author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-03 10:56:17 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-03 10:56:17 +0100 |
commit | 06fd3a392bb36ff162d10cb7d5794185b94edb2f (patch) | |
tree | 9b7b5a5b3f82e2b11f6cd903a724eb4829e0ce95 /net/bridge | |
parent | 1610a73c4175e7d63985316b52ac932b65a4dc90 (diff) | |
netfilter: deprecate NF_STOP

NF_STOP is only used by br_netfilter these days, and it can be emulated
with a combination of NF_STOLEN plus explicit call to the ->okfn()
function as Florian suggests.

To retain binary compatibility with userspace nf_queue application, we
have to keep NF_STOP around, so libnetfilter_queue userspace
applications still work if they use NF_STOP for some exotic reason.

Out of tree modules using NF_STOP would break, but we don't care about
those.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/bridge')
-rw-r--r-- | net/bridge/br_netfilter_hooks.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index d0d66faebe90..7e3645fa6339 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -845,8 +845,10 @@ static unsigned int ip_sabotage_in(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { - if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) - return NF_STOP; + if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) { + state->okfn(state->net, state->sk, skb); + return NF_STOLEN; + } return NF_ACCEPT; } |
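Review bot: The return value of `state->okfn(state->net, state->sk, skb);` in ip_sabotage_in() is discarded, and the hook then returns NF_STOLEN unconditionally, so any error okfn reports is not visible in the verdict this hook returns. If that is intentional, a short comment above the call would help: say that this pair emulates the old NF_STOP verdict and that ownership of the skb passes to okfn, so nothing after the call may touch skb. Without that comment the next reader has to dig up the commit message to learn why a hook invokes okfn directly instead of returning NF_ACCEPT.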