net: Add dependence xt_socket match on nf_conntrack_ipv4

Submitted by Kirill Tkhai on Dec. 27, 2017, 8:58 a.m.

Details

Message ID 151436508717.31358.4462914521530728456.stgit@localhost.localdomain
State New
Series "net: Add dependence xt_socket match on nf_conntrack_ipv4"

Commit Message

Kirill Tkhai Dec. 27, 2017, 8:58 a.m.
This allows loading conntrack modules when inserting a rule
containing a "socket" match.

It seems this may be useful for socket_match() function,
which uses nf_ct_get() to obtain additional information
about skb.

Note that xt_socket already depends on VE_IP_CONNTRACK
in kernel/kmod.c, so we don't add a new dependency
in ve0_ipt_am.

https://jira.sw.ru/browse/PSBM-69269

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 net/netfilter/xt_socket.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 102946ad4a0d..f7bf0ebca1e7 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -485,7 +485,9 @@  static int __init socket_mt_init(void)
 #ifdef XT_SOCKET_HAVE_IPV6
 	nf_defrag_ipv6_enable();
 #endif
-
+#ifdef XT_SOCKET_HAVE_CONNTRACK
+	need_ipv4_conntrack();
+#endif
 	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
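Review bot: need_ipv4_conntrack() is called once from socket_mt_init(), so the dependency on nf_conntrack_ipv4 is taken for the whole lifetime of the xt_socket module, not "on inserting a rule containing a socket match" as the commit message says; either move the call into the match's checkentry path so it is only taken when such a rule is added, or reword the message to state that loading xt_socket now always pulls in IPv4 conntrack. Note as well that the IPv6 side directly above only calls nf_defrag_ipv6_enable(), so nf_ct_get() on IPv6 skbs still relies on nf_conntrack_ipv6 being loaded by other means; if that is intentional, a comment next to the new #ifdef block would save the next reader the question.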

Comments

Konstantin Khorenko Dec. 27, 2017, 3:57 p.m.
Need to send to mainstream as well?

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 12/27/2017 11:58 AM, Kirill Tkhai wrote:
> This allows loading conntrack modules when inserting a rule
> containing a "socket" match.
>
> It seems this may be useful for socket_match() function,
> which uses nf_ct_get() to obtain additional information
> about skb.
>
> Note that xt_socket already depends on VE_IP_CONNTRACK
> in kernel/kmod.c, so we don't add a new dependency
> in ve0_ipt_am.
>
> https://jira.sw.ru/browse/PSBM-69269
>
> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
> ---
>  net/netfilter/xt_socket.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
> index 102946ad4a0d..f7bf0ebca1e7 100644
> --- a/net/netfilter/xt_socket.c
> +++ b/net/netfilter/xt_socket.c
> @@ -485,7 +485,9 @@ static int __init socket_mt_init(void)
>  #ifdef XT_SOCKET_HAVE_IPV6
>  	nf_defrag_ipv6_enable();
>  #endif
> -
> +#ifdef XT_SOCKET_HAVE_CONNTRACK
> +	need_ipv4_conntrack();
> +#endif
>  	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
>  }
>
Kirill Tkhai Dec. 28, 2017, 7:05 a.m.
On 27.12.2017 18:57, Konstantin Khorenko wrote:
> Need to send to mainstream as well?

There are significant changes. Maybe I'll analyse that a little bit later.

> On 12/27/2017 11:58 AM, Kirill Tkhai wrote:
>> This allows loading conntrack modules when inserting a rule
>> containing a "socket" match.
>>
>> It seems this may be useful for socket_match() function,
>> which uses nf_ct_get() to obtain additional information
>> about skb.
>>
>> Note that xt_socket already depends on VE_IP_CONNTRACK
>> in kernel/kmod.c, so we don't add a new dependency
>> in ve0_ipt_am.
>>
>> https://jira.sw.ru/browse/PSBM-69269
>>
>> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
>> ---
>>  net/netfilter/xt_socket.c |    4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
>> index 102946ad4a0d..f7bf0ebca1e7 100644
>> --- a/net/netfilter/xt_socket.c
>> +++ b/net/netfilter/xt_socket.c
>> @@ -485,7 +485,9 @@ static int __init socket_mt_init(void)
>>  #ifdef XT_SOCKET_HAVE_IPV6
>>      nf_defrag_ipv6_enable();
>>  #endif
>> -
>> +#ifdef XT_SOCKET_HAVE_CONNTRACK
>> +    need_ipv4_conntrack();
>> +#endif
>>      return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
>>  }
>>