netfilter: nf_conntrack: add direction support for zones

[deliverable/linux.git] / net / ipv4 / netfilter / nf_defrag_ipv4.c

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index c88b7d4347187260e789612c44f34059092dc41d..9306ec4fab41e9fa0c3c99fd6be78bcf8adfb397 100644 (file)
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -43,22 +43,22 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
 static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
                                              struct sk_buff *skb)
 {
-       u16 zone = NF_CT_DEFAULT_ZONE;
-
+       u16 zone_id = NF_CT_DEFAULT_ZONE_ID;
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
-       if (skb->nfct)
-               zone = nf_ct_zone((struct nf_conn *)skb->nfct);
-#endif
+       if (skb->nfct) {
+               enum ip_conntrack_info ctinfo;
+               const struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
-       if (skb->nf_bridge &&
-           skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
-               return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
+               zone_id = nf_ct_zone_id(nf_ct_zone(ct), CTINFO2DIR(ctinfo));
+       }
 #endif
+       if (nf_bridge_in_prerouting(skb))
+               return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone_id;
+
        if (hooknum == NF_INET_PRE_ROUTING)
-               return IP_DEFRAG_CONNTRACK_IN + zone;
+               return IP_DEFRAG_CONNTRACK_IN + zone_id;
        else
-               return IP_DEFRAG_CONNTRACK_OUT + zone;
+               return IP_DEFRAG_CONNTRACK_OUT + zone_id;
 }
 
 static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,