netfilter: nfnetlink_queue: allow to attach expectations to conntracks

[~andy/linux] / net / netfilter / nfnetlink_queue_core.c

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 971ea145ab3ea33a2d42ad0cf66e7025c1457832..e8c9f3bb779cd6c108409911f348f73f5a1689f7 100644 (file)
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -859,6 +859,7 @@ static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = {
        [NFQA_MARK]             = { .type = NLA_U32 },
        [NFQA_PAYLOAD]          = { .type = NLA_UNSPEC },
        [NFQA_CT]               = { .type = NLA_UNSPEC },
+       [NFQA_EXP]              = { .type = NLA_UNSPEC },
 };
 
 static const struct nla_policy nfqa_verdict_batch_policy[NFQA_MAX+1] = {
@@ -987,9 +988,14 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
        if (entry == NULL)
                return -ENOENT;
 
-       rcu_read_lock();
-       if (nfqa[NFQA_CT] && (queue->flags & NFQA_CFG_F_CONNTRACK))
+       if (nfqa[NFQA_CT]) {
                ct = nfqnl_ct_parse(entry->skb, nfqa[NFQA_CT], &ctinfo);
+               if (ct && nfqa[NFQA_EXP]) {
+                       nfqnl_attach_expect(ct, nfqa[NFQA_EXP],
+                                           NETLINK_CB(skb).portid,
+                                           nlmsg_report(nlh));
+               }
+       }
 
        if (nfqa[NFQA_PAYLOAD]) {
                u16 payload_len = nla_len(nfqa[NFQA_PAYLOAD]);
@@ -1002,7 +1008,6 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
                if (ct)
                        nfqnl_ct_seq_adjust(skb, ct, ctinfo, diff);
        }
-       rcu_read_unlock();
 
        if (nfqa[NFQA_MARK])
                entry->skb->mark = ntohl(nla_get_be32(nfqa[NFQA_MARK]));