[NETFILTER]: x_tables: add missing try to load conntrack from match/targets

CLUSTERIP, CONNMARK, CONNSECMARK, and connbytes need ip_conntrack or
layer 3 protocol module of nf_conntrack.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Yasuyuki Kozakai and committed by David S. Miller 11078c37 fe0b9294

+48 -2
+8
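--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -447,6 +447,12 @@
 		cipinfo->config = config;
 	}
 
+	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+		printk(KERN_WARNING "can't load conntrack support for "
+				    "proto=%d\n", target->family);
+		return 0;
+	}
+
 	return 1;
 }
 
@@ -460,6 +466,8 @@
 	clusterip_config_entry_put(cipinfo->config);
 
 	clusterip_config_put(cipinfo->config);
+
+	nf_ct_l3proto_module_put(target->family);
 }
 
 static struct ipt_target clusterip_tgt = {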
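Review bot: The new failure return in checkentry comes after `cipinfo->config = config;`, so when nf_ct_l3proto_try_module_get() fails the function returns 0 with a config already attached to the rule. The code that obtains the config is outside this hunk, but the destroy hunk shows it is normally released with clusterip_config_entry_put() and clusterip_config_put(). If destroy is not run for a rule that checkentry rejected (this looks like the x_tables convention, please confirm), those references are never dropped. The simplest fix is to move the try_module_get block to the top of checkentry, before the config is looked up or created, so the early `return 0;` has nothing to undo.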
+13 -1
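--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -96,6 +96,11 @@
 {
 	struct xt_connmark_target_info *matchinfo = targinfo;
 
+	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+		printk(KERN_WARNING "can't load conntrack support for "
+				    "proto=%d\n", target->family);
+		return 0;
+	}
 	if (matchinfo->mode == XT_CONNMARK_RESTORE) {
 		if (strcmp(tablename, "mangle") != 0) {
 			printk(KERN_WARNING "CONNMARK: restore can only be "
@@ -109,6 +114,12 @@
 		return 0;
 	}
 	return 1;
+}
+
+static void
+destroy(const struct xt_target *target, void *targinfo)
+{
+	nf_ct_l3proto_module_put(target->family);
 }
 
 #ifdef CONFIG_COMPAT
@@ -147,6 +158,7 @@
 		.name		= "CONNMARK",
 		.family		= AF_INET,
 		.checkentry	= checkentry,
+		.destroy	= destroy,
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connmark_target_info),
 #ifdef CONFIG_COMPAT
@@ -160,6 +172,7 @@
 		.name		= "CONNMARK",
 		.family		= AF_INET6,
 		.checkentry	= checkentry,
+		.destroy	= destroy,
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connmark_target_info),
 		.me		= THIS_MODULE
@@ -168,7 +181,6 @@
 
 static int __init xt_connmark_init(void)
 {
-	need_conntrack();
 	return xt_register_targets(xt_connmark_target,
 				   ARRAY_SIZE(xt_connmark_target));
 }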
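Review bot: checkentry takes the conntrack module reference before it validates the rule, so the later `return 0;` paths leave without a matching nf_ct_l3proto_module_put(). The visible ones are the mangle-table check for XT_CONNMARK_RESTORE and the `return 0;` just before `return 1;`. If destroy only runs for rules that passed checkentry (please confirm), every rejected rule pins the l3proto module once more and it can no longer be unloaded. Move the try_module_get block to just before `return 1;`, as the xt_connbytes.c hunk in this commit does, or add `nf_ct_l3proto_module_put(target->family);` ahead of each later `return 0;`. The same ordering appears in the checkentry hunk of xt_CONNSECMARK.c, where the get precedes `switch (info->mode)`; part of both function bodies lies outside the hunks.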
+13 -1
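--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -93,6 +93,11 @@
 {
 	struct xt_connsecmark_target_info *info = targinfo;
 
+	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+		printk(KERN_WARNING "can't load conntrack support for "
+				    "proto=%d\n", target->family);
+		return 0;
+	}
 	switch (info->mode) {
 	case CONNSECMARK_SAVE:
 	case CONNSECMARK_RESTORE:
@@ -106,11 +111,18 @@
 	return 1;
 }
 
+static void
+destroy(const struct xt_target *target, void *targinfo)
+{
+	nf_ct_l3proto_module_put(target->family);
+}
+
 static struct xt_target xt_connsecmark_target[] = {
 	{
 		.name		= "CONNSECMARK",
 		.family		= AF_INET,
 		.checkentry	= checkentry,
+		.destroy	= destroy,
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connsecmark_target_info),
 		.table		= "mangle",
@@ -120,6 +132,7 @@
 		.name		= "CONNSECMARK",
 		.family		= AF_INET6,
 		.checkentry	= checkentry,
+		.destroy	= destroy,
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connsecmark_target_info),
 		.table		= "mangle",
@@ -129,7 +142,6 @@
 
 static int __init xt_connsecmark_init(void)
 {
-	need_conntrack();
 	return xt_register_targets(xt_connsecmark_target,
 				   ARRAY_SIZE(xt_connsecmark_target));
 }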
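Review bot: The warning added in checkentry, `can't load conntrack support for proto=%d`, does not name the target, so someone reading the kernel log cannot tell which rule type was rejected. The existing message visible in xt_CONNMARK.c already uses a `CONNMARK: ` prefix. Suggest `printk(KERN_WARNING "CONNSECMARK: can't load conntrack support for "` here, with the matching prefix in ipt_CLUSTERIP.c, xt_CONNMARK.c and xt_connbytes.c, which add the same text.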
+14
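--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -139,7 +139,19 @@
 	    sinfo->direction != XT_CONNBYTES_DIR_BOTH)
 		return 0;
 
+	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+		printk(KERN_WARNING "can't load conntrack support for "
+				    "proto=%d\n", match->family);
+		return 0;
+	}
+
 	return 1;
+}
+
+static void
+destroy(const struct xt_match *match, void *matchinfo)
+{
+	nf_ct_l3proto_module_put(match->family);
 }
 
 static struct xt_match xt_connbytes_match[] = {
@@ -148,6 +160,7 @@
 		.family		= AF_INET,
 		.checkentry	= check,
 		.match		= match,
+		.destroy	= destroy,
 		.matchsize	= sizeof(struct xt_connbytes_info),
 		.me		= THIS_MODULE
 	},
@@ -156,6 +169,7 @@
 		.family		= AF_INET6,
 		.checkentry	= check,
 		.match		= match,
+		.destroy	= destroy,
 		.matchsize	= sizeof(struct xt_connbytes_info),
 		.me		= THIS_MODULE
 	},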
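Review bot: The new destroy() has no comment, although its only job is to balance the nf_ct_l3proto_try_module_get() taken at the end of check(). A one-line comment above it would keep that pairing visible to whoever adds another exit path to check() later: `/* Drop the conntrack l3proto reference taken in check(). */`. The identical destroy() functions added in xt_CONNMARK.c and xt_CONNSECMARK.c would take the same comment, naming checkentry() instead.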