Re: [resend net-next] socket: Added 'transparent' option

Laszlo Attila Toth wrote:
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,8 @@
+#ifndef _XT_SOCKET_H_match
+#define _XT_SOCKET_H_match
+
+struct xt_socket_match_info1 {
+	__u8 transparent;
+};
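
Review bot: `struct xt_socket_match_info1` uses `__u8`, but none of the quoted lines of this new header includes `<linux/types.h>`; including it here would keep the header self-contained instead of relying on whatever the includer pulled in first. The guard name `_XT_SOCKET_H_match` also mixes case, and an all-uppercase guard would be more conventional.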

Please use a bitmask.

 static bool
-socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+	     bool check_transparent)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
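
Review bot: the `bool check_transparent` argument added to the `socket_match()` signature is an undocumented flag parameter. A short comment above the function stating that it controls whether `par->matchinfo` is read as a `struct xt_socket_match_info1` would make the contract clear to callers.
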
@@ -142,10 +145,22 @@ socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				   saddr, daddr, sport, dport, par->in, false);
 	if (sk != NULL) {
 		bool wildcard = (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->rcv_saddr == 0);
+		bool transparent = (sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				   (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent);
+		const struct xt_socket_match_info1 *info = NULL;

This is not particularly well readable. Please do the initializations
separately from the definitions.

+
+		if (check_transparent)
+			info = par->matchinfo;

How about just passing par->matchinfo to socket_match()?

 		nf_tproxy_put_sock(sk);
+
 		if (wildcard)
 			sk = NULL;
+		else if (check_transparent && info->transparent &&
+			 !transparent)
+			sk = NULL;
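
Review bot: the final `else if` dereferences `info`, which is non-NULL only because the earlier `if (check_transparent)` assigned it, so the safety of `info->transparent` depends on two separate tests staying in sync. Testing `info` itself in that branch would make the guard explicit. The `transparent` initializer also checks `sk->sk_state` twice with complementary conditions; an if/else on `sk->sk_state == TCP_TIME_WAIT` choosing between `inet_twsk(sk)->tw_transparent` and `inet_sk(sk)->transparent` would be easier to verify.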

Please add a comment what this is doing exactly. And why do the lookup
at all in this case?