netfilter: prefer extension check to pointer check

The pointer check usually results in a 'false positive': its likely
that the ctnetlink module is loaded but no event monitoring is enabled.

After recent change to autodetect ctnetlink usage and only allocate
the ecache extension if a listener is active, check if the extension
is present on a given conntrack.

If its not there, there is nothing to report and calls to the
notification framework can be elided.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 13807ea..6406cfe 100644 (file)
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -60,7 +60,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
        if (ct) {
                if (!nf_ct_is_confirmed(ct))
                        ret = __nf_conntrack_confirm(skb);
-               if (likely(ret == NF_ACCEPT))
+               if (ret == NF_ACCEPT && nf_ct_ecache_exist(ct))
                        nf_ct_deliver_cached_events(ct);
        }
        return ret;

diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 2e3d584..0c1dac3 100644 (file)
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -36,6 +36,15 @@ nf_ct_ecache_find(const struct nf_conn *ct)
 #endif
 }
 
+static inline bool nf_ct_ecache_exist(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+       return nf_ct_ext_exist(ct, NF_CT_EXT_ECACHE);
+#else
+       return false;
+#endif
+}
+
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 
 /* This structure is passed to event handler */
@@ -108,30 +117,20 @@ nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
                          u32 portid, int report)
 {
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
-       const struct net *net = nf_ct_net(ct);
-
-       if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
-               return 0;
-
-       return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
-#else
-       return 0;
+       if (nf_ct_ecache_exist(ct))
+               return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
 #endif
+       return 0;
 }
 
 static inline int
 nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
 {
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
-       const struct net *net = nf_ct_net(ct);
-
-       if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
-               return 0;
-
-       return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
-#else
-       return 0;
+       if (nf_ct_ecache_exist(ct))
+               return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
 #endif
+       return 0;
 }
 
 #ifdef CONFIG_NF_CONNTRACK_EVENTS