diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-02-15 17:34:20 -0800 |
|---|---|---|
| committer | Joe Stringer <joe@ovn.org> | 2017-03-02 15:51:38 -0800 |
| commit | a6d28f7c35b20023132a294ae37a5ede199d40ed (patch) | |
| tree | 6febeedf08d8fd35508a0b390179bf0025e7bd7d /datapath/linux | |
| parent | 6c0bf0917f4396bec09b7041ccd92ef0e7e2bd2e (diff) | |
| download | openvswitch-a6d28f7c35b20023132a294ae37a5ede199d40ed.tar.gz | |
datapath: handle NF_REPEAT from nf_conntrack_in()
Upstream commit:
commit 08733a0cb7decce40bbbd0331a0449465f13c444
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu Nov 3 10:56:43 2016 +0100
netfilter: handle NF_REPEAT from nf_conntrack_in()
NF_REPEAT is only needed from nf_conntrack_in() under a very specific
case required by the TCP protocol tracker, we can handle this case
without returning to the core hook path. Handling of NF_REPEAT from the
nf_reinject() is left untouched.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[Committer notes]
Shift the functionality into the compat code, protected by v4.10
version check. This allows the datapath/conntrack.c to match
upstream.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Signed-off-by: Joe Stringer <joe@ovn.org>
Diffstat (limited to 'datapath/linux')
| -rw-r--r-- | datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h index 09a53c325..16b57a647 100644 --- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h @@ -67,4 +67,25 @@ static inline bool rpl_nf_ct_get_tuple(const struct sk_buff *skb, #define nf_ct_get_tuple rpl_nf_ct_get_tuple #endif /* HAVE_NF_CT_GET_TUPLEPR_TAKES_STRUCT_NET */ +/* Commit 08733a0cb7de ("netfilter: handle NF_REPEAT from nf_conntrack_in()") + * introduced behavioural changes to this function which cannot be detected + * in the headers. Unconditionally backport to kernels older than the one which + * contains this commit. */ +#if LINUX_VERSION_CODE < KERNEL_VERSION(4,10,0) +static unsigned int rpl_nf_conntrack_in(struct net *net, u_int8_t pf, + unsigned int hooknum, + struct sk_buff *skb) +{ + int err; + + /* Repeat if requested, see nf_iterate(). */ + do { + err = nf_conntrack_in(net, pf, hooknum, skb); + } while (err == NF_REPEAT); + + return err; +} +#define nf_conntrack_in rpl_nf_conntrack_in +#endif /* < 4.10 */ + #endif /* _NF_CONNTRACK_CORE_WRAPPER_H */ |