diff options
| author | Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> | 2006-12-12 03:29:02 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-13 19:48:21 -0500 |
| commit | 11078c371e2ecfce011d1dffb67888c6fed1b664 (patch) | |
| tree | 7e45dea57e53396a3fa80e2c2f6901dab608fb0b /net | |
| parent | fe0b9294c9f951a64c768f8a5879154235efe63f (diff) | |
[NETFILTER]: x_tables: add missing try to load conntrack from match/targets
CLUSTERIP, CONNMARK, CONNSECMARK, and connbytes need ip_conntrack or
layer 3 protocol module of nf_conntrack.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 | ||||
| -rw-r--r-- | net/netfilter/xt_CONNMARK.c | 14 | ||||
| -rw-r--r-- | net/netfilter/xt_CONNSECMARK.c | 14 | ||||
| -rw-r--r-- | net/netfilter/xt_connbytes.c | 14 |
4 files changed, 48 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index fef56ae61abe..b1c11160b9de 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
| @@ -447,6 +447,12 @@ checkentry(const char *tablename, | |||
| 447 | cipinfo->config = config; | 447 | cipinfo->config = config; |
| 448 | } | 448 | } |
| 449 | 449 | ||
| 450 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 451 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 452 | "proto=%d\n", target->family); | ||
| 453 | return 0; | ||
| 454 | } | ||
| 455 | |||
| 450 | return 1; | 456 | return 1; |
| 451 | } | 457 | } |
| 452 | 458 | ||
| @@ -460,6 +466,8 @@ static void destroy(const struct xt_target *target, void *targinfo) | |||
| 460 | clusterip_config_entry_put(cipinfo->config); | 466 | clusterip_config_entry_put(cipinfo->config); |
| 461 | 467 | ||
| 462 | clusterip_config_put(cipinfo->config); | 468 | clusterip_config_put(cipinfo->config); |
| 469 | |||
| 470 | nf_ct_l3proto_module_put(target->family); | ||
| 463 | } | 471 | } |
| 464 | 472 | ||
| 465 | static struct ipt_target clusterip_tgt = { | 473 | static struct ipt_target clusterip_tgt = { |
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c index b5548239d412..0534bfa65cce 100644 --- a/net/netfilter/xt_CONNMARK.c +++ b/net/netfilter/xt_CONNMARK.c | |||
| @@ -96,6 +96,11 @@ checkentry(const char *tablename, | |||
| 96 | { | 96 | { |
| 97 | struct xt_connmark_target_info *matchinfo = targinfo; | 97 | struct xt_connmark_target_info *matchinfo = targinfo; |
| 98 | 98 | ||
| 99 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 100 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 101 | "proto=%d\n", target->family); | ||
| 102 | return 0; | ||
| 103 | } | ||
| 99 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { | 104 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { |
| 100 | if (strcmp(tablename, "mangle") != 0) { | 105 | if (strcmp(tablename, "mangle") != 0) { |
| 101 | printk(KERN_WARNING "CONNMARK: restore can only be " | 106 | printk(KERN_WARNING "CONNMARK: restore can only be " |
| @@ -111,6 +116,12 @@ checkentry(const char *tablename, | |||
| 111 | return 1; | 116 | return 1; |
| 112 | } | 117 | } |
| 113 | 118 | ||
| 119 | static void | ||
| 120 | destroy(const struct xt_target *target, void *targinfo) | ||
| 121 | { | ||
| 122 | nf_ct_l3proto_module_put(target->family); | ||
| 123 | } | ||
| 124 | |||
| 114 | #ifdef CONFIG_COMPAT | 125 | #ifdef CONFIG_COMPAT |
| 115 | struct compat_xt_connmark_target_info { | 126 | struct compat_xt_connmark_target_info { |
| 116 | compat_ulong_t mark, mask; | 127 | compat_ulong_t mark, mask; |
| @@ -147,6 +158,7 @@ static struct xt_target xt_connmark_target[] = { | |||
| 147 | .name = "CONNMARK", | 158 | .name = "CONNMARK", |
| 148 | .family = AF_INET, | 159 | .family = AF_INET, |
| 149 | .checkentry = checkentry, | 160 | .checkentry = checkentry, |
| 161 | .destroy = destroy, | ||
| 150 | .target = target, | 162 | .target = target, |
| 151 | .targetsize = sizeof(struct xt_connmark_target_info), | 163 | .targetsize = sizeof(struct xt_connmark_target_info), |
| 152 | #ifdef CONFIG_COMPAT | 164 | #ifdef CONFIG_COMPAT |
| @@ -160,6 +172,7 @@ static struct xt_target xt_connmark_target[] = { | |||
| 160 | .name = "CONNMARK", | 172 | .name = "CONNMARK", |
| 161 | .family = AF_INET6, | 173 | .family = AF_INET6, |
| 162 | .checkentry = checkentry, | 174 | .checkentry = checkentry, |
| 175 | .destroy = destroy, | ||
| 163 | .target = target, | 176 | .target = target, |
| 164 | .targetsize = sizeof(struct xt_connmark_target_info), | 177 | .targetsize = sizeof(struct xt_connmark_target_info), |
| 165 | .me = THIS_MODULE | 178 | .me = THIS_MODULE |
| @@ -168,7 +181,6 @@ static struct xt_target xt_connmark_target[] = { | |||
| 168 | 181 | ||
| 169 | static int __init xt_connmark_init(void) | 182 | static int __init xt_connmark_init(void) |
| 170 | { | 183 | { |
| 171 | need_conntrack(); | ||
| 172 | return xt_register_targets(xt_connmark_target, | 184 | return xt_register_targets(xt_connmark_target, |
| 173 | ARRAY_SIZE(xt_connmark_target)); | 185 | ARRAY_SIZE(xt_connmark_target)); |
| 174 | } | 186 | } |
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 467386266674..a3fe3c334b09 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c | |||
| @@ -93,6 +93,11 @@ static int checkentry(const char *tablename, const void *entry, | |||
| 93 | { | 93 | { |
| 94 | struct xt_connsecmark_target_info *info = targinfo; | 94 | struct xt_connsecmark_target_info *info = targinfo; |
| 95 | 95 | ||
| 96 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 97 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 98 | "proto=%d\n", target->family); | ||
| 99 | return 0; | ||
| 100 | } | ||
| 96 | switch (info->mode) { | 101 | switch (info->mode) { |
| 97 | case CONNSECMARK_SAVE: | 102 | case CONNSECMARK_SAVE: |
| 98 | case CONNSECMARK_RESTORE: | 103 | case CONNSECMARK_RESTORE: |
| @@ -106,11 +111,18 @@ static int checkentry(const char *tablename, const void *entry, | |||
| 106 | return 1; | 111 | return 1; |
| 107 | } | 112 | } |
| 108 | 113 | ||
| 114 | static void | ||
| 115 | destroy(const struct xt_target *target, void *targinfo) | ||
| 116 | { | ||
| 117 | nf_ct_l3proto_module_put(target->family); | ||
| 118 | } | ||
| 119 | |||
| 109 | static struct xt_target xt_connsecmark_target[] = { | 120 | static struct xt_target xt_connsecmark_target[] = { |
| 110 | { | 121 | { |
| 111 | .name = "CONNSECMARK", | 122 | .name = "CONNSECMARK", |
| 112 | .family = AF_INET, | 123 | .family = AF_INET, |
| 113 | .checkentry = checkentry, | 124 | .checkentry = checkentry, |
| 125 | .destroy = destroy, | ||
| 114 | .target = target, | 126 | .target = target, |
| 115 | .targetsize = sizeof(struct xt_connsecmark_target_info), | 127 | .targetsize = sizeof(struct xt_connsecmark_target_info), |
| 116 | .table = "mangle", | 128 | .table = "mangle", |
| @@ -120,6 +132,7 @@ static struct xt_target xt_connsecmark_target[] = { | |||
| 120 | .name = "CONNSECMARK", | 132 | .name = "CONNSECMARK", |
| 121 | .family = AF_INET6, | 133 | .family = AF_INET6, |
| 122 | .checkentry = checkentry, | 134 | .checkentry = checkentry, |
| 135 | .destroy = destroy, | ||
| 123 | .target = target, | 136 | .target = target, |
| 124 | .targetsize = sizeof(struct xt_connsecmark_target_info), | 137 | .targetsize = sizeof(struct xt_connsecmark_target_info), |
| 125 | .table = "mangle", | 138 | .table = "mangle", |
| @@ -129,7 +142,6 @@ static struct xt_target xt_connsecmark_target[] = { | |||
| 129 | 142 | ||
| 130 | static int __init xt_connsecmark_init(void) | 143 | static int __init xt_connsecmark_init(void) |
| 131 | { | 144 | { |
| 132 | need_conntrack(); | ||
| 133 | return xt_register_targets(xt_connsecmark_target, | 145 | return xt_register_targets(xt_connsecmark_target, |
| 134 | ARRAY_SIZE(xt_connsecmark_target)); | 146 | ARRAY_SIZE(xt_connsecmark_target)); |
| 135 | } | 147 | } |
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c index dcc497ea8183..d93cb096a675 100644 --- a/net/netfilter/xt_connbytes.c +++ b/net/netfilter/xt_connbytes.c | |||
| @@ -139,15 +139,28 @@ static int check(const char *tablename, | |||
| 139 | sinfo->direction != XT_CONNBYTES_DIR_BOTH) | 139 | sinfo->direction != XT_CONNBYTES_DIR_BOTH) |
| 140 | return 0; | 140 | return 0; |
| 141 | 141 | ||
| 142 | if (nf_ct_l3proto_try_module_get(match->family) < 0) { | ||
| 143 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 144 | "proto=%d\n", match->family); | ||
| 145 | return 0; | ||
| 146 | } | ||
| 147 | |||
| 142 | return 1; | 148 | return 1; |
| 143 | } | 149 | } |
| 144 | 150 | ||
| 151 | static void | ||
| 152 | destroy(const struct xt_match *match, void *matchinfo) | ||
| 153 | { | ||
| 154 | nf_ct_l3proto_module_put(match->family); | ||
| 155 | } | ||
| 156 | |||
| 145 | static struct xt_match xt_connbytes_match[] = { | 157 | static struct xt_match xt_connbytes_match[] = { |
| 146 | { | 158 | { |
| 147 | .name = "connbytes", | 159 | .name = "connbytes", |
| 148 | .family = AF_INET, | 160 | .family = AF_INET, |
| 149 | .checkentry = check, | 161 | .checkentry = check, |
| 150 | .match = match, | 162 | .match = match, |
| 163 | .destroy = destroy, | ||
| 151 | .matchsize = sizeof(struct xt_connbytes_info), | 164 | .matchsize = sizeof(struct xt_connbytes_info), |
| 152 | .me = THIS_MODULE | 165 | .me = THIS_MODULE |
| 153 | }, | 166 | }, |
| @@ -156,6 +169,7 @@ static struct xt_match xt_connbytes_match[] = { | |||
| 156 | .family = AF_INET6, | 169 | .family = AF_INET6, |
| 157 | .checkentry = check, | 170 | .checkentry = check, |
| 158 | .match = match, | 171 | .match = match, |
| 172 | .destroy = destroy, | ||
| 159 | .matchsize = sizeof(struct xt_connbytes_info), | 173 | .matchsize = sizeof(struct xt_connbytes_info), |
| 160 | .me = THIS_MODULE | 174 | .me = THIS_MODULE |
| 161 | }, | 175 | }, |