-23 8:42 UTC (permalink / raw)
To: netfilter-devel
This target has been superseded by NFLOG. Emit a warning so we
can prepare for its removal in a couple of years.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netns/x_tables.h | 6 ++++++
net/bridge/netfilter/ebt_ulog.c | 6 ++++++
net/ipv4/netfilter/Kconfig | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 6 ++++++
4 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index c24060e..02fe40f 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -15,5 +15,11 @@ struct netns_xt {
struct ebt_table *frame_filter;
struct ebt_table *frame_nat;
#endif
+#if IS_ENABLED(CONFIG_IP_NF_TARGET_ULOG)
+ bool ulog_warn_deprecated;
+#endif
+#if IS_ENABLED(CONFIG_BRIDGE_EBT_ULOG)
+ bool ebt_ulog_warn_deprecated;
+#endif
};
#endif
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index fc1905c..bfc40c7 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -267,6 +267,12 @@ static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_ulog_info *uloginfo = par->targinfo;
+ if (!par->net->nf.ebt_ulog_warn_deprecated) {
+ pr_info("ebt_ulog is deprecated and it will be removed soon, "
+ "use ebt_nflog instead\n");
+ par->net->nf.ebt_ulog_warn_deprecated = true;
+ }
+
if (uloginfo->nlgroup > 31)
return -EINVAL;
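Review bot: The deprecation message is emitted with `pr_info`, which many logging setups do not surface by default, and its text, `will be removed soon`, does not match the commit message's plan to remove the target "in a couple of years". Use `pr_warn` so the notice is seen where operators look, and phrase the timeline consistently, e.g. `pr_warn("ebt_ulog is deprecated and will be removed in a future release, use ebt_nflog instead\n");`. The notice is also printed before `nlgroup` is validated on the following line, so a rule that is then rejected with -EINVAL still consumes the per-netns notice; moving the check after the validation ties the warning to rules that actually load.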
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index e7916c1..4e90280 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -111,7 +111,7 @@ config IP_NF_TARGET_REJECT
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_ULOG
- tristate "ULOG target support"
+ tristate "ULOG target support (obsolete)"
default m if NETFILTER_ADVANCED=n
---help---
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index f8a222cb..c1953d0 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -325,6 +325,12 @@ static int ulog_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ulog_info *loginfo = par->targinfo;
+ if (!par->net->xt.ulog_warn_deprecated) {
+ pr_info("ULOG is deprecated and it will be removed soon, "
+ "use NFLOG instead\n");
+ par->net->xt.ulog_warn_deprecated = true;
+ }
+
if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
pr_debug("prefix not null-terminated\n");
return -EINVAL;
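Review bot: The once-per-netns flag means every newly created network namespace prints this line again the first time a ULOG rule is loaded in it, so on a system that allows unprivileged user and network namespaces an ordinary user can generate one kernel-log line per namespace; that is bounded, but it should be a deliberate choice. If the intent is a single tree-wide notice, `pr_info_once()` needs no new per-net state and the two new `struct netns_xt` fields can go; if the intent is that each namespace's administrator sees it once, keep the flag but say so in the commit message. Either way `pr_warn` rather than `pr_info` is the conventional level for a deprecation, and the message is printed before the prefix check on the next line, so even a rule that is rejected with -EINVAL uses up the one notice.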
--
1.7.10.4
* Re: [PATCH 2/3] netfilter: don't panic on error while walking through the init path
@ 2013-05-23 8:50 ` Gao feng
From: Gao feng @ 2013-05-23 8:50 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 05/23/2013 04:42 PM, Pablo Neira Ayuso wrote:
> Don't panic if we hit an error while adding the nf_log or pernet
> netfilter support, just bail out.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
> net/netfilter/core.c | 19 ++++++++++++++-----
> net/netfilter/nf_log.c | 5 +----
> 2 files changed, 15 insertions(+), 9 deletions(-)
>
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 07c865a..3905104 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -304,15 +304,24 @@ static struct pernet_operations netfilter_net_ops = {
>
> void __init netfilter_init(void)
> {
> - int i, h;
> + int i, h, ret;
> +
> for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) {
> for (h = 0; h < NF_MAX_HOOKS; h++)
> INIT_LIST_HEAD(&nf_hooks[i][h]);
> }
>
> - if (register_pernet_subsys(&netfilter_net_ops) < 0)
> - panic("cannot create netfilter proc entry");
> + ret = register_pernet_subsys(&netfilter_net_ops);
> + if (ret < 0)
> + goto err;
> +
> + ret = netfilter_log_init();
> + if (ret < 0)
> + goto err_pernet;
>
> - if (netfilter_log_init() < 0)
> - panic("cannot initialize nf_log");
> + return 0;
> +err_pernet:
> + unregister_pernet_subsys(&netfilter_net_ops);
> +err:
> + return ret;
> }
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
> index 388656d..bd5474a 100644
> --- a/net/netfilter/nf_log.c
> +++ b/net/netfilter/nf_log.c
> @@ -368,10 +368,7 @@ static int __net_init nf_log_net_init(struct net *net)
> return 0;
>
> out_sysctl:
> - /* For init_net: errors will trigger panic, don't unroll on error. */
> - if (!net_eq(net, &init_net))
> - remove_proc_entry("nf_log", net->nf.proc_netfilter);
> -
> + remove_proc_entry("nf_log", net->nf.proc_netfilter);
> return ret;
> }
>
>
* Re: [PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation
@ 2013-05-23 8:59 ` Gao feng
From: Gao feng @ 2013-05-23 8:59 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 05/23/2013 04:42 PM, Pablo Neira Ayuso wrote:
> This target has been superseded by NFLOG. Spot a warning
> so we prepare removal in a couple of years.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> include/net/netns/x_tables.h | 6 ++++++
> net/bridge/netfilter/ebt_ulog.c | 6 ++++++
> net/ipv4/netfilter/Kconfig | 2 +-
> net/ipv4/netfilter/ipt_ULOG.c | 6 ++++++
> 4 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
> index c24060e..02fe40f 100644
> --- a/include/net/netns/x_tables.h
> +++ b/include/net/netns/x_tables.h
> @@ -15,5 +15,11 @@ struct netns_xt {
> struct ebt_table *frame_filter;
> struct ebt_table *frame_nat;
> #endif
> +#if IS_ENABLED(CONFIG_IP_NF_TARGET_ULOG)
> + bool ulog_warn_deprecated;
> +#endif
> +#if IS_ENABLED(CONFIG_BRIDGE_EBT_ULOG)
> + bool ebt_ulog_warn_deprecated;
> +#endif
> };
> #endif
> diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
> index fc1905c..bfc40c7 100644
> --- a/net/bridge/netfilter/ebt_ulog.c
> +++ b/net/bridge/netfilter/ebt_ulog.c
> @@ -267,6 +267,12 @@ static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
> {
> struct ebt_ulog_info *uloginfo = par->targinfo;
>
> + if (!par->net->nf.ebt_ulog_warn_deprecated) {
par->net->xt.ebt_ulog_warn_deprecated?
anyway
Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
> + pr_info("ebt_ulog is deprecated and it will be removed soon, "
> + "use ebt_nflog instead\n");
> + par->net->nf.ebt_ulog_warn_deprecated = true;
> + }
> +
> if (uloginfo->nlgroup > 31)
> return -EINVAL;
>
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index e7916c1..4e90280 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -111,7 +111,7 @@ config IP_NF_TARGET_REJECT
> To compile it as a module, choose M here. If unsure, say N.
>
> config IP_NF_TARGET_ULOG
> - tristate "ULOG target support"
> + tristate "ULOG target support (obsolete)"
> default m if NETFILTER_ADVANCED=n
> ---help---
>
> diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
> index f8a222cb..c1953d0 100644
> --- a/net/ipv4/netfilter/ipt_ULOG.c
> +++ b/net/ipv4/netfilter/ipt_ULOG.c
> @@ -325,6 +325,12 @@ static int ulog_tg_check(const struct xt_tgchk_param *par)
> {
> const struct ipt_ulog_info *loginfo = par->targinfo;
>
> + if (!par->net->xt.ulog_warn_deprecated) {
> + pr_info("ULOG is deprecated and it will be removed soon, "
> + "use NFLOG instead\n");
> + par->net->xt.ulog_warn_deprecated = true;
> + }
> +
> if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
> pr_debug("prefix not null-terminated\n");
> return -EINVAL;
>
* Re: [PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks
@ 2013-05-23 9:34 ` Gao feng
From: Gao feng @ 2013-05-23 9:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 05/23/2013 04:42 PM, Pablo Neira Ayuso wrote:
> This patch adds the capability to attach expectations to unconfirmed
> conntrack entries. This patch is required by the DHCPv6 helper in
> user-space.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> include/net/netfilter/nf_conntrack.h | 4 ++++
> include/uapi/linux/netfilter/nfnetlink_conntrack.h | 1 +
> net/netfilter/nf_conntrack_core.c | 20 ++++++++++++++++++++
> net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++++--
> 4 files changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index 644d9c2..d172fc5 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -180,6 +180,10 @@ extern struct nf_conntrack_tuple_hash *
> __nf_conntrack_find(struct net *net, u16 zone,
> const struct nf_conntrack_tuple *tuple);
>
> +struct nf_conntrack_tuple_hash *
> +nf_ct_unconfirmed_find(struct net *net, u16 zone,
> + const struct nf_conntrack_tuple *tuple);
> +
> extern int nf_conntrack_hash_check_insert(struct nf_conn *ct);
> extern void nf_ct_delete_from_lists(struct nf_conn *ct);
> extern void nf_ct_dying_timeout(struct nf_conn *ct);
> diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> index 08fabc6..8f7c2fe 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> @@ -187,6 +187,7 @@ enum ctattr_expect {
> CTA_EXPECT_CLASS,
> CTA_EXPECT_NAT,
> CTA_EXPECT_FN,
> + CTA_EXPECT_MASTER_STATUS,
> __CTA_EXPECT_MAX
> };
> #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index ebb81d6..a6e5764 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -401,6 +401,26 @@ nf_conntrack_find_get(struct net *net, u16 zone,
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_find_get);
>
> +struct nf_conntrack_tuple_hash *
> +nf_ct_unconfirmed_find(struct net *net, u16 zone,
> + const struct nf_conntrack_tuple *tuple)
> +{
> + struct nf_conntrack_tuple_hash *h, *ret = NULL;
> + struct hlist_nulls_node *n;
> +
> + rcu_read_lock();
> + hlist_nulls_for_each_entry_rcu(h, n, &net->ct.unconfirmed, hnnode) {
> + if (nf_ct_tuple_equal(tuple, &h->tuple) &&
> + nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) {
> + ret = h;
Shouldn't we take a reference on nf_ct_tuplehash_to_ctrack(h) here?
ctnetlink_create_expect will eventually call nf_ct_put() to release that reference.
Or am I missing something?
> + break;
> + }
> + }
> + rcu_read_unlock();
> + return ret;
> +}
> +EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_find);
> +
> static void __nf_conntrack_hash_insert(struct nf_conn *ct,
> unsigned int hash,
> unsigned int repl_hash)
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 6d0f8a1..3596682 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2742,7 +2742,7 @@ ctnetlink_create_expect(struct net *net, u16 zone,
> struct nf_conn *ct;
> struct nf_conn_help *help;
> struct nf_conntrack_helper *helper = NULL;
> - u_int32_t class = 0;
> + u_int32_t class = 0, master_status;
> int err = 0;
>
> /* caller guarantees that those three CTA_EXPECT_* exist */
> @@ -2756,8 +2756,18 @@ ctnetlink_create_expect(struct net *net, u16 zone,
> if (err < 0)
> return err;
>
> + if (cda[CTA_EXPECT_MASTER_STATUS]) {
> + master_status =
> + ntohl(nla_get_be32(cda[CTA_EXPECT_MASTER_STATUS]));
> + } else
> + master_status = IPS_CONFIRMED;
> +
> /* Look for master conntrack of this expectation */
> - h = nf_conntrack_find_get(net, zone, &master_tuple);
> + if (master_status & IPS_CONFIRMED)
> + h = nf_conntrack_find_get(net, zone, &master_tuple);
> + else
> + h = nf_ct_unconfirmed_find(net, zone, &master_tuple);
> +
> if (!h)
> return -ENOENT;
> ct = nf_ct_tuplehash_to_ctrack(h);
>
* Re: [PATCH 2/3] netfilter: don't panic on error while walking through the init path
@ 2013-05-23 11:09 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-05-23 11:09 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel
On Thu, May 23, 2013 at 04:50:48PM +0800, Gao feng wrote:
> On 05/23/2013 04:42 PM, Pablo Neira Ayuso wrote:
> > Don't panic if we hit an error while adding the nf_log or pernet
> > netfilter support, just bail out.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
>
> Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Applied.
* Re: [PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation
@ 2013-05-23 11:09 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-05-23 11:09 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel
On Thu, May 23, 2013 at 04:59:12PM +0800, Gao feng wrote:
> On 05/23/2013 04:42 PM, Pablo Neira Ayuso wrote:
> > This target has been superseded by NFLOG. Spot a warning
> > so we prepare removal in a couple of years.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> > include/net/netns/x_tables.h | 6 ++++++
> > net/bridge/netfilter/ebt_ulog.c | 6 ++++++
> > net/ipv4/netfilter/Kconfig | 2 +-
> > net/ipv4/netfilter/ipt_ULOG.c | 6 ++++++
> > 4 files changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
> > index c24060e..02fe40f 100644
> > --- a/include/net/netns/x_tables.h
> > +++ b/include/net/netns/x_tables.h
> > @@ -15,5 +15,11 @@ struct netns_xt {
> > struct ebt_table *frame_filter;
> > struct ebt_table *frame_nat;
> > #endif
> > +#if IS_ENABLED(CONFIG_IP_NF_TARGET_ULOG)
> > + bool ulog_warn_deprecated;
> > +#endif
> > +#if IS_ENABLED(CONFIG_BRIDGE_EBT_ULOG)
> > + bool ebt_ulog_warn_deprecated;
> > +#endif
> > };
> > #endif
> > diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
> > index fc1905c..bfc40c7 100644
> > --- a/net/bridge/netfilter/ebt_ulog.c
> > +++ b/net/bridge/netfilter/ebt_ulog.c
> > @@ -267,6 +267,12 @@ static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
> > {
> > struct ebt_ulog_info *uloginfo = par->targinfo;
> >
> > + if (!par->net->nf.ebt_ulog_warn_deprecated) {
>
> par->net->xt.ebt_ulog_warn_deprecated?
Fixed and applied, thanks.