Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: deprecate NF_STOP

NF_STOP is only used by br_netfilter these days, and it can be emulated
with a combination of NF_STOLEN plus explicit call to the ->okfn()
function as Florian suggests.

To retain binary compatibility with userspace nf_queue applications, we
have to keep NF_STOP around, so libnetfilter_queue userspace
applications still work if they use NF_STOP for some exotic reason.

Out of tree modules using NF_STOP would break, but we don't care about
those.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+6 -4
+1 -1
include/uapi/linux/netfilter.h
··· 13 13 #define NF_STOLEN 2 14 14 #define NF_QUEUE 3 15 15 #define NF_REPEAT 4 16 - #define NF_STOP 5 16 + #define NF_STOP 5 /* Deprecated, for userspace nf_queue compatibility. */ 17 17 #define NF_MAX_VERDICT NF_STOP 18 18 19 19 /* we overload the higher bits for encoding auxiliary data such as the queue
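Review bot: the new comment on NF_STOP marks it deprecated but does not say how the kernel now treats that verdict when userspace returns it; since NF_MAX_VERDICT is still defined as NF_STOP on the next line, the value remains within the accepted verdict range, while the core.c hunk in this patch removes it from the NF_ACCEPT path. A one-line addition such as `/* Deprecated, for userspace nf_queue compatibility; no longer returned by in-kernel hooks. */` plus a sentence in the commit message stating the resulting behaviour for a queued packet would let libnetfilter_queue authors know what to expect.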
+4 -2
net/bridge/br_netfilter_hooks.c
··· 845 845 struct sk_buff *skb, 846 846 const struct nf_hook_state *state) 847 847 { 848 - if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) 849 - return NF_STOP; 848 + if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) { 849 + state->okfn(state->net, state->sk, skb); 850 + return NF_STOLEN; 851 + } 850 852 851 853 return NF_ACCEPT; 852 854 }
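Review bot: the return value of `state->okfn(state->net, state->sk, skb);` is discarded. With the old `return NF_STOP;` the verdict was treated like NF_ACCEPT in nf_hook_slow (ret = 1, see the core.c hunk), so the hook caller invoked okfn itself and could propagate its result; after this change the caller only ever sees NF_STOLEN. If no caller of this hook uses that result the change is harmless, but that should be stated in the commit message, and a short comment above the call explaining why okfn is invoked directly from inside the hook would help the next reader who expects hooks not to do that.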
+1 -1
net/netfilter/core.c
··· 333 333 entry = rcu_dereference(state->hook_entries); 334 334 next_hook: 335 335 verdict = nf_iterate(skb, state, &entry); 336 - if (verdict == NF_ACCEPT || verdict == NF_STOP) { 336 + if (verdict == NF_ACCEPT) { 337 337 ret = 1; 338 338 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { 339 339 kfree_skb(skb);