commit 11078c371e2ecfce011d1dffb67888c6fed1b664 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[NETFILTER]: x_tables: add missing try to load conntrack from match/targets

CLUSTERIP, CONNMARK, CONNSECMARK, and connbytes need ip_conntrack or
layer 3 protocol module of nf_conntrack.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Yasuyuki Kozakai and committed by David S. Miller 19 years ago 11078c37 fe0b9294

+48 -2

4 changed files

expand all

unified split

net

ipv4

netfilter

ipt_CLUSTERIP.c

netfilter

xt_CONNMARK.c

xt_CONNSECMARK.c

xt_connbytes.c

net/ipv4/netfilter/ipt_CLUSTERIP.c

··· 447 cipinfo->config = config; 448 } 449 450 return 1; 451 } 452 ··· 466 clusterip_config_entry_put(cipinfo->config); 467 468 clusterip_config_put(cipinfo->config); 469 } 470 471 static struct ipt_target clusterip_tgt = {

··· 447 cipinfo->config = config; 448 } 449 450 + if (nf_ct_l3proto_try_module_get(target->family) < 0) { 451 + printk(KERN_WARNING "can't load conntrack support for " 452 + "proto=%d\n", target->family); 453 + return 0; 454 + } 455 + 456 return 1; 457 } 458 ··· 460 clusterip_config_entry_put(cipinfo->config); 461 462 clusterip_config_put(cipinfo->config); 463 + 464 + nf_ct_l3proto_module_put(target->family); 465 } 466 467 static struct ipt_target clusterip_tgt = {

+13 -1

net/netfilter/xt_CONNMARK.c

··· 96 { 97 struct xt_connmark_target_info *matchinfo = targinfo; 98 99 if (matchinfo->mode == XT_CONNMARK_RESTORE) { 100 if (strcmp(tablename, "mangle") != 0) { 101 printk(KERN_WARNING "CONNMARK: restore can only be " ··· 114 return 0; 115 } 116 return 1; 117 } 118 119 #ifdef CONFIG_COMPAT ··· 158 .name = "CONNMARK", 159 .family = AF_INET, 160 .checkentry = checkentry, 161 .target = target, 162 .targetsize = sizeof(struct xt_connmark_target_info), 163 #ifdef CONFIG_COMPAT ··· 172 .name = "CONNMARK", 173 .family = AF_INET6, 174 .checkentry = checkentry, 175 .target = target, 176 .targetsize = sizeof(struct xt_connmark_target_info), 177 .me = THIS_MODULE ··· 181 182 static int __init xt_connmark_init(void) 183 { 184 - need_conntrack(); 185 return xt_register_targets(xt_connmark_target, 186 ARRAY_SIZE(xt_connmark_target)); 187 }

··· 96 { 97 struct xt_connmark_target_info *matchinfo = targinfo; 98 99 + if (nf_ct_l3proto_try_module_get(target->family) < 0) { 100 + printk(KERN_WARNING "can't load conntrack support for " 101 + "proto=%d\n", target->family); 102 + return 0; 103 + } 104 if (matchinfo->mode == XT_CONNMARK_RESTORE) { 105 if (strcmp(tablename, "mangle") != 0) { 106 printk(KERN_WARNING "CONNMARK: restore can only be " ··· 109 return 0; 110 } 111 return 1; 112 + } 113 + 114 + static void 115 + destroy(const struct xt_target *target, void *targinfo) 116 + { 117 + nf_ct_l3proto_module_put(target->family); 118 } 119 120 #ifdef CONFIG_COMPAT ··· 147 .name = "CONNMARK", 148 .family = AF_INET, 149 .checkentry = checkentry, 150 + .destroy = destroy, 151 .target = target, 152 .targetsize = sizeof(struct xt_connmark_target_info), 153 #ifdef CONFIG_COMPAT ··· 160 .name = "CONNMARK", 161 .family = AF_INET6, 162 .checkentry = checkentry, 163 + .destroy = destroy, 164 .target = target, 165 .targetsize = sizeof(struct xt_connmark_target_info), 166 .me = THIS_MODULE ··· 168 169 static int __init xt_connmark_init(void) 170 { 171 return xt_register_targets(xt_connmark_target, 172 ARRAY_SIZE(xt_connmark_target)); 173 }

+13 -1

net/netfilter/xt_CONNSECMARK.c

··· 93 { 94 struct xt_connsecmark_target_info *info = targinfo; 95 96 switch (info->mode) { 97 case CONNSECMARK_SAVE: 98 case CONNSECMARK_RESTORE: ··· 111 return 1; 112 } 113 114 static struct xt_target xt_connsecmark_target[] = { 115 { 116 .name = "CONNSECMARK", 117 .family = AF_INET, 118 .checkentry = checkentry, 119 .target = target, 120 .targetsize = sizeof(struct xt_connsecmark_target_info), 121 .table = "mangle", ··· 132 .name = "CONNSECMARK", 133 .family = AF_INET6, 134 .checkentry = checkentry, 135 .target = target, 136 .targetsize = sizeof(struct xt_connsecmark_target_info), 137 .table = "mangle", ··· 142 143 static int __init xt_connsecmark_init(void) 144 { 145 - need_conntrack(); 146 return xt_register_targets(xt_connsecmark_target, 147 ARRAY_SIZE(xt_connsecmark_target)); 148 }

··· 93 { 94 struct xt_connsecmark_target_info *info = targinfo; 95 96 + if (nf_ct_l3proto_try_module_get(target->family) < 0) { 97 + printk(KERN_WARNING "can't load conntrack support for " 98 + "proto=%d\n", target->family); 99 + return 0; 100 + } 101 switch (info->mode) { 102 case CONNSECMARK_SAVE: 103 case CONNSECMARK_RESTORE: ··· 106 return 1; 107 } 108 109 + static void 110 + destroy(const struct xt_target *target, void *targinfo) 111 + { 112 + nf_ct_l3proto_module_put(target->family); 113 + } 114 + 115 static struct xt_target xt_connsecmark_target[] = { 116 { 117 .name = "CONNSECMARK", 118 .family = AF_INET, 119 .checkentry = checkentry, 120 + .destroy = destroy, 121 .target = target, 122 .targetsize = sizeof(struct xt_connsecmark_target_info), 123 .table = "mangle", ··· 120 .name = "CONNSECMARK", 121 .family = AF_INET6, 122 .checkentry = checkentry, 123 + .destroy = destroy, 124 .target = target, 125 .targetsize = sizeof(struct xt_connsecmark_target_info), 126 .table = "mangle", ··· 129 130 static int __init xt_connsecmark_init(void) 131 { 132 return xt_register_targets(xt_connsecmark_target, 133 ARRAY_SIZE(xt_connsecmark_target)); 134 }

+14

net/netfilter/xt_connbytes.c

··· 139 sinfo->direction != XT_CONNBYTES_DIR_BOTH) 140 return 0; 141 142 return 1; 143 } 144 145 static struct xt_match xt_connbytes_match[] = { ··· 160 .family = AF_INET, 161 .checkentry = check, 162 .match = match, 163 .matchsize = sizeof(struct xt_connbytes_info), 164 .me = THIS_MODULE 165 }, ··· 169 .family = AF_INET6, 170 .checkentry = check, 171 .match = match, 172 .matchsize = sizeof(struct xt_connbytes_info), 173 .me = THIS_MODULE 174 },

··· 139 sinfo->direction != XT_CONNBYTES_DIR_BOTH) 140 return 0; 141 142 + if (nf_ct_l3proto_try_module_get(match->family) < 0) { 143 + printk(KERN_WARNING "can't load conntrack support for " 144 + "proto=%d\n", match->family); 145 + return 0; 146 + } 147 + 148 return 1; 149 + } 150 + 151 + static void 152 + destroy(const struct xt_match *match, void *matchinfo) 153 + { 154 + nf_ct_l3proto_module_put(match->family); 155 } 156 157 static struct xt_match xt_connbytes_match[] = { ··· 148 .family = AF_INET, 149 .checkentry = check, 150 .match = match, 151 + .destroy = destroy, 152 .matchsize = sizeof(struct xt_connbytes_info), 153 .me = THIS_MODULE 154 }, ··· 156 .family = AF_INET6, 157 .checkentry = check, 158 .match = match, 159 + .destroy = destroy, 160 .matchsize = sizeof(struct xt_connbytes_info), 161 .me = THIS_MODULE 162 },