[PATCH 1/2] netfilter: reset nf_trace in nf_reset

From: Gao feng
Date: 2013-03-22 5:48 UTC
To: netfilter-devel, netdev
Cc: Gao feng

We forgot to clear the nf_trace of sk_buff in nf_reset. When we use a veth device, this nf_trace information will be leaked from one net namespace to another net namespace.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/linux/skbuff.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 441f5bf..72b3967 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2641,6 +2641,9 @@ static inline void nf_reset(struct sk_buff *skb) nf_bridge_put(skb->nf_bridge); skb->nf_bridge = NULL; #endif +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) + skb->nf_trace = 0; +#endif } /* Note: This doesn't put any conntrack and bridge info in dst. */
-- 
1.7.11.7
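Review bot: the new `#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)` guard around `skb->nf_trace = 0;` in nf_reset must match the condition under which nf_trace is declared in struct sk_buff, otherwise a build with the TRACE target as a module would either fail to compile or silently skip the reset; the copy site in ip_copy_metadata still spells the same condition as `defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)` (converted in 2/2), which IS_ENABLED() is equivalent to, so the reset and the copy agree, but the commit message should say so. The message also names veth as the path by which the flag crosses namespaces but not which nf_reset caller performs the clearing on that crossing; naming that call site would let reviewers and backporters confirm the fix actually covers the described leak.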
[PATCH 2/2] netfilter: TRACE: use IS_ENABLE to replace if defined

From: Gao feng
Date: 2013-03-22 5:48 UTC
To: netfilter-devel, netdev
Cc: Gao feng

In order to reduce code, use IS_ENABLED to replace the if defined.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv4/ip_output.c           | 3 +--
 net/ipv4/netfilter/ip_tables.c | 6 ++----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 5e12dca..147abf5 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -430,8 +430,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) to->tc_index = from->tc_index; #endif nf_copy(to, from); -#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ - defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) to->nf_trace = from->nf_trace; #endif #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE) diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 3efcf87..1b433aa 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -182,8 +182,7 @@ ipt_get_target_c(const struct ipt_entry *e) return ipt_get_target((struct ipt_entry *)e); } -#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ - defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) static const char *const hooknames[] = { [NF_INET_PRE_ROUTING] = "PREROUTING", [NF_INET_LOCAL_IN] = "INPUT", 
@@ -361,8 +360,7 @@ ipt_do_table(struct sk_buff *skb, t = ipt_get_target(e); IP_NF_ASSERT(t->u.kernel.target); -#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ - defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) /* The packet is traced: log it */ if (unlikely(skb->nf_trace)) trace_packet(skb, hook, in, out,
-- 
1.7.11.7
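Review bot: in the ip_copy_metadata hunk, the context line immediately after the converted block, `#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)`, is exactly the pattern this patch replaces and could be converted to `#if IS_ENABLED(CONFIG_IP_VS)` in the same change; left as is, the two adjacent guards read as if the TRACE and IP_VS conditions were deliberately written in different styles. The commit message should also spell the macro as IS_ENABLED and state that it evaluates true for both the built-in and the module configuration, since that equivalence is what makes dropping the `_MODULE` symbol safe in all three hunks.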
Re: [PATCH 2/2] netfilter: TRACE: use IS_ENABLE to replace if defined

From: Pablo Neira Ayuso
Date: 2013-04-01 23:21 UTC
To: Gao feng
Cc: netfilter-devel, netdev

On Fri, Mar 22, 2013 at 01:48:42PM +0800, Gao feng wrote:
> In order to reduce code, use IS_ENABLED to replace the
> if defined.

Applied, thanks.
Re: [PATCH 1/2] netfilter: reset nf_trace in nf_reset

From: Pablo Neira Ayuso
Date: 2013-03-25 19:31 UTC
To: Gao feng
Cc: netfilter-devel, netdev

On Fri, Mar 22, 2013 at 01:48:41PM +0800, Gao feng wrote:
> We forgot to clear the nf_trace of sk_buff in nf_reset.
> When we use a veth device, this nf_trace information will
> be leaked from one net namespace to another net namespace.

Applied to the nf tree, thanks Gao.