Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> +static int __init nf_flow_offload_module_init(void)
> +{
> +	struct rhashtable_params params = flow_offload_rhash_params;
> +	struct nf_hook_ops flow_offload_hook = {
> +		.hook = nf_flow_offload_hook,
> +		.pf = NFPROTO_NETDEV,
> +		.hooknum = NF_NETDEV_INGRESS,
> +		.priority = -100,

Magic number. Should this be documented in nft?

Alternatively we could reject NETDEV_INGRESS base chains from userspace if
prio < 0 to prevent userspace rules from messing with this flow offload
infrastructure.

I guess the rationale of using auto-builtin hook is to avoid forcing users
to configure this with nftables rules?

> +	rtnl_lock();
> +	for_each_netdev(&init_net, dev) {
> +		entry = kmalloc(sizeof(*entry), GFP_KERNEL);
> +		if (!entry) {
> +			rtnl_unlock();
> +			return -ENOMEM;

This would need error unwinding (unregistering the already-registered hooks).

> +		err = nf_register_net_hook(&init_net, &entry->ops);
> +		if (err < 0)
> +			return err;

And here as well.
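Review bot: the nf_register_net_hook() failure path inside the for_each_netdev() loop returns err while rtnl_lock() is still held and without freeing the entry that was just allocated with kmalloc(); the kmalloc() failure path a few lines above does call rtnl_unlock(), so the two error paths are inconsistent. Suggest routing both through one error label that does kfree(entry) for the current device, unregisters the hooks already registered for earlier devices, and calls rtnl_unlock() before returning, so the unwinding is the same whichever step fails.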