Hi Pablo,

here's a possible fix for xt_cgroups that was previously reported by Daniel Mack. The first patch refactors common helpers, which is later on being used by the actual fix. Please see individual patches for more details.

I have based the changes on nf-next as they're rather big, they are, however, on top of Eric's a94070000388 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV support") from net-next to avoid ugly merge conflicts in xt_socket. If you nevertheless think it's more suited for nf, or I should ignore the above conflicting commit, I'd be happy to rebase.

Thanks a lot!

Daniel Borkmann (2):
  netfilter: x_tables: refactor lookup helpers from xt_socket
  netfilter: x_tables: fix NF_INET_LOCAL_IN sk lookups

 net/netfilter/Kconfig        |   5 +
 net/netfilter/xt_cgroup.c    |  86 ++++++++++---
 net/netfilter/xt_sk_helper.h | 282 +++++++++++++++++++++++++++++++++++++++++
 net/netfilter/xt_socket.c    | 293 +++---------------------------------------
 4 files changed, 373 insertions(+), 293 deletions(-)
 create mode 100644 net/netfilter/xt_sk_helper.h

--
1.9.3