From: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>

Check at runtime that CT tracking is enabled, and force it to be enabled if not. This is in preparation for deprecating CONFIG_NF_CT_ACCT.

Signed-off-by: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
---
 net/netfilter/xt_connbytes.c | 13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 7351783..d703355 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -21,7 +21,7 @@ static bool
 connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 const struct xt_connbytes_info *sinfo = par->matchinfo;
- const struct nf_conn *ct;
+ struct nf_conn *ct;
 enum ip_conntrack_info ctinfo;
 u_int64_t what = 0; /* initialize to make gcc happy */
 u_int64_t bytes = 0;
@@ -32,6 +32,17 @@ connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
 if (!ct)
 return false;
 
+ /*
+ * This filter cannot function correctly unless connection tracking
+ * accounting is enabled, so complain about it until someone notices.
+ * It _should_ only print one warning message.
+ */
+ if (unlikely(nf_ct_acct_enabled(ct) == false)) {
+ if (net_ratelimit())
+ pr_warning("ipt_connbytes: Force enabling CT accounting\n");
+ nf_ct_set_acct(ct, true);
+ }
+
 counters = nf_conn_acct_find(ct);
 if (!counters)
 return false;
--
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
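Review bot: The forced enable sits in `connbytes_mt()`, the per-packet match path, so an accounting setting the administrator left off is flipped as a side effect of traffic rather than when the rule is installed, and the only trace is a rate-limited warning. Doing the check once in the match's checkentry hook would keep the packet path read-only and would let `ct` stay `const`, which the first hunk has to drop. `nf_conn_acct_find(ct)` is then called on the same conntrack; if the accounting extension is only attached when a conntrack is created (not visible in this hunk), flows that predate the enable still hit `return false`, so a byte-count rule silently does not apply to them, and the comment should say so, e.g. `/* Connections created before accounting was enabled have no counters and never match. */`. The comment's "only print one warning" depends on what `nf_ct_acct_enabled(ct)` actually reads, since `net_ratelimit()` only throttles, and `== false` would read better as `!nf_ct_acct_enabled(ct)`. The body of `connbytes_mt()` continues past the end of the hunk.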