This patch enables to check GLUE_CT is enabled or not when NFQA_CFG_F_CONNTRACK config flag is received. And try to load nf_conntrack_netlink module, and l3proto module if family is specified. Then returns error either case is failed. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@xxxxxxxxxxxxx> --- net/netfilter/nfnetlink_queue.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a659e57..99c9c8c 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -34,6 +34,7 @@ #include <net/tcp_states.h> #include <net/netfilter/nf_queue.h> #include <net/netns/generic.h> +#include <net/netfilter/nf_conntrack.h> #include <linux/atomic.h> @@ -1225,6 +1226,24 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, goto err_out_unlock; } #endif + if (flags & mask & NFQA_CFG_F_CONNTRACK) { + if (!rcu_access_pointer(nfnl_ct_hook)) +#ifdef CONFIG_MODULES + if (request_module("ip_conntrack_netlink") || + !rcu_access_pointer(nfnl_ct_hook)) +#endif + { + ret = -EOPNOTSUPP; + goto err_out_unlock; + } + + if (nfmsg->nfgen_family && + nf_ct_l3proto_try_module_get(nfmsg->nfgen_family)) { + ret = -EPROTONOSUPPORT; + goto err_out_unlock; + } + } + spin_lock_bh(&queue->lock); queue->flags &= ~mask; queue->flags |= flags & mask; -- 1.7.10.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
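Review bot: The added `nf_ct_l3proto_try_module_get(nfmsg->nfgen_family)` call takes a module reference every time a config message sets NFQA_CFG_F_CONNTRACK with a non-zero family, and none of the 19 inserted lines releases it, so repeated config requests can keep the l3proto module pinned. Take the reference only when the flag goes from clear to set, remember the family on the queue instance, and drop it with `nf_ct_l3proto_module_put()` when the flag is cleared or the instance is destroyed. Separately, `request_module()` can sleep, and the `err_out_unlock` label suggests this branch runs under a lock taken outside the hunk (presumably `rcu_read_lock()`; confirm), in which case the module load has to happen before that lock is taken or after it is dropped. The unbraced `if (!rcu_access_pointer(nfnl_ct_hook))` wrapped around `#ifdef CONFIG_MODULES` is also easy to misread; a small helper that reports whether `nfnl_ct_hook` is available would make both build variants explicit. nfqnl_recv_config() starts and ends outside the hunk.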