On Thu, May 04, 2017 at 03:35:44PM +0200, Pablo Neira Ayuso wrote:
> On Thu, May 04, 2017 at 02:34:17PM +0200, Phil Sutter wrote:
> > This allows user space to reliably match kernel generated handles with
> > added rules for reference.
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> > net/netfilter/nf_tables_api.c | 19 ++++++++++++++++++- > > 1 file changed, 18 insertions(+), 1 deletion(-) > > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > index 1c6482d2c4dcf..71bce5d024409 100644 > > --- a/net/netfilter/nf_tables_api.c > > +++ b/net/netfilter/nf_tables_api.c > > @@ -2142,6 +2142,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > > struct nft_userdata *udata; > > struct nft_trans *trans = NULL; > > struct nft_expr *expr; > > + struct sk_buff *skb2; > > struct nft_ctx ctx; > > struct nlattr *tmp; > > unsigned int size, i, n, ulen = 0, usize = 0; > > @@ -2281,8 +2282,24 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > > goto err3; > > } > > chain->use++; > > - return 0; > > > > + skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); > > + if (!skb2) { > > + err = -ENOMEM; > > + goto err4; > > + } > > + err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, > > + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, > > + nfmsg->nfgen_family, table, chain, rule); > > + if (err < 0) > > + goto err5; > > + > > + return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
>
> You can achieve this already via NLM_F_ECHO.

Oh, thanks for the pointer!

Cheers, Phil
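Review bot: In the second hunk, `return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);` replaces `return 0;` after `chain->use++` has already run, so a failure to deliver the reply is returned to the caller as if adding the rule had failed, with nothing visible here that unwinds the rule state. Suggest sending the reply, handling its error separately, and keeping `return 0;` as the function result. The new `goto err4` and `goto err5` paths also sit after `chain->use++`; the quoted lines do not show those labels, so confirm that they undo the increment and that `err5` frees `skb2`. The reply is also built and sent unconditionally for every new rule, including to requesters that did not ask for it; making it depend on a flag in the request would avoid that, which is where the NLM_F_ECHO comment in the thread points.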