diff options
| author | Jan Engelhardt <jengelh@computergmbh.de> | 2007-11-30 08:01:50 -0500 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2007-11-30 08:01:50 -0500 |
| commit | 67b4af297033f5f65999885542f95ba7b562848a (patch) | |
| tree | fc719bd0cd194a496d05ff5e0816cbc06e9d1727 /net | |
| parent | 9dc0564e862b1b9a4677dec2c736b12169e03e99 (diff) | |
[NETFILTER]: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK
Fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK
When xt_CONNMARK is used outside the mangle table and the user specified
"--restore-mark", the connmark_tg_check() function will (correctly)
error out, but (incorrectly) forgets to release the L3 conntrack module.
Same for xt_CONNSECMARK.
Fix is to move the call to acquire the L3 module after the basic
constraint checks.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/xt_CONNMARK.c | 10 | ||||
| -rw-r--r-- | net/netfilter/xt_CONNSECMARK.c | 10 |
2 files changed, 10 insertions, 10 deletions
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c index 856793e8db7a..0621ca7de3b0 100644 --- a/net/netfilter/xt_CONNMARK.c +++ b/net/netfilter/xt_CONNMARK.c | |||
| @@ -86,11 +86,6 @@ checkentry(const char *tablename, | |||
| 86 | { | 86 | { |
| 87 | const struct xt_connmark_target_info *matchinfo = targinfo; | 87 | const struct xt_connmark_target_info *matchinfo = targinfo; |
| 88 | 88 | ||
| 89 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 90 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 91 | "proto=%d\n", target->family); | ||
| 92 | return false; | ||
| 93 | } | ||
| 94 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { | 89 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { |
| 95 | if (strcmp(tablename, "mangle") != 0) { | 90 | if (strcmp(tablename, "mangle") != 0) { |
| 96 | printk(KERN_WARNING "CONNMARK: restore can only be " | 91 | printk(KERN_WARNING "CONNMARK: restore can only be " |
| @@ -103,6 +98,11 @@ checkentry(const char *tablename, | |||
| 103 | printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); | 98 | printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); |
| 104 | return false; | 99 | return false; |
| 105 | } | 100 | } |
| 101 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 102 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 103 | "proto=%d\n", target->family); | ||
| 104 | return false; | ||
| 105 | } | ||
| 106 | return true; | 106 | return true; |
| 107 | } | 107 | } |
| 108 | 108 | ||
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 021b5c8d20e2..d8feba9bdb48 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c | |||
| @@ -90,11 +90,6 @@ static bool checkentry(const char *tablename, const void *entry, | |||
| 90 | { | 90 | { |
| 91 | const struct xt_connsecmark_target_info *info = targinfo; | 91 | const struct xt_connsecmark_target_info *info = targinfo; |
| 92 | 92 | ||
| 93 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 94 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 95 | "proto=%d\n", target->family); | ||
| 96 | return false; | ||
| 97 | } | ||
| 98 | switch (info->mode) { | 93 | switch (info->mode) { |
| 99 | case CONNSECMARK_SAVE: | 94 | case CONNSECMARK_SAVE: |
| 100 | case CONNSECMARK_RESTORE: | 95 | case CONNSECMARK_RESTORE: |
| @@ -105,6 +100,11 @@ static bool checkentry(const char *tablename, const void *entry, | |||
| 105 | return false; | 100 | return false; |
| 106 | } | 101 | } |
| 107 | 102 | ||
| 103 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | ||
| 104 | printk(KERN_WARNING "can't load conntrack support for " | ||
| 105 | "proto=%d\n", target->family); | ||
| 106 | return false; | ||
| 107 | } | ||
| 108 | return true; | 108 | return true; |
| 109 | } | 109 | } |
| 110 | 110 | ||