Commit 8edc8131 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: prefer extension check to pointer check

The pointer check usually results in a 'false positive': its likely
that the ctnetlink module is loaded but no event monitoring is enabled.

After recent change to autodetect ctnetlink usage and only allocate
the ecache extension if a listener is active, check if the extension
is present on a given conntrack.

If its not there, there is nothing to report and calls to the
notification framework can be elided.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 90d1daa4
...@@ -60,7 +60,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb) ...@@ -60,7 +60,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
if (ct) { if (ct) {
if (!nf_ct_is_confirmed(ct)) if (!nf_ct_is_confirmed(ct))
ret = __nf_conntrack_confirm(skb); ret = __nf_conntrack_confirm(skb);
if (likely(ret == NF_ACCEPT)) if (ret == NF_ACCEPT && nf_ct_ecache_exist(ct))
nf_ct_deliver_cached_events(ct); nf_ct_deliver_cached_events(ct);
} }
return ret; return ret;
......
...@@ -36,6 +36,15 @@ nf_ct_ecache_find(const struct nf_conn *ct) ...@@ -36,6 +36,15 @@ nf_ct_ecache_find(const struct nf_conn *ct)
#endif #endif
} }
static inline bool nf_ct_ecache_exist(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
return nf_ct_ext_exist(ct, NF_CT_EXT_ECACHE);
#else
return false;
#endif
}
#ifdef CONFIG_NF_CONNTRACK_EVENTS #ifdef CONFIG_NF_CONNTRACK_EVENTS
/* This structure is passed to event handler */ /* This structure is passed to event handler */
...@@ -108,30 +117,20 @@ nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct, ...@@ -108,30 +117,20 @@ nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
u32 portid, int report) u32 portid, int report)
{ {
#ifdef CONFIG_NF_CONNTRACK_EVENTS #ifdef CONFIG_NF_CONNTRACK_EVENTS
const struct net *net = nf_ct_net(ct); if (nf_ct_ecache_exist(ct))
return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return 0;
return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
#else
return 0;
#endif #endif
return 0;
} }
static inline int static inline int
nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct) nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
{ {
#ifdef CONFIG_NF_CONNTRACK_EVENTS #ifdef CONFIG_NF_CONNTRACK_EVENTS
const struct net *net = nf_ct_net(ct); if (nf_ct_ecache_exist(ct))
return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return 0;
return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
#else
return 0;
#endif #endif
return 0;
} }
#ifdef CONFIG_NF_CONNTRACK_EVENTS #ifdef CONFIG_NF_CONNTRACK_EVENTS
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment