netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol

Currently, if the user want to match ct l3proto, we must specify the direction, for example: # nft add rule filter input ct original l3proto ipv4 ^^^^^^^^ Otherwise, error message will be reported: # nft add rule filter input ct l3proto ipv4 nft add rule filter input ct l3proto ipv4 <cmdline>:1:1-38: Error: Could not process rule: Invalid argument add rule filter input ct l3proto ipv4 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Actually, there's no need to require NFTA_CT_DIRECTION attr, because ct l3proto and protocol are unrelated to direction. And for compatibility, even if the user specify the NFTA_CT_DIRECTION attr, do not report error, just skip it. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Liping Zhang <liping.zhang@spreadtrum.com> 2016-09-22 10:28:51 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-25 08:54:02 -0400
commit: d767ff2c84f19be1aa403762f34eebbb403caf6d (patch)
tree: fd0b02f9d67749c6ada59b7db5558e92ed5fd604 /net
parent: 8d11350f5f33378efc5f905bee325f3e76d6bcca (diff)
1 files changed, 9 insertions, 10 deletions
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 51e180f2a003..825fbbc62f48 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -128,15 +128,18 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
                memcpy(dest, &count, sizeof(count));
                return;
        }
+        case NFT_CT_L3PROTOCOL:
+                *dest = nf_ct_l3num(ct);
+                return;
+        case NFT_CT_PROTOCOL:
+                *dest = nf_ct_protonum(ct);
+                return;
        default:
                break;
        }
        tuple = &ct->tuplehash[priv->dir].tuple;
        switch (priv->key) {
-        case NFT_CT_L3PROTOCOL:
-                *dest = nf_ct_l3num(ct);
-                return;
        case NFT_CT_SRC:
                memcpy(dest, tuple->src.u3.all,
                       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
@@ -145,9 +148,6 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
                memcpy(dest, tuple->dst.u3.all,
                       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
                return;
-        case NFT_CT_PROTOCOL:
-                *dest = nf_ct_protonum(ct);
-                return;
        case NFT_CT_PROTO_SRC:
                *dest = (__force __u16)tuple->src.u.all;
                return;
@@ -283,8 +283,9 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
        case NFT_CT_L3PROTOCOL:
        case NFT_CT_PROTOCOL:
-                if (tb[NFTA_CT_DIRECTION] == NULL)
+                /* For compatibility, do not report error if NFTA_CT_DIRECTION
-                        return -EINVAL;
+                 * attribute is specified.
+                 */
                len = sizeof(u8);
                break;
        case NFT_CT_SRC:
@@ -432,8 +433,6 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
                goto nla_put_failure;
        switch (priv->key) {
-        case NFT_CT_L3PROTOCOL:
-        case NFT_CT_PROTOCOL:
        case NFT_CT_SRC:
        case NFT_CT_DST:
        case NFT_CT_PROTO_SRC:
author	Liping Zhang <liping.zhang@spreadtrum.com>	2016-09-22 10:28:51 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-09-25 08:54:02 -0400
commit	d767ff2c84f19be1aa403762f34eebbb403caf6d (patch)
tree	fd0b02f9d67749c6ada59b7db5558e92ed5fd604 /net
parent	8d11350f5f33378efc5f905bee325f3e76d6bcca (diff)