On Tue, Mar 24, 2015 at 04:30:29PM +0100, Daniel Borkmann wrote:
> diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
> index 7198d66..cd2468d 100644
> --- a/net/netfilter/xt_cgroup.c
> +++ b/net/netfilter/xt_cgroup.c
> @@ -16,8 +16,11 @@
> #include <linux/module.h>
> #include <linux/netfilter/x_tables.h>
> #include <linux/netfilter/xt_cgroup.h>
> +
> #include <net/sock.h>
>
> +#include "xt_sk_helper.h"
> +
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Daniel Borkmann <dborkman@xxxxxxxxxx>");
> MODULE_DESCRIPTION("Xtables: process control group matching");
> @@ -34,38 +37,85 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
> return 0;
> }
>
> -static bool
> -cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
> +static bool cgroup_mt(const struct sk_buff *skb,
> + const struct xt_action_param *par,
> + struct sock *(*cgroup_mt_slow)(const struct sk_buff *skb,
> + const struct net_device *indev))
> {
> const struct xt_cgroup_info *info = par->matchinfo;
> + struct sock *sk = skb->sk;
> + u32 sk_classid;
> +
> + if (sk) {
> + sk_classid = sk->sk_classid;
> + } else {
> + if (par->in != NULL)
> + sk = cgroup_mt_slow(skb, par->in);
Is this working with timewait sock?
> + if (sk == NULL)
> + return false;
> +
> + sk_classid = sk->sk_classid;
> + sock_gen_put(sk);
> + }
> +
> + return (info->id == sk_classid) ^ info->invert;
> +}
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html