You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
143 lines
3.4 KiB
143 lines
3.4 KiB
7 years ago
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
Date: Fri, 3 Nov 2017 16:26:32 +0100
|
||
|
Subject: [PATCH] netfilter: conntrack: move nf_ct_netns_{get,put}() to core
|
||
|
|
||
|
So we can call this from other expression that need conntrack in place
|
||
|
to work.
|
||
|
|
||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
Acked-by: Florian Westphal <fw@strlen.de>
|
||
|
---
|
||
|
|
||
|
--- a/net/netfilter/nf_conntrack_proto.c
|
||
|
+++ b/net/netfilter/nf_conntrack_proto.c
|
||
|
@@ -125,7 +125,7 @@ void nf_ct_l3proto_module_put(unsigned s
|
||
|
}
|
||
|
EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
|
||
|
|
||
|
-int nf_ct_netns_get(struct net *net, u8 nfproto)
|
||
|
+static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
|
||
|
{
|
||
|
const struct nf_conntrack_l3proto *l3proto;
|
||
|
int ret;
|
||
|
@@ -150,9 +150,33 @@ int nf_ct_netns_get(struct net *net, u8
|
||
|
|
||
|
return ret;
|
||
|
}
|
||
|
+
|
||
|
+int nf_ct_netns_get(struct net *net, u8 nfproto)
|
||
|
+{
|
||
|
+ int err;
|
||
|
+
|
||
|
+ if (nfproto == NFPROTO_INET) {
|
||
|
+ err = nf_ct_netns_do_get(net, NFPROTO_IPV4);
|
||
|
+ if (err < 0)
|
||
|
+ goto err1;
|
||
|
+ err = nf_ct_netns_do_get(net, NFPROTO_IPV6);
|
||
|
+ if (err < 0)
|
||
|
+ goto err2;
|
||
|
+ } else {
|
||
|
+ err = nf_ct_netns_do_get(net, nfproto);
|
||
|
+ if (err < 0)
|
||
|
+ goto err1;
|
||
|
+ }
|
||
|
+ return 0;
|
||
|
+
|
||
|
+err2:
|
||
|
+ nf_ct_netns_put(net, NFPROTO_IPV4);
|
||
|
+err1:
|
||
|
+ return err;
|
||
|
+}
|
||
|
EXPORT_SYMBOL_GPL(nf_ct_netns_get);
|
||
|
|
||
|
-void nf_ct_netns_put(struct net *net, u8 nfproto)
|
||
|
+static void nf_ct_netns_do_put(struct net *net, u8 nfproto)
|
||
|
{
|
||
|
const struct nf_conntrack_l3proto *l3proto;
|
||
|
|
||
|
@@ -171,6 +195,15 @@ void nf_ct_netns_put(struct net *net, u8
|
||
|
|
||
|
nf_ct_l3proto_module_put(nfproto);
|
||
|
}
|
||
|
+
|
||
|
+void nf_ct_netns_put(struct net *net, uint8_t nfproto)
|
||
|
+{
|
||
|
+ if (nfproto == NFPROTO_INET) {
|
||
|
+ nf_ct_netns_do_put(net, NFPROTO_IPV4);
|
||
|
+ nf_ct_netns_do_put(net, NFPROTO_IPV6);
|
||
|
+ } else
|
||
|
+ nf_ct_netns_do_put(net, nfproto);
|
||
|
+}
|
||
|
EXPORT_SYMBOL_GPL(nf_ct_netns_put);
|
||
|
|
||
|
const struct nf_conntrack_l4proto *
|
||
|
--- a/net/netfilter/nft_ct.c
|
||
|
+++ b/net/netfilter/nft_ct.c
|
||
|
@@ -312,39 +312,6 @@ static const struct nla_policy nft_ct_po
|
||
|
[NFTA_CT_SREG] = { .type = NLA_U32 },
|
||
|
};
|
||
|
|
||
|
-static int nft_ct_netns_get(struct net *net, uint8_t family)
|
||
|
-{
|
||
|
- int err;
|
||
|
-
|
||
|
- if (family == NFPROTO_INET) {
|
||
|
- err = nf_ct_netns_get(net, NFPROTO_IPV4);
|
||
|
- if (err < 0)
|
||
|
- goto err1;
|
||
|
- err = nf_ct_netns_get(net, NFPROTO_IPV6);
|
||
|
- if (err < 0)
|
||
|
- goto err2;
|
||
|
- } else {
|
||
|
- err = nf_ct_netns_get(net, family);
|
||
|
- if (err < 0)
|
||
|
- goto err1;
|
||
|
- }
|
||
|
- return 0;
|
||
|
-
|
||
|
-err2:
|
||
|
- nf_ct_netns_put(net, NFPROTO_IPV4);
|
||
|
-err1:
|
||
|
- return err;
|
||
|
-}
|
||
|
-
|
||
|
-static void nft_ct_netns_put(struct net *net, uint8_t family)
|
||
|
-{
|
||
|
- if (family == NFPROTO_INET) {
|
||
|
- nf_ct_netns_put(net, NFPROTO_IPV4);
|
||
|
- nf_ct_netns_put(net, NFPROTO_IPV6);
|
||
|
- } else
|
||
|
- nf_ct_netns_put(net, family);
|
||
|
-}
|
||
|
-
|
||
|
#ifdef CONFIG_NF_CONNTRACK_ZONES
|
||
|
static void nft_ct_tmpl_put_pcpu(void)
|
||
|
{
|
||
|
@@ -489,7 +456,7 @@ static int nft_ct_get_init(const struct
|
||
|
if (err < 0)
|
||
|
return err;
|
||
|
|
||
|
- err = nft_ct_netns_get(ctx->net, ctx->afi->family);
|
||
|
+ err = nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||
|
if (err < 0)
|
||
|
return err;
|
||
|
|
||
|
@@ -583,7 +550,7 @@ static int nft_ct_set_init(const struct
|
||
|
if (err < 0)
|
||
|
goto err1;
|
||
|
|
||
|
- err = nft_ct_netns_get(ctx->net, ctx->afi->family);
|
||
|
+ err = nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||
|
if (err < 0)
|
||
|
goto err1;
|
||
|
|
||
|
@@ -606,7 +573,7 @@ static void nft_ct_set_destroy(const str
|
||
|
struct nft_ct *priv = nft_expr_priv(expr);
|
||
|
|
||
|
__nft_ct_set_destroy(ctx, priv);
|
||
|
- nft_ct_netns_put(ctx->net, ctx->afi->family);
|
||
|
+ nf_ct_netns_put(ctx->net, ctx->afi->family);
|
||
|
}
|
||
|
|
||
|
static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
|