diff mbox

[PATCHv3,nf-next] netfilter: nfnetlink_queue: check NFQA_CFG_F_CONNTRACK config flag

Message ID 20151007042347.GB23203@gmail.com
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Ken-ichirou MATSUZAWA Oct. 7, 2015, 4:23 a.m. UTC 
This patch enables to check if GLUE_CT is enabled and try to load
dependent, nf_conntrack_netlink module when NFQA_CFG_F_CONNTRACK
config flag is received. Then returns error either case is failed.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 net/netfilter/nfnetlink_queue.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff mbox

Patch

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index a659e57..583a7a0 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1225,6 +1225,23 @@  nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 			goto err_out_unlock;
 		}
 #endif
+		if (flags & mask & NFQA_CFG_F_CONNTRACK &&
+		    !rcu_dereference(nfnl_ct_hook)) {
+#ifdef CONFIG_MODULES
+			rcu_read_unlock();
+			nfnl_unlock(NFNL_SUBSYS_QUEUE);
+			request_module("ip_conntrack_netlink");
+			nfnl_lock(NFNL_SUBSYS_QUEUE);
+			rcu_read_lock();
+			if (rcu_dereference(nfnl_ct_hook)) {
+				ret = -EAGAIN;
+				goto err_out_unlock;
+			}
+#endif
+			ret = -EOPNOTSUPP;
+			goto err_out_unlock;
+		}
+
 		spin_lock_bh(&queue->lock);
 		queue->flags &= ~mask;
 		queue->flags |= flags & mask;