Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a31f1adc authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 



As gre does not have the srckey in the packet gre_pkt_to_tuple
needs to perform a lookup in it's per network namespace tables.

Pass in the proper network namespace to all pkt_to_tuple
implementations to ensure gre (and any similar protocols) can get this
right.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent a4ffe319

include/net/netfilter/nf_conntrack.h

+2 −1
Original line number Diff line number Diff line
@@ -191,7 +191,8 @@ int nf_conntrack_hash_check_insert(struct nf_conn *ct); 
bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);



bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,

		       u_int16_t l3num, struct nf_conntrack_tuple *tuple);

		       u_int16_t l3num, struct net *net,

		       struct nf_conntrack_tuple *tuple);

bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,

			  const struct nf_conntrack_tuple *orig);

include/net/netfilter/nf_conntrack_core.h

+1 −0
Original line number Diff line number Diff line
@@ -41,6 +41,7 @@ void nf_conntrack_cleanup_end(void); 


bool nf_ct_get_tuple(const struct sk_buff *skb, unsigned int nhoff,

		     unsigned int dataoff, u_int16_t l3num, u_int8_t protonum,

		     struct net *net,

		     struct nf_conntrack_tuple *tuple,

		     const struct nf_conntrack_l3proto *l3proto,

		     const struct nf_conntrack_l4proto *l4proto);

include/net/netfilter/nf_conntrack_l4proto.h

+1 −1
Original line number Diff line number Diff line
@@ -26,7 +26,7 @@ struct nf_conntrack_l4proto { 
	/* Try to fill in the third arg: dataoff is offset past network protocol

           hdr.  Return true if possible. */

	bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,

			     struct nf_conntrack_tuple *tuple);

			     struct net *net, struct nf_conntrack_tuple *tuple);



	/* Invert the per-proto part of the tuple: ie. turn xmit into reply.

	 * Some packets can't be inverted: return 0 in that case.

net/ipv4/netfilter/nf_conntrack_proto_icmp.c

+2 −2
Original line number Diff line number Diff line
@@ -30,7 +30,7 @@ static inline struct nf_icmp_net *icmp_pernet(struct net *net) 
}



static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,

			      struct nf_conntrack_tuple *tuple)

			      struct net *net, struct nf_conntrack_tuple *tuple)

{

	const struct icmphdr *hp;

	struct icmphdr _hdr;
@@ -144,7 +144,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, 
	if (!nf_ct_get_tuplepr(skb,

			       skb_network_offset(skb) + ip_hdrlen(skb)

						       + sizeof(struct icmphdr),

			       PF_INET, &origtuple)) {

			       PF_INET, net, &origtuple)) {

		pr_debug("icmp_error_message: failed to get tuple\n");

		return -NF_ACCEPT;

	}

net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

+2 −1
Original line number Diff line number Diff line
@@ -36,6 +36,7 @@ static inline struct nf_icmp_net *icmpv6_pernet(struct net *net) 


static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,

				unsigned int dataoff,

				struct net *net,

				struct nf_conntrack_tuple *tuple)

{

	const struct icmp6hdr *hp;
@@ -159,7 +160,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl, 
			       skb_network_offset(skb)

				+ sizeof(struct ipv6hdr)

				+ sizeof(struct icmp6hdr),

			       PF_INET6, &origtuple)) {

			       PF_INET6, net, &origtuple)) {

		pr_debug("icmpv6_error: Can't get tuple\n");

		return -NF_ACCEPT;

	}