On Fri, 19 Feb 2010 08:27:33 +0100 Patrick McHardy <kaber@xxxxxxxxx> wrote: > Eric Dumazet wrote: > > On Friday 19 February 2010 at 08:06 +0100, Patrick McHardy wrote: > >> netfilter: restore POST_ROUTING hook in NF_HOOK_COND > >> > >> Commit 2249065 ("netfilter: get rid of the grossness in netfilter.h") > >> inverted the logic for conditional hook invocation, breaking the > >> POST_ROUTING hook invoked by ip_output(). > >> > >> Correct the logic and remove an unnecessary initialization. > >> > >> Reported-by: Stephen Hemminger <shemminger@xxxxxxxxxx> > >> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx> > >> > >> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h > >> index 7007945..89341c3 100644 > >> --- a/include/linux/netfilter.h > >> +++ b/include/linux/netfilter.h 
> >> @@ -212,8 +212,9 @@ NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sk_buff *skb, > >> struct net_device *in, struct net_device *out, > >> int (*okfn)(struct sk_buff *), bool cond) > >> { > >> - int ret = 1; > >> - if (cond || > >> + int ret; > >> + > >> + if (!cond || > >> (ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN) == 1)) > >> ret = okfn(skb); > >> return ret; > > > > I don't quite get it > > > > Original code was : > > > > > > #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ > > ({int __ret; \ > > if ((cond) || (__ret = nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN)) == 1)\ > > __ret = (okfn)(skb); \ > > __ret;}) > > > > > > There was no condition inversion. > > Right, I quoted the wrong patch, it was actually broken in > 23f3733 ("netfilter: reduce NF_HOOK by one argument"), which > moved the cond check from nf_hook_thresh() to NF_HOOK_COND(). Yes, this fixes the problem I was seeing. Acked-by: Stephen Hemminger <shemminger@xxxxxxxxxx>
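Review bot: In the new condition of NF_HOOK_COND(), the closing parenthesis comes after `== 1`, so `ret` is assigned the result of the comparison (0 or 1) instead of the value returned by nf_hook_thresh(). Whenever the hook result is not 1, okfn() is skipped and the function returns 0, so whatever other value nf_hook_thresh() produced never reaches the caller. The macro quoted later in the thread grouped it as `(__ret = nf_hook_thresh(...)) == 1`; the same grouping is needed here, i.e. `((ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN)) == 1)`. Dropping the `= 1` initializer is fine on its own, since `ret` is assigned on both sides of the `||` before it is returned.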