forked from Minki/linux
netfilter: prefer extension check to pointer check
The pointer check usually results in a 'false positive': its likely that the ctnetlink module is loaded but no event monitoring is enabled. After recent change to autodetect ctnetlink usage and only allocate the ecache extension if a listener is active, check if the extension is present on a given conntrack. If its not there, there is nothing to report and calls to the notification framework can be elided. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
90d1daa458
commit
8edc813111
@ -60,7 +60,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
|
||||
if (ct) {
|
||||
if (!nf_ct_is_confirmed(ct))
|
||||
ret = __nf_conntrack_confirm(skb);
|
||||
if (likely(ret == NF_ACCEPT))
|
||||
if (ret == NF_ACCEPT && nf_ct_ecache_exist(ct))
|
||||
nf_ct_deliver_cached_events(ct);
|
||||
}
|
||||
return ret;
|
||||
|
@ -36,6 +36,15 @@ nf_ct_ecache_find(const struct nf_conn *ct)
|
||||
#endif
|
||||
}
|
||||
|
||||
static inline bool nf_ct_ecache_exist(const struct nf_conn *ct)
|
||||
{
|
||||
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
||||
return nf_ct_ext_exist(ct, NF_CT_EXT_ECACHE);
|
||||
#else
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
||||
|
||||
/* This structure is passed to event handler */
|
||||
@ -108,30 +117,20 @@ nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
|
||||
u32 portid, int report)
|
||||
{
|
||||
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
||||
const struct net *net = nf_ct_net(ct);
|
||||
|
||||
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
|
||||
return 0;
|
||||
|
||||
return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
|
||||
#else
|
||||
return 0;
|
||||
if (nf_ct_ecache_exist(ct))
|
||||
return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int
|
||||
nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
|
||||
{
|
||||
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
||||
const struct net *net = nf_ct_net(ct);
|
||||
|
||||
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
|
||||
return 0;
|
||||
|
||||
return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
|
||||
#else
|
||||
return 0;
|
||||
if (nf_ct_ecache_exist(ct))
|
||||
return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
||||
|
Loading…
Reference in New Issue
Block a user