[Devel] [PATCH 13/14] net: Mark conntrack users in nftables

Alexander Mikhalitsyn alexander.mikhalitsyn at virtuozzo.com
Fri Apr 30 15:45:41 MSK 2021


From: Kirill Tkhai <ktkhai at virtuozzo.com>

Allow conntracks to be allocated in case these
rules are inserted.

https://jira.sw.ru/browse/PSBM-51050

Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Reviewed-by: Andrei Vagin <avagin at virtuozzo.com>
(cherry picked from commit 60931ce1ffcf08e4f7d0d528a3cf8ddf6e74b309)

VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 net/netfilter/nft_ct.c  | 2 ++
 net/netfilter/nft_nat.c | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index bbdb1e219edb..1e11f3585f76 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -507,6 +507,8 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
 	    priv->key == NFT_CT_AVGPKT)
 		nf_ct_set_acct(ctx->net, true);
 
+	allow_conntrack_allocation(ctx->net);
+
 	return 0;
 }
 
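Review bot: allow_conntrack_allocation() is added only to nft_ct_get_init() here, with no paired call in any destroy path, so once a single "ct" getter rule has been loaded in a netns, conntrack allocation stays enabled for the life of that netns even after the rule is deleted. If the one-way latch is intended, the commit message should say so; if the ct "set" side of this file also needs conntracks to exist, it would need the same call, which this hunk does not add. The hunk also adds no include, so the declaration of allow_conntrack_allocation() must already be reachable from the headers nft_ct.c pulls in (it is defined elsewhere in this series, not in this patch).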
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index a540d9cf56c1..84d1ba34af81 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -203,7 +203,11 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 			return -EOPNOTSUPP;
 	}
 
-	return nf_ct_netns_get(ctx->net, family);
+	err = nf_ct_netns_get(ctx->net, family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
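Review bot: the rewritten tail relies on an `err` variable that this hunk does not declare, so it only compiles if nft_nat_init() already has an `int err` in scope; worth confirming rather than assuming, since the previous code path returned nf_ct_netns_get() directly. Gating allow_conntrack_allocation() on `err == 0` is the right choice: when nf_ct_netns_get() fails the expression is not installed and allocation must not be enabled on its behalf. As with the nft_ct.c change, nothing here reverses the call when the nat expression is destroyed, so the same latch semantics apply and should be stated in the commit message.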
-- 
2.28.0
