Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> static int __init nf_nat_init(void)
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 74a04638ef03..28e4fae98f60 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -227,6 +227,30 @@ find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)
> return entry;
> }
>
> +static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
> +{
> + enum ip_conntrack_info ctinfo;
> + struct nf_ct_hook *ct_hook;
> + struct nf_conn *ct;
> + int err;
> +
> + ct = nf_ct_get(entry->skb, &ctinfo);
> + if (ct && !nf_ct_is_confirmed(ct) &&
> + verdict != NF_STOLEN && verdict != NF_DROP) {
Why not verdict == NF_ACCEPT?
> static void
> nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, unsigned long data)
> {
> @@ -237,7 +261,7 @@ nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, unsigned long data)
> if (!cmpfn || cmpfn(entry, data)) {
> list_del(&entry->list);
> queue->queue_total--;
> - nf_reinject(entry, NF_DROP);
> + nfqnl_reinject(entry, NF_DROP);
> }
> }
> spin_unlock_bh(&queue->lock);
> @@ -686,7 +710,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
> err_out_unlock:
> spin_unlock_bh(&queue->lock);
> if (failopen)
> - nf_reinject(entry, NF_ACCEPT);
> + nfqnl_reinject(entry, NF_ACCEPT);
I think failopen can use nf_reinject since we didn't queue packet to
userspace.
> @@ -1208,7 +1233,7 @@ static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl,
> if (nfqa[NFQA_MARK])
> entry->skb->mark = ntohl(nla_get_be32(nfqa[NFQA_MARK]));
>
> - nf_reinject(entry, verdict);
> + nfqnl_reinject(entry, verdict);
I wonder if we should make nfqnl_reinject dependent on
nfqa[NFQA_PAYLOAD] ?
(i.e., should we munge payload in case userspcae already did so?)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
