| Message ID | 1474907071-13591-3-git-send-email-aconole@bytheb.org |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
Aaron Conole <aconole@bytheb.org> wrote: > When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle > the request for registration properly by dropping the hook. This > releases the entry during the set. > > Signed-off-by: Aaron Conole <aconole@bytheb.org> > --- > net/netfilter/core.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > index e58e420..1d0a4c9 100644 > --- a/net/netfilter/core.c > +++ b/net/netfilter/core.c > @@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg, > { > switch (reg->pf) { > case NFPROTO_NETDEV: > +#ifdef CONFIG_NETFILTER_INGRESS > /* We already checked in nf_register_net_hook() that this is > * used from ingress. > */ > rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry); > +#else > + kfree(entry); > +#endif > break; This looks dodgy (its correct though). I'd propose to add a test to nf_register_net_hook() to bail with -EOPNOSTUPP instead of this "#else kfree()" if we get NFPROTO_NETDEV pf with CONFIG_NETFILTER_INGRESS=n build instead. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Florian Westphal <fw@strlen.de> writes: > Aaron Conole <aconole@bytheb.org> wrote: >> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle >> the request for registration properly by dropping the hook. This >> releases the entry during the set. >> >> Signed-off-by: Aaron Conole <aconole@bytheb.org> >> --- >> net/netfilter/core.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/netfilter/core.c b/net/netfilter/core.c >> index e58e420..1d0a4c9 100644 >> --- a/net/netfilter/core.c >> +++ b/net/netfilter/core.c >> @@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg, >> { >> switch (reg->pf) { >> case NFPROTO_NETDEV: >> +#ifdef CONFIG_NETFILTER_INGRESS >> /* We already checked in nf_register_net_hook() that this is >> * used from ingress. >> */ >> rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry); >> +#else >> + kfree(entry); >> +#endif >> break; > > This looks dodgy (its correct though). > > I'd propose to add a test to nf_register_net_hook() > to bail with -EOPNOSTUPP instead of this "#else kfree()" if we get > NFPROTO_NETDEV pf with CONFIG_NETFILTER_INGRESS=n build instead. Okay, I'll spin a new version. Thanks for the review, Florian! -Aaron -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index e58e420..1d0a4c9 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg, { switch (reg->pf) { case NFPROTO_NETDEV: +#ifdef CONFIG_NETFILTER_INGRESS /* We already checked in nf_register_net_hook() that this is * used from ingress. */ rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry); +#else + kfree(entry); +#endif break; default: rcu_assign_pointer(net->nf.hooks[reg->pf][reg->hooknum],
When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle the request for registration properly by dropping the hook. This releases the entry during the set. Signed-off-by: Aaron Conole <aconole@bytheb.org> --- net/netfilter/core.c | 4 ++++ 1 file changed, 4 insertions(+)