Strona główna Odkrywaj Pomoc
Zaloguj się
GfA
/
linux_kernel
5
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Przeglądaj źródła

netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions

so that conntrack core will add the needed hooks in this namespace.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal 8 lat temu
rodzic
a357b3f80b
commit
20afd42397
7 zmienionych plików z 40 dodań i 3 usunięć
Zunifikowany widok Pokaż statystyki zmian
  1. 7 0
      net/ipv4/netfilter/nft_masq_ipv4.c
  2. 7 0
      net/ipv4/netfilter/nft_redir_ipv4.c
  3. 7 0
      net/ipv6/netfilter/nft_masq_ipv6.c
  4. 7 0
      net/ipv6/netfilter/nft_redir_ipv6.c
  5. 1 1
      net/netfilter/nft_masq.c
  6. 10 1
      net/netfilter/nft_nat.c
  7. 1 1
      net/netfilter/nft_redir.c

+ 7 - 0
net/ipv4/netfilter/nft_masq_ipv4.c
Wyświetl plik 

@@ -35,12 +35,19 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
 
 						    &range, nft_out(pkt));
 
 						    &range, nft_out(pkt));
 
 }
 
 }
 
 
 
+static void
 
+nft_masq_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 
+{
 
+	nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
 
+}
 
+
 
 static struct nft_expr_type nft_masq_ipv4_type;
 
 static struct nft_expr_type nft_masq_ipv4_type;
 
 static const struct nft_expr_ops nft_masq_ipv4_ops = {
 
 static const struct nft_expr_ops nft_masq_ipv4_ops = {
 
 	.type		= &nft_masq_ipv4_type,
 
 	.type		= &nft_masq_ipv4_type,
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_masq)),
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_masq)),
 
 	.eval		= nft_masq_ipv4_eval,
 
 	.eval		= nft_masq_ipv4_eval,
 
 	.init		= nft_masq_init,
 
 	.init		= nft_masq_init,
 
+	.destroy	= nft_masq_ipv4_destroy,
 
 	.dump		= nft_masq_dump,
 
 	.dump		= nft_masq_dump,
 
 	.validate	= nft_masq_validate,
 
 	.validate	= nft_masq_validate,
 
 };
 
 };

+ 7 - 0
net/ipv4/netfilter/nft_redir_ipv4.c
Wyświetl plik 

@@ -38,12 +38,19 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
 
 	regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, nft_hook(pkt));
 
 	regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, nft_hook(pkt));
 
 }
 
 }
 
 
 
+static void
 
+nft_redir_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 
+{
 
+	nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
 
+}
 
+
 
 static struct nft_expr_type nft_redir_ipv4_type;
 
 static struct nft_expr_type nft_redir_ipv4_type;
 
 static const struct nft_expr_ops nft_redir_ipv4_ops = {
 
 static const struct nft_expr_ops nft_redir_ipv4_ops = {
 
 	.type		= &nft_redir_ipv4_type,
 
 	.type		= &nft_redir_ipv4_type,
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_redir)),
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_redir)),
 
 	.eval		= nft_redir_ipv4_eval,
 
 	.eval		= nft_redir_ipv4_eval,
 
 	.init		= nft_redir_init,
 
 	.init		= nft_redir_init,
 
+	.destroy	= nft_redir_ipv4_destroy,
 
 	.dump		= nft_redir_dump,
 
 	.dump		= nft_redir_dump,
 
 	.validate	= nft_redir_validate,
 
 	.validate	= nft_redir_validate,
 
 };
 
 };

+ 7 - 0
net/ipv6/netfilter/nft_masq_ipv6.c
Wyświetl plik 

@@ -36,12 +36,19 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
 
 						    nft_out(pkt));
 
 						    nft_out(pkt));
 
 }
 
 }
 
 
 
+static void
 
+nft_masq_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 
+{
 
+	nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
 
+}
 
+
 
 static struct nft_expr_type nft_masq_ipv6_type;
 
 static struct nft_expr_type nft_masq_ipv6_type;
 
 static const struct nft_expr_ops nft_masq_ipv6_ops = {
 
 static const struct nft_expr_ops nft_masq_ipv6_ops = {
 
 	.type		= &nft_masq_ipv6_type,
 
 	.type		= &nft_masq_ipv6_type,
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_masq)),
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_masq)),
 
 	.eval		= nft_masq_ipv6_eval,
 
 	.eval		= nft_masq_ipv6_eval,
 
 	.init		= nft_masq_init,
 
 	.init		= nft_masq_init,
 
+	.destroy	= nft_masq_ipv6_destroy,
 
 	.dump		= nft_masq_dump,
 
 	.dump		= nft_masq_dump,
 
 	.validate	= nft_masq_validate,
 
 	.validate	= nft_masq_validate,
 
 };
 
 };

+ 7 - 0
net/ipv6/netfilter/nft_redir_ipv6.c
Wyświetl plik 

@@ -39,12 +39,19 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
 
 		nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
 
 		nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
 
 }
 
 }
 
 
 
+static void
 
+nft_redir_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 
+{
 
+	nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
 
+}
 
+
 
 static struct nft_expr_type nft_redir_ipv6_type;
 
 static struct nft_expr_type nft_redir_ipv6_type;
 
 static const struct nft_expr_ops nft_redir_ipv6_ops = {
 
 static const struct nft_expr_ops nft_redir_ipv6_ops = {
 
 	.type		= &nft_redir_ipv6_type,
 
 	.type		= &nft_redir_ipv6_type,
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_redir)),
 
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_redir)),
 
 	.eval		= nft_redir_ipv6_eval,
 
 	.eval		= nft_redir_ipv6_eval,
 
 	.init		= nft_redir_init,
 
 	.init		= nft_redir_init,
 
+	.destroy	= nft_redir_ipv6_destroy,
 
 	.dump		= nft_redir_dump,
 
 	.dump		= nft_redir_dump,
 
 	.validate	= nft_redir_validate,
 
 	.validate	= nft_redir_validate,
 
 };
 
 };

+ 1 - 1
net/netfilter/nft_masq.c
Wyświetl plik 

@@ -77,7 +77,7 @@ int nft_masq_init(const struct nft_ctx *ctx,
 
 		}
 
 		}
 
 	}
 
 	}
 
 
 
-	return 0;
 
+	return nf_ct_netns_get(ctx->net, ctx->afi->family);
 
 }
 
 }
 
 EXPORT_SYMBOL_GPL(nft_masq_init);
 
 EXPORT_SYMBOL_GPL(nft_masq_init);

+ 10 - 1
net/netfilter/nft_nat.c
Wyświetl plik 

@@ -209,7 +209,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 
 			return -EINVAL;
 
 			return -EINVAL;
 
 	}
 
 	}
 
 
 
-	return 0;
 
+	return nf_ct_netns_get(ctx->net, family);
 
 }
 
 }
 
 
 
 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
 
 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
 
@@ -257,12 +257,21 @@ nla_put_failure:
 
 	return -1;
 
 	return -1;
 
 }
 
 }
 
 
 
+static void
 
+nft_nat_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 
+{
 
+	const struct nft_nat *priv = nft_expr_priv(expr);
 
+
 
+	nf_ct_netns_put(ctx->net, priv->family);
 
+}
 
+
 
 static struct nft_expr_type nft_nat_type;
 
 static struct nft_expr_type nft_nat_type;
 
 static const struct nft_expr_ops nft_nat_ops = {
 
 static const struct nft_expr_ops nft_nat_ops = {
 
 	.type           = &nft_nat_type,
 
 	.type           = &nft_nat_type,
 
 	.size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
 
 	.size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
 
 	.eval           = nft_nat_eval,
 
 	.eval           = nft_nat_eval,
 
 	.init           = nft_nat_init,
 
 	.init           = nft_nat_init,
 
+	.destroy        = nft_nat_destroy,
 
 	.dump           = nft_nat_dump,
 
 	.dump           = nft_nat_dump,
 
 	.validate	= nft_nat_validate,
 
 	.validate	= nft_nat_validate,
 
 };
 
 };

+ 1 - 1
net/netfilter/nft_redir.c
Wyświetl plik 

@@ -79,7 +79,7 @@ int nft_redir_init(const struct nft_ctx *ctx,
 
 			return -EINVAL;
 
 			return -EINVAL;
 
 	}
 
 	}
 
 
 
-	return 0;
 
+	return nf_ct_netns_get(ctx->net, ctx->afi->family);
 
 }
 
 }
 
 EXPORT_SYMBOL_GPL(nft_redir_init);
 
 EXPORT_SYMBOL_GPL(nft_redir_init);