Re: [PATCH v7] netfilter: nf_conntrack_sip: fix expectation clash

[Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>]

This patch looks nice now.

One more change and we go:

On Tue, Jun 18, 2019 at 04:32:50PM +0800, xiao ruizhu wrote:
> diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
> index 59c1880..7df6228 100644
> --- a/net/netfilter/nf_conntrack_expect.c
> +++ b/net/netfilter/nf_conntrack_expect.c
> @@ -252,13 +252,22 @@ static inline int expect_clash(const struct nf_conntrack_expect *a,
>  static inline int expect_matches(const struct nf_conntrack_expect *a,
>  				 const struct nf_conntrack_expect *b)
>  {
> -	return a->master == b->master &&
> -	       nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
> +	return nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
>  	       nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
>  	       net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
>  	       nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
>  }
>  
> +static bool master_matches(const struct nf_conntrack_expect *a,
> +			   const struct nf_conntrack_expect *b,
> +			   unsigned int flags)
> +{
> +	if (flags & NF_CT_EXP_F_CHECK_MASTER)

rename this to NF_CT_EXP_F_SKIP_MASTER.

Since semantics here is to skip the master check, rather than checking
for it.

> +		return true;
> +
> +	return a->master == b->master;
> +}

Thanks.