Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Thu, Jul 21, 2016 at 12:51:17PM +0200, Florian Westphal wrote:
> > xt_connlabel is the only user so move it.
> >
> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> > ---
> > include/net/netfilter/nf_conntrack_labels.h | 2 --
> > net/netfilter/nf_conntrack_labels.c | 17 -----------------
> > net/netfilter/xt_connlabel.c | 29 ++++++++++++++++-------------
> > 3 files changed, 16 insertions(+), 32 deletions(-)
> >
> [...]
> > @@ -40,10 +32,21 @@ connlabel_mt(const struct sk_buff *skb, struct xt_action_param *par)
> > if (ct == NULL || nf_ct_is_untracked(ct))
> > return invert;
> >
> > - if (info->options & XT_CONNLABEL_OP_SET)
> > - return (nf_connlabel_set(ct, info->bit) == 0) ^ invert;
> > + labels = nf_ct_labels_find(ct);
> > + if (!labels)
> > + return invert;
> > +
> > + if (test_bit(info->bit, labels->bits))
> > + return !invert;
> > +
> > + if (info->options & XT_CONNLABEL_OP_SET) {
> > + if (!test_and_set_bit(info->bit, labels->bits))
> > + nf_conntrack_event_cache(IPCT_LABEL, ct);
> > +
> > + return !invert;
> > + }
>
> This patch inverts the existing logic, right? So this is first testing
> for the bit, then setting it.

No, this should have no user-visible change (if it does that's a bug);
nf_connlabel_set() also had a test_bit().

The only change after the patches are applied is that if we have a valid
conntrack with the extension present then a set op will always succeed
(before we had to test if the label->bit[] area was large enough).
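Review bot: the commit message should say that the early `test_bit(info->bit, labels->bits)` placed before the `XT_CONNLABEL_OP_SET` branch reproduces the check nf_connlabel_set() already did, and that dropping the size check on the label->bit[] area is the one intended behaviour change (a set op on a conntrack that has the extension now always succeeds); as written, "xt_connlabel is the only user so move it" leaves the hunk reading as if match-before-set were new logic, which is exactly the question it raised. It is also worth stating in the message that when `nf_ct_labels_find(ct)` returns NULL both the test and the set path fall through to `return invert`, so a set op on a conntrack without the extension is reported as a non-match rather than an error, matching the old `(nf_connlabel_set(...) == 0) ^ invert` result.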