
netfilter: Pass net into nf_xfrm_me_harder

Instead of calling dev_net on a likely-looking network device,
pass state->net into nf_xfrm_me_harder.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Eric W. Biederman and committed by
Pablo Neira Ayuso
c7af6483 06198b34

+7 -7
+1 -1
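--- a/include/net/netfilter/nf_nat_core.h
+++ b/include/net/netfilter/nf_nat_core.h
@@ -10,7 +10,7 @@
 unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 unsigned int hooknum, struct sk_buff *skb);
 
-int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family);
+int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family);
 
 static inline int nf_nat_initialized(struct nf_conn *ct,
 enum nf_nat_manip_type manip)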
+2 -2
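--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -396,7 +396,7 @@
 (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
 ct->tuplehash[dir].tuple.src.u.all !=
 ct->tuplehash[!dir].tuple.dst.u.all)) {
-err = nf_xfrm_me_harder(skb, AF_INET);
+err = nf_xfrm_me_harder(state->net, skb, AF_INET);
 if (err < 0)
 ret = NF_DROP_ERR(err);
 }
@@ -440,7 +440,7 @@
 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
 ct->tuplehash[dir].tuple.dst.u.all !=
 ct->tuplehash[!dir].tuple.src.u.all) {
-err = nf_xfrm_me_harder(skb, AF_INET);
+err = nf_xfrm_me_harder(state->net, skb, AF_INET);
 if (err < 0)
 ret = NF_DROP_ERR(err);
 }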
+2 -2
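--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -403,7 +403,7 @@
 (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
 ct->tuplehash[dir].tuple.src.u.all !=
 ct->tuplehash[!dir].tuple.dst.u.all)) {
-err = nf_xfrm_me_harder(skb, AF_INET6);
+err = nf_xfrm_me_harder(state->net, skb, AF_INET6);
 if (err < 0)
 ret = NF_DROP_ERR(err);
 }
@@ -446,7 +446,7 @@
 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
 ct->tuplehash[dir].tuple.dst.u.all !=
 ct->tuplehash[!dir].tuple.src.u.all) {
-err = nf_xfrm_me_harder(skb, AF_INET6);
+err = nf_xfrm_me_harder(state->net, skb, AF_INET6);
 if (err < 0)
 ret = NF_DROP_ERR(err);
 }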
+2 -2
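--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -83,7 +83,7 @@
 rcu_read_unlock();
 }
 
-int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family)
+int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
 {
 struct flowi fl;
 unsigned int hh_len;
@@ -99,7 +99,7 @@
 dst = ((struct xfrm_dst *)dst)->route;
 dst_hold(dst);
 
-dst = xfrm_lookup(dev_net(dst->dev), dst, &fl, skb->sk, 0);
+dst = xfrm_lookup(net, dst, &fl, skb->sk, 0);
 if (IS_ERR(dst))
 return PTR_ERR(dst);
 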
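Review bot: The new `net` parameter of nf_xfrm_me_harder() has no documented contract, and after this change `xfrm_lookup(net, dst, &fl, skb->sk, 0)` consults the xfrm policy database of whatever namespace the caller supplies instead of the one derived from `dst->dev`. Because the namespace decides which IPsec policies apply to the NAT-rewritten packet, I would add a short comment above the definition, for example `/* @net: netns of the hook invocation (state->net); its xfrm policies are used for the lookup */`. The callers visible in this commit all pass `state->net`; whether any caller exists outside these files cannot be confirmed from this page. The function body starts and continues outside both hunks.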