On Thu, Jul 21, 2016 at 12:51:17PM +0200, Florian Westphal wrote:

> xt_connlabel is the only user so move it. > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > --- > include/net/netfilter/nf_conntrack_labels.h | 2 -- > net/netfilter/nf_conntrack_labels.c | 17 ----------------- > net/netfilter/xt_connlabel.c | 29 ++++++++++++++++------------- > 3 files changed, 16 insertions(+), 32 deletions(-) > [...] > @@ -40,10 +32,21 @@ connlabel_mt(const struct sk_buff *skb, struct xt_action_param *par) > if (ct == NULL || nf_ct_is_untracked(ct)) > return invert; > > - if (info->options & XT_CONNLABEL_OP_SET) > - return (nf_connlabel_set(ct, info->bit) == 0) ^ invert; > + labels = nf_ct_labels_find(ct); > + if (!labels) > + return invert; > + > + if (test_bit(info->bit, labels->bits)) > + return !invert; > + > + if (info->options & XT_CONNLABEL_OP_SET) { > + if (!test_and_set_bit(info->bit, labels->bits)) > + nf_conntrack_event_cache(IPCT_LABEL, ct); > + > + return !invert; > + }

This patch inverts the existing logic, right? So this is first testing for the bit, then setting it. Before this patch, I remember because of what we discussed wrt. the translation to nftables, was actually the opposite.
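Review bot: in connlabel_mt(), the new test_bit(info->bit, labels->bits) and test_and_set_bit(info->bit, labels->bits) calls index the label bitmap directly, and nothing in the visible hunk bounds info->bit against the size of labels->bits. The removed path went through nf_connlabel_set(ct, info->bit), whose body is not shown here, so if that helper carried a range check it is dropped by the move. Please either keep an explicit bound before the first test_bit() or say in the commit message where info->bit is validated (for example at rule check time), since the value comes from the rule's match info. Separately, the commit message describes this as a pure move, but the hunk also places the test_bit() return ahead of the XT_CONNLABEL_OP_SET branch; that ordering change should be stated and justified in the changelog.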