tim.gardner@xxxxxxxxxxxxx wrote:
From: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
Check at runtime that CT tracking is enabled, and force it
to be enabled if not.
This is in preparation for deprecating CONFIG_NF_CT_ACCT.
Signed-off-by: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
---
net/netfilter/xt_connbytes.c | 13 ++++++++++++-
1 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 7351783..d703355 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -21,7 +21,7 @@ static bool
connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_connbytes_info *sinfo = par->matchinfo;
- const struct nf_conn *ct;
+ struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
u_int64_t what = 0; /* initialize to make gcc happy */
u_int64_t bytes = 0;
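Review bot: Dropping const from ct in connbytes_mt() means the per-packet match path is now allowed to modify the conntrack entry, which is unusual for a match function and is only needed for the nf_ct_set_acct(ct, true) call added further down. If the accounting check is done outside the match path, "const struct nf_conn *ct;" can stay as it was and this hunk is not needed.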
@@ -32,6 +32,17 @@ connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (!ct)
return false;
+ /*
+ * This filter cannot function correctly unless connection tracking
+ * accounting is enabled, so complain about it until someone notices.
+ * It _should_ only print one warning message.
+ */
+ if (unlikely(nf_ct_acct_enabled(ct) == false)) {
+ if (net_ratelimit())
+ pr_warning("ipt_connbytes: Force enabling CT accounting\n");
+ nf_ct_set_acct(ct, true);
+ }
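Review bot: The added comment says the code "_should_ only print one warning message", but nothing in the block guarantees that: net_ratelimit() throttles the message rather than limiting it to one, and the test takes ct, so it is evaluated again for every conntrack entry that reaches connbytes_mt(). The same comment also says "complain about it until someone notices", which contradicts the one-message claim, so please make the comment match the actual behaviour or use a one-shot warning. Smaller points: "nf_ct_acct_enabled(ct) == false" reads better as "!nf_ct_acct_enabled(ct)", and the message prefix "ipt_connbytes" does not match the file name xt_connbytes.c.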
This should be checked once the rule is added in ->checkentry(),
not once for every packet.