netfilter-devel.vger.kernel.org archive mirror
* [PATCH] netfilter: ctnetlink: don't add null bindings if no nat requested
@ 2014-04-28 19:07 Florian Westphal
  2014-04-29 19:03 ` Pablo Neira Ayuso
From: Florian Westphal @ 2014-04-28 19:07 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race
where nat initialisation can happen after ctnetlink-created conntrack
has been created.

However, it causes the nat module(s) to be loaded needlessly on
systems that are not using NAT.

Fortunately, we do not have to create null bindings in that case.

conntracks injected via ctnetlink always have the CONFIRMED bit set,
which prevents addition of the nat extension in nf_nat_ipv4/6_fn().

We only need to make sure that either no nat extension is added
or that we've created both src and dst manips.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ccc46fa..5857963 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
 #ifdef CONFIG_NF_NAT_NEEDED
 	int ret;
 
+	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
+		return 0;
+
 	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
 					cda[CTA_NAT_DST]);
 	if (ret < 0)
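Review bot: the early return `if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) return 0;` should carry a short comment in the code explaining why skipping the null bindings is safe here, namely that ctnetlink-created conntracks already have the CONFIRMED bit set so nf_nat_ipv4/6_fn() will not attach a nat extension afterwards; the reasoning lives only in the commit message, and without it in the source the race that commit 0eba801b64cc addressed is easy to reintroduce by a reader who sees the bindings as pointless. The comment should also spell out the other half of the invariant: when only one of the two attributes is present, the code that follows still calls ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, cda[CTA_NAT_DST]) even with that attribute absent, so the missing side gets its null binding and both manips end up created rather than just one.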
-- 
1.8.1.5



* Re: [PATCH] netfilter: ctnetlink: don't add null bindings if no nat requested
  2014-04-28 19:07 [PATCH] netfilter: ctnetlink: don't add null bindings if no nat requested Florian Westphal
@ 2014-04-29 19:03 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2014-04-29 19:03 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Mon, Apr 28, 2014 at 09:07:31PM +0200, Florian Westphal wrote:
> commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race
> where nat initialisation can happen after ctnetlink-created conntrack
> has been created.
> 
> However, it causes the nat module(s) to be loaded needlessly on
> systems that are not using NAT.
> 
> Fortunately, we do not have to create null bindings in that case.
> 
> conntracks injected via ctnetlink always have the CONFIRMED bit set,
> which prevents addition of the nat extension in nf_nat_ipv4/6_fn().
> 
> We only need to make sure that either no nat extension is added
> or that we've created both src and dst manips.

Thanks Florian, applied.

