Re: [PATCH v7] netfilter: nf_conntrack_sip: fix expectation clash

[Pablo Neira Ayuso]

This patch looks nice now.

One more change and we go:

On Tue, Jun 18, 2019 at 04:32:50PM +0800, xiao ruizhu wrote:
> diff --git a/net/netfilter/nf_conntrack_expect.c 
> b/net/netfilter/nf_conntrack_expect.c
> index 59c1880..7df6228 100644
> --- a/net/netfilter/nf_conntrack_expect.c
> +++ b/net/netfilter/nf_conntrack_expect.c
> @@ -252,13 +252,22 @@ static inline int expect_clash(const struct 
> nf_conntrack_expect *a,
>  static inline int expect_matches(const struct nf_conntrack_expect *a,
>                                const struct nf_conntrack_expect *b)
>  {
> -     return a->master == b->master &&
> -            nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
> +     return nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
>              nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
>              net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
>              nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
>  }
>  
> +static bool master_matches(const struct nf_conntrack_expect *a,
> +                        const struct nf_conntrack_expect *b,
> +                        unsigned int flags)
> +{
> +     if (flags & NF_CT_EXP_F_CHECK_MASTER)

rename this to NF_CT_EXP_F_SKIP_MASTER.

Since semantics here is to skip the master check, rather than checking
for it.

> +             return true;
> +
> +     return a->master == b->master;
> +}

Thanks.