netfilter: xtables: fix conntrack match v1 ipt-save output (3a042929) · Commits · 戴 / test

net/netfilter/xt_conntrack.c

+17 −44

Original line number	Diff line number	Diff line
		@@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
		}

		static bool
		conntrack_mt(const struct sk_buff skb, const struct xt_match_param par)
		conntrack_mt(const struct sk_buff skb, const struct xt_match_param par,
		u16 state_mask, u16 status_mask)
		{
		const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
		enum ip_conntrack_info ctinfo;
		@@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff skb, const struct xt_match_param par)
		if (test_bit(IPS_DST_NAT_BIT, &ct->status))
		statebit \|= XT_CONNTRACK_STATE_DNAT;
		}
		if (!!(info->state_mask & statebit) ^
		if (!!(state_mask & statebit) ^
		!(info->invert_flags & XT_CONNTRACK_STATE))
		return false;
		}
		@@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff skb, const struct xt_match_param par)
		return false;

		if ((info->match_flags & XT_CONNTRACK_STATUS) &&
		(!!(info->status_mask & ct->status) ^
		(!!(status_mask & ct->status) ^
		!(info->invert_flags & XT_CONNTRACK_STATUS)))
		return false;

		@@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff skb, const struct xt_match_param par)
		static bool
		conntrack_mt_v1(const struct sk_buff skb, const struct xt_match_param par)
		{
		const struct xt_conntrack_mtinfo2 const info = par->matchinfo;
		struct xt_match_param newpar = *par;
		const struct xt_conntrack_mtinfo1 *info = par->matchinfo;

		newpar.matchinfo = *info;
		return conntrack_mt(skb, &newpar);
		return conntrack_mt(skb, par, info->state_mask, info->status_mask);
		}

		static bool
		conntrack_mt_v2(const struct sk_buff skb, const struct xt_match_param par)
		{
		const struct xt_conntrack_mtinfo2 *info = par->matchinfo;

		return conntrack_mt(skb, par, info->state_mask, info->status_mask);
		}

		static bool conntrack_mt_check(const struct xt_mtchk_param *par)
		@@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
		return true;
		}

		static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
		{
		struct xt_conntrack_mtinfo1 *info = par->matchinfo;
		struct xt_conntrack_mtinfo2 *up;
		int ret = conntrack_mt_check(par);

		if (ret < 0)
		return ret;

		up = kmalloc(sizeof(*up), GFP_KERNEL);
		if (up == NULL) {
		nf_ct_l3proto_module_put(par->family);
		return -ENOMEM;
		}

		/*
		* The strategy here is to minimize the overhead of v1 matching,
		* by prebuilding a v2 struct and putting the pointer into the
		* v1 dataspace.
		*/
		memcpy(up, info, offsetof(typeof(*info), state_mask));
		up->state_mask = info->state_mask;
		up->status_mask = info->status_mask;
		(void *)info = up;
		return true;
		}

		static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
		{
		nf_ct_l3proto_module_put(par->family);
		}

		static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
		{
		struct xt_conntrack_mtinfo2 **info = par->matchinfo;
		kfree(*info);
		conntrack_mt_destroy(par);
		}

		static struct xt_match conntrack_mt_reg[] __read_mostly = {
		{
		.name = "conntrack",
		@@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
		.family = NFPROTO_UNSPEC,
		.matchsize = sizeof(struct xt_conntrack_mtinfo1),
		.match = conntrack_mt_v1,
		.checkentry = conntrack_mt_check_v1,
		.destroy = conntrack_mt_destroy_v1,
		.checkentry = conntrack_mt_check,
		.destroy = conntrack_mt_destroy,
		.me = THIS_MODULE,
		},
		{
		@@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
		.revision = 2,
		.family = NFPROTO_UNSPEC,
		.matchsize = sizeof(struct xt_conntrack_mtinfo2),
		.match = conntrack_mt,
		.match = conntrack_mt_v2,
		.checkentry = conntrack_mt_check,
		.destroy = conntrack_mt_destroy,
		.me = THIS_MODULE,

Admin message