[PATCH 7/6] netfilter: nft_ct: load both IPv4 and IPv6 conntrack modules for NFPROTO_INET

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH 7/6] netfilter: nft_ct: load both IPv4 and IPv6 conntrack modules for NFPROTO_INET
Date: Mon, 6 Jan 2014 18:09:49 +0000	[thread overview]
Message-ID: <20140106180948.GB27979@macbook.localnet> (raw)
In-Reply-To: <1388751378-23272-1-git-send-email-kaber@trash.net>

commit 71bcc5bde767f1a6da04391b0d9595f30e3f720b
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 6 17:58:02 2014 +0000

    netfilter: nft_ct: load both IPv4 and IPv6 conntrack modules for NFPROTO_INET
    
    The ct expression can currently not be used in the inet family since
    we don't have a conntrack module for NFPROTO_INET, so
    nf_ct_l3proto_try_module_get() fails. Add some manual handling to
    load the modules for both NFPROTO_IPV4 and NFPROTO_IPV6 if the
    ct expression is used in the inet family.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 955f4e6..78bf57c 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -129,6 +129,39 @@ static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
 	[NFTA_CT_DIRECTION]	= { .type = NLA_U8 },
 };
 
+static int nft_ct_l3proto_try_module_get(uint8_t family)
+{
+	int err;
+
+	if (family == NFPROTO_INET) {
+		err = nf_ct_l3proto_try_module_get(NFPROTO_IPV4);
+		if (err < 0)
+			goto err1;
+		err = nf_ct_l3proto_try_module_get(NFPROTO_IPV6);
+		if (err < 0)
+			goto err2;
+	} else {
+		err = nf_ct_l3proto_try_module_get(family);
+		if (err < 0)
+			goto err1;
+	}
+	return 0;
+
+err2:
+	nf_ct_l3proto_module_put(NFPROTO_IPV4);
+err1:
+	return err;
+}
+
+static void nft_ct_l3proto_module_put(uint8_t family)
+{
+	if (family == NFPROTO_INET) {
+		nf_ct_l3proto_module_put(NFPROTO_IPV4);
+		nf_ct_l3proto_module_put(NFPROTO_IPV6);
+	} else
+		nf_ct_l3proto_module_put(family);
+}
+
 static int nft_ct_init(const struct nft_ctx *ctx,
 		       const struct nft_expr *expr,
 		       const struct nlattr * const tb[])
@@ -179,7 +212,7 @@ static int nft_ct_init(const struct nft_ctx *ctx,
 		return -EOPNOTSUPP;
 	}
 
-	err = nf_ct_l3proto_try_module_get(ctx->afi->family);
+	err = nft_ct_l3proto_try_module_get(ctx->afi->family);
 	if (err < 0)
 		return err;
 	priv->family = ctx->afi->family;
@@ -195,7 +228,7 @@ static int nft_ct_init(const struct nft_ctx *ctx,
 	return 0;
 
 err1:
-	nf_ct_l3proto_module_put(ctx->afi->family);
+	nft_ct_l3proto_module_put(ctx->afi->family);
 	return err;
 }
 
@@ -203,7 +236,7 @@ static void nft_ct_destroy(const struct nft_expr *expr)
 {
 	struct nft_ct *priv = nft_expr_priv(expr);
 
-	nf_ct_l3proto_module_put(priv->family);
+	nft_ct_l3proto_module_put(priv->family);
 }
 
 static int nft_ct_dump(struct sk_buff *skb, const struct nft_expr *expr)

next prev parent reply	other threads:[~2014-01-06 18:09 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-03 12:16 [RFC PATCH 0/6] netfilter: nf_tables: add mixed IPv4/IPv6 table support Patrick McHardy
2014-01-03 12:16 ` [PATCH 1/6] netfilter: nf_tables: make chain types override the default AF functions Patrick McHardy
2014-01-03 12:16 ` [PATCH 2/6] netfilter: nf_tables: add hook ops to struct nft_pktinfo Patrick McHardy
2014-01-03 12:16 ` [PATCH 3/6] netfilter: nf_tables: add support for multi family tables Patrick McHardy
2014-01-03 12:16 ` [PATCH 4/6] netfilter: nf_tables: add "inet" table for IPv4/IPv6 Patrick McHardy
2014-01-03 12:16 ` [PATCH 5/6] netfilter: nf_tables: add nfproto support to meta expression Patrick McHardy
2014-01-03 12:16 ` [PATCH 6/6] netfilter: nft_meta: add l4proto support Patrick McHardy
2014-01-05 20:39 ` [RFC PATCH 0/6] netfilter: nf_tables: add mixed IPv4/IPv6 table support Pablo Neira Ayuso
2014-01-05 21:02   ` Patrick McHardy
2014-01-06 18:09 ` Patrick McHardy [this message]
2014-01-07 23:03   ` [PATCH 7/6] netfilter: nft_ct: load both IPv4 and IPv6 conntrack modules for NFPROTO_INET Pablo Neira Ayuso
2014-01-07 23:03 ` [RFC PATCH 0/6] netfilter: nf_tables: add mixed IPv4/IPv6 table support Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:955f4e6 dfblob:78bf57c )
 OR (
bs:"[PATCH 7/6] netfilter: nft_ct: load both IPv4 and IPv6 conntrack modules for NFPROTO_INET" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140106180948.GB27979@macbook.localnet \
    --to=kaber@trash.net \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.