leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a357b3f80b
linux/net/ipv4/netfilter
History
Florian Westphal a357b3f80b netfilter: nat: add dependencies on conntrack module 
MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the
conntrack module.

However, since the conntrack hooks are now registered in a lazy fashion
(i.e., only when needed) a symbol reference is not enough.

Thus, when something is added to a nat table, make sure that it will see
packets by calling nf_ct_netns_get() which will register the conntrack
hooks in the current netns.

An alternative would be to add these dependencies to the NAT table.

However, that has problems when using non-modular builds -- we might
register e.g. ipv6 conntrack before its initcall has run, leading to NULL
deref crashes since its per-netns storage has not yet been allocated.

Adding the dependency in the modules instead has the advantage that nat
table also does not register its hooks until rules are added.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-12-04 21:16:51 +01:00
..
arp_tables.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
arpt_mangle.c
arptable_filter.c netfilter: arp_tables: register table in initns 2016-04-07 11:58:49 +02:00
ip_tables.c netfilter: x_tables: simplify IS_ERR_OR_NULL to NULL test 2016-11-13 22:26:13 +01:00
ipt_ah.c netfilter: ipv4: whitespace around operators 2015-10-16 19:19:23 +02:00
ipt_CLUSTERIP.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
ipt_ECN.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
ipt_MASQUERADE.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
ipt_REJECT.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
ipt_rpfilter.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
ipt_SYNPROXY.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
iptable_filter.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_mangle.c netfilter: x_tables: simplify ip{6}table_mangle_hook() 2016-07-01 16:37:02 +02:00
iptable_nat.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_raw.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_security.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
Kconfig netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
Makefile netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_conntrack_l3proto_ipv4.c netfilter: conntrack: remove unused init_net hook 2016-12-04 21:16:41 +01:00
nf_conntrack_proto_icmp.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nf_defrag_ipv4.c netfilter: nf_defrag_ipv4: Drop redundant ip_send_check() 2016-03-02 20:05:22 +01:00
nf_dup_ipv4.c netfilter: nf_dup4: remove redundant checksum recalculation 2016-08-12 00:42:47 +02:00
nf_log_arp.c netfilter: nft_log: complete NFTA_LOG_FLAGS attr support 2016-09-25 23:16:43 +02:00
nf_log_ipv4.c netfilter: nf_log: get rid of XT_LOG_* macros 2016-09-25 23:16:45 +02:00
nf_nat_h323.c netfilter: nf_nat_h323: fix crash in nf_ct_unlink_expect_report() 2014-02-05 17:46:05 +01:00
nf_nat_l3proto_ipv4.c netfilter: Allow calling into nat helper without skb_dst. 2016-03-14 23:47:27 +01:00
nf_nat_masquerade_ipv4.c ipv4: Don't do expensive useless work during inetdev destroy. 2016-03-13 23:28:35 -04:00
nf_nat_pptp.c netfilter: Fix removal of GRE expectation entries created by PPTP 2015-11-09 13:32:14 +01:00
nf_nat_proto_gre.c netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter 2016-09-07 10:36:52 +02:00
nf_nat_proto_icmp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_snmp_basic.c net ipv4: use preferred log methods 2015-11-18 13:37:20 -05:00
nf_reject_ipv4.c netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP 2016-06-24 11:03:22 +02:00
nf_socket_ipv4.c netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_tables_arp.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_ipv4.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nft_chain_nat_ipv4.c netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nft_chain_route_ipv4.c netfilter: nft_chain_route: re-route before skb is queued to userspace 2016-09-06 18:02:37 +02:00
nft_dup_ipv4.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-15 10:54:36 -05:00
nft_fib_ipv4.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_masq_ipv4.c netfilter: update Arturo Borrero Gonzalez email address 2016-12-04 20:45:25 +01:00
nft_redir_ipv4.c netfilter: update Arturo Borrero Gonzalez email address 2016-12-04 20:45:25 +01:00
nft_reject_ipv4.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00