On Thu, May 04, 2017 at 02:34:17PM +0200, Phil Sutter wrote: > This allows user space to reliably match kernel generated handles with > added rules for reference. > > Signed-off-by: Phil Sutter <phil@xxxxxx> > --- > net/netfilter/nf_tables_api.c | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 1c6482d2c4dcf..71bce5d024409 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -2142,6 +2142,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > struct nft_userdata *udata; > struct nft_trans *trans = NULL; > struct nft_expr *expr; > + struct sk_buff *skb2; > struct nft_ctx ctx; > struct nlattr *tmp; > unsigned int size, i, n, ulen = 0, usize = 0; > @@ -2281,8 +2282,24 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > goto err3; > } > chain->use++; > - return 0; > > + skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); > + if (!skb2) { > + err = -ENOMEM; > + goto err4; > + } > + err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, > + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, > + nfmsg->nfgen_family, table, chain, rule); > + if (err < 0) > + goto err5; > + > + return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); You can achieve this already via NLM_F_ECHO.
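Review bot: the final "return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);" in the second hunk turns a failed delivery of the reply into the return value of nf_tables_newrule() without going through the err4/err5 unwinding, so "chain->use++" stays applied while the caller sees an error. Either treat the reply as best effort and return 0 regardless, or store the result in err and unwind on failure (without freeing skb2 a second time, since nlmsg_unicast() consumes it). The same applies in spirit to the alloc_skb() and nf_tables_fill_rule_info() failure paths: an -ENOMEM on the reply buffer now fails a rule add that had otherwise succeeded. The reply is also built and sent unconditionally for every new rule, with NLMSG_GOODSIZE allocated each time; it should be gated on the requester asking for it, and the flags argument passed as 0 to nf_tables_fill_rule_info() deserves a short comment saying why the request's flags are not echoed back.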