Eric Dumazet wrote:
> Le vendredi 19 février 2010 à 08:06 +0100, Patrick McHardy a écrit :
>> netfilter: restore POST_ROUTING hook in NF_HOOK_COND
>>
>> Commit 2249065 ("netfilter: get rid of the grossness in netfilter.h")
>> inverted the logic for conditional hook invocation, breaking the
>> POST_ROUTING hook invoked by ip_output().
>>
>> Correct the logic and remove an unnecessary initialization.
>>
>> Reported-by: Stephen Hemminger <shemminger@xxxxxxxxxx>
>> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
>>
>> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
>> index 7007945..89341c3 100644
>> --- a/include/linux/netfilter.h
>> +++ b/include/linux/netfilter.h
>> @@ -212,8 +212,9 @@ NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sk_buff *skb,
>> struct net_device *in, struct net_device *out,
>> int (*okfn)(struct sk_buff *), bool cond)
>> {
>> - int ret = 1;
>> - if (cond ||
>> + int ret;
>> +
>> + if (!cond ||
>> (ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN) == 1))
>> ret = okfn(skb);
>> return ret;
>
> I dont quite get it
>
> Original code was :
>
>
> #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
> ({int __ret; \
> if ((cond) || (__ret = nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN)) == 1)\
> __ret = (okfn)(skb); \
> __ret;})
>
>
> There was no condition inversion.
Right, I quoted the wrong patch, it was actually broken in
23f3733 ("netfilter: reduce NF_HOOK by one argument"), which
moved the cond check from nf_hook_thresh() to NF_HOOK_COND().
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
