
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

+16 -10
+1 -1
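--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -333,7 +333,7 @@
 /* Called when user tries to insert an entry of this type:
 hook_mask is a bitmask of hooks from which it can be
 called. */
-/* Should return true or false, or an error code (-Exxxx). */
+/* Should return 0 on success or an error code otherwise (-Exxxx). */
 int (*checkentry)(const struct xt_tgchk_param *);
 
 /* Called when entry of this type deleted. */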
+1 -1
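--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -61,7 +61,7 @@
 int ret = NF_ACCEPT;
 
 if (ct && ct != &nf_conntrack_untracked) {
-if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
+if (!nf_ct_is_confirmed(ct))
 ret = __nf_conntrack_confirm(skb);
 if (likely(ret == NF_ACCEPT))
 nf_ct_deliver_cached_events(ct);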
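Review bot: With the `!nf_ct_is_dying(ct)` test removed from this inline wrapper, nothing at the call site says where the DYING state is handled now, and a later reader could reasonably re-add the lockless test as an optimisation. A one-line comment above `if (!nf_ct_is_confirmed(ct))` would prevent that, for example `/* DYING is tested under nf_conntrack_lock in __nf_conntrack_confirm() */`. As far as the visible lines show, a dying entry still ends up with `NF_ACCEPT`, so `nf_ct_deliver_cached_events(ct)` is still reached for it. The enclosing function starts and ends outside this section.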
+10
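--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -424,6 +424,16 @@
 
 spin_lock_bh(&nf_conntrack_lock);
 
+/* We have to check the DYING flag inside the lock to prevent
+a race against nf_ct_get_next_corpse() possibly called from
+user context, else we insert an already 'dead' hash, blocking
+further use of that particular connection -JM */
+
+if (unlikely(nf_ct_is_dying(ct))) {
+spin_unlock_bh(&nf_conntrack_lock);
+return NF_ACCEPT;
+}
+
 /* See if there's one in the list already, including reverse:
 NAT could have grabbed it without realizing, since we're
 not in the hash. If there is, we lost race. */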
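Review bot: The early exit for a dying conntrack returns `NF_ACCEPT`, so the packet is passed on although its entry is never inserted into the hash, and the added comment explains the race but not the choice of verdict. For a filtering path this matters: if the entry is dying because user context is tearing it down, the packet in flight is still accepted, and the comment should say that this is intended, e.g. `/* Accept: the packet itself is fine, only the entry must not be hashed. */`. Two style points on the same lines: the `-JM` signature belongs in the commit record rather than in the comment, and the blank line before `if (unlikely(nf_ct_is_dying(ct)))` detaches the explanation from the code it describes. The function starts and ends outside the hunk, so whether it has a shared unlock-and-return path that this exit could reuse cannot be checked from here.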
+4 -8
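--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1393,10 +1393,8 @@
 
 nf_ct_refresh(ct, skb, sip_timeout * HZ);
 
-if (skb_is_nonlinear(skb)) {
-pr_debug("Copy of skbuff not supported yet.\n");
-return NF_ACCEPT;
-}
+if (unlikely(skb_linearize(skb)))
+return NF_DROP;
 
 dptr = skb->data + dataoff;
 datalen = skb->len - dataoff;
@@ -1453,10 +1455,8 @@
 
 nf_ct_refresh(ct, skb, sip_timeout * HZ);
 
-if (skb_is_nonlinear(skb)) {
-pr_debug("Copy of skbuff not supported yet.\n");
-return NF_ACCEPT;
-}
+if (unlikely(skb_linearize(skb)))
+return NF_DROP;
 
 dptr = skb->data + dataoff;
 datalen = skb->len - dataoff;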
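Review bot: `skb_linearize()` can move the packet data, so any pointer into the skb taken before the new `if (unlikely(skb_linearize(skb)))` line is stale afterwards. `dptr` is derived after the call in both hunks, but both functions start outside the hunks, so earlier header pointers cannot be checked from here. The failure path also changes the verdict from `NF_ACCEPT` to `NF_DROP`, which fails closed when linearizing fails. `nf_ct_refresh()` has by then already extended the timeout for a packet that is dropped, which moving the linearize call above the refresh would likely avoid. A short comment would record the intent, e.g. `/* Parser needs a flat buffer; drop rather than pass unparsed SIP if we cannot get one. */`.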