netfilter: nf_conntrack: add support for "conntrack zones"

[net-next-2.6.git] / net / ipv4 / netfilter / nf_defrag_ipv4.c

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index f6f46686cbc0a1bcd9a38e0e7f77750271e1825d..d498a704d456b1300ddec6a0d4a81c78dc8062eb 100644 (file)
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -16,6 +16,7 @@
 
 #include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 #include <net/netfilter/nf_conntrack.h>
 
@@ -39,15 +40,20 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
 static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
                                              struct sk_buff *skb)
 {
+       u16 zone = NF_CT_DEFAULT_ZONE;
+
+       if (skb->nfct)
+               zone = nf_ct_zone((struct nf_conn *)skb->nfct);
+
 #ifdef CONFIG_BRIDGE_NETFILTER
        if (skb->nf_bridge &&
            skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
-               return IP_DEFRAG_CONNTRACK_BRIDGE_IN;
+               return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
 #endif
        if (hooknum == NF_INET_PRE_ROUTING)
-               return IP_DEFRAG_CONNTRACK_IN;
+               return IP_DEFRAG_CONNTRACK_IN + zone;
        else
-               return IP_DEFRAG_CONNTRACK_OUT;
+               return IP_DEFRAG_CONNTRACK_OUT + zone;
 }
 
 static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,