From patchwork Fri May 9 10:56:02 2014
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 347377
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 1/6] netfilter: ctnetlink: don't add null bindings if no nat requested
Date: Fri, 9 May 2014 12:56:02 +0200
Message-Id: <1399632967-4423-2-git-send-email-pablo@netfilter.org>
In-Reply-To: <1399632967-4423-1-git-send-email-pablo@netfilter.org>
References: <1399632967-4423-1-git-send-email-pablo@netfilter.org>
X-Mailing-List: netfilter-devel@vger.kernel.org
From: Florian Westphal

commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race where nat initialisation can happen after a ctnetlink-created conntrack has been created.

However, it causes the nat module(s) to be loaded needlessly on systems that are not using NAT.

Fortunately, we do not have to create null bindings in that case. conntracks injected via ctnetlink always have the CONFIRMED bit set, which prevents addition of the nat extension in nf_nat_ipv4/6_fn(). We only need to make sure that either no nat extension is added or that we've created both src and dst manips.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_conntrack_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ccc46fa..5857963 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[]) #ifdef CONFIG_NF_NAT_NEEDED int ret; + if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) + return 0; + ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, cda[CTA_NAT_DST]); if (ret < 0)
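Review bot: the early `return 0` when neither CTA_NAT_DST nor CTA_NAT_SRC is present is only safe because of the invariant the commit message spells out (ctnetlink-created conntracks carry the CONFIRMED bit, so nf_nat_ipv4/6_fn() will never attach a nat extension later), yet nothing in the hunk records that; a one-line comment above the check, e.g. `/* no NAT requested: CONFIRMED conntracks never get a nat extension added later */`, would keep the next reader from re-introducing the null bindings as a "fix". It is also worth noting in the same comment that the mixed case (only one of the two attributes present) deliberately still falls through to ctnetlink_parse_nat_setup() with a NULL attribute for the missing manip, since that is how the "both src and dst manips" guarantee from the message is upheld; as written, the relationship between the two branches is not obvious from the code alone.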