linux-stable.git/net/netfilter/nft_socket.c, branch v4.18

netfilter: nft_socket: fix module autoload

2018-06-12T17:12:45+00:00

Add alias definition for module autoload when adding socket rules.

Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Signed-off-by: Pablo Neira Ayuso

netfilter: Decrease code duplication regarding transparent socket option

2018-06-02T22:02:01+00:00

There is a function in include/net/netfilter/nf_socket.h to decide if a
socket has IP(V6)_TRANSPARENT socket option set or not. However this
does the same as inet_sk_transparent() in include/net/tcp.h

include/net/tcp.h:1733
/* This helper checks if socket has IP_TRANSPARENT set */
static inline bool inet_sk_transparent(const struct sock *sk)
{
	switch (sk->sk_state) {
	case TCP_TIME_WAIT:
		return inet_twsk(sk)->tw_transparent;
	case TCP_NEW_SYN_RECV:
		return inet_rsk(inet_reqsk(sk))->no_srccheck;
	}
	return inet_sk(sk)->transparent;
}

tproxy_sk_is_transparent has also been refactored to use this function
instead of reimplementing it.

Signed-off-by: Máté Eckl 
Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: add support for native socket matching

2018-06-01T07:46:15+00:00

Now it can only match the transparent flag of an ip/ipv6 socket.

Signed-off-by: Máté Eckl 
Signed-off-by: Pablo Neira Ayuso