From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 02/07]: nf_conntrack_ftp: fix newline sequence number calculation
Date: Fri, 25 May 2007 00:02:09 +0200 (MEST) [thread overview]
Message-ID: <20070524215836.14308.55840.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20070524215833.14308.60841.sendpatchset@localhost.localdomain>
[NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation
When the packet size is changed by the FTP NAT helper, the connection
tracking helper adjusts the sequence number of the newline character
by the size difference. This is wrong because NAT sequence number
adjustment happens after helpers are called, so the unadjusted number
is compared to the already adjusted one.
Based on report by YU, Haitao <yuhaitao@tsinghua.org.cn>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 5dcf6ca671036446403108df0dbc025887e81fb4
tree 8a9e36277001fc9f4f6c2bf1d409f1c8a7c6964d
parent 5e09b4a295e2aed7cb6fe60f86bafba4d8e77836
author Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 24 May 2007 23:49:57 +0200
include/linux/netfilter/nf_conntrack_ftp.h | 3 +--
net/ipv4/netfilter/nf_nat_ftp.c | 20 ++++++--------------
net/netfilter/nf_conntrack_ftp.c | 5 ++---
3 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 81453ea..b7c360f 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -37,8 +37,7 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
enum nf_ct_ftp_type type,
unsigned int matchoff,
unsigned int matchlen,
- struct nf_conntrack_expect *exp,
- u32 *seq);
+ struct nf_conntrack_expect *exp);
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_FTP_H */
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c
index 751b598..e6bc8e5 100644
--- a/net/ipv4/netfilter/nf_nat_ftp.c
+++ b/net/ipv4/netfilter/nf_nat_ftp.c
@@ -40,8 +40,7 @@ mangle_rfc959_packet(struct sk_buff **pskb,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conn *ct,
- enum ip_conntrack_info ctinfo,
- u32 *seq)
+ enum ip_conntrack_info ctinfo)
{
char buffer[sizeof("nnn,nnn,nnn,nnn,nnn,nnn")];
@@ -50,7 +49,6 @@ mangle_rfc959_packet(struct sk_buff **pskb,
DEBUGP("calling nf_nat_mangle_tcp_packet\n");
- *seq += strlen(buffer) - matchlen;
return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
matchlen, buffer, strlen(buffer));
}
@@ -63,8 +61,7 @@ mangle_eprt_packet(struct sk_buff **pskb,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conn *ct,
- enum ip_conntrack_info ctinfo,
- u32 *seq)
+ enum ip_conntrack_info ctinfo)
{
char buffer[sizeof("|1|255.255.255.255|65535|")];
@@ -72,7 +69,6 @@ mangle_eprt_packet(struct sk_buff **pskb,
DEBUGP("calling nf_nat_mangle_tcp_packet\n");
- *seq += strlen(buffer) - matchlen;
return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
matchlen, buffer, strlen(buffer));
}
@@ -85,8 +81,7 @@ mangle_epsv_packet(struct sk_buff **pskb,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conn *ct,
- enum ip_conntrack_info ctinfo,
- u32 *seq)
+ enum ip_conntrack_info ctinfo)
{
char buffer[sizeof("|||65535|")];
@@ -94,14 +89,13 @@ mangle_epsv_packet(struct sk_buff **pskb,
DEBUGP("calling nf_nat_mangle_tcp_packet\n");
- *seq += strlen(buffer) - matchlen;
return nf_nat_mangle_tcp_packet(pskb, ct, ctinfo, matchoff,
matchlen, buffer, strlen(buffer));
}
static int (*mangle[])(struct sk_buff **, __be32, u_int16_t,
unsigned int, unsigned int, struct nf_conn *,
- enum ip_conntrack_info, u32 *seq)
+ enum ip_conntrack_info)
= {
[NF_CT_FTP_PORT] = mangle_rfc959_packet,
[NF_CT_FTP_PASV] = mangle_rfc959_packet,
@@ -116,8 +110,7 @@ static unsigned int nf_nat_ftp(struct sk_buff **pskb,
enum nf_ct_ftp_type type,
unsigned int matchoff,
unsigned int matchlen,
- struct nf_conntrack_expect *exp,
- u32 *seq)
+ struct nf_conntrack_expect *exp)
{
__be32 newip;
u_int16_t port;
@@ -145,8 +138,7 @@ static unsigned int nf_nat_ftp(struct sk_buff **pskb,
if (port == 0)
return NF_DROP;
- if (!mangle[type](pskb, newip, port, matchoff, matchlen, ct, ctinfo,
- seq)) {
+ if (!mangle[type](pskb, newip, port, matchoff, matchlen, ct, ctinfo)) {
nf_conntrack_unexpect_related(exp);
return NF_DROP;
}
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 3357642..09add2f 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -48,8 +48,7 @@ unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
enum nf_ct_ftp_type type,
unsigned int matchoff,
unsigned int matchlen,
- struct nf_conntrack_expect *exp,
- u32 *seq);
+ struct nf_conntrack_expect *exp);
EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
#if 0
@@ -521,7 +520,7 @@ static int help(struct sk_buff **pskb,
nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
ret = nf_nat_ftp(pskb, ctinfo, search[dir][i].ftptype,
- matchoff, matchlen, exp, &seq);
+ matchoff, matchlen, exp);
else {
/* Can't expect this? Best to drop packet now. */
if (nf_conntrack_expect_related(exp) != 0)
next prev parent reply other threads:[~2007-05-24 22:02 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-24 22:02 [NETFILTER 00/07]: Netfilter fixes Patrick McHardy
2007-05-24 22:02 ` [NETFILTER 01/07]: nf_conntrack_ftp: fix newline sequence number update Patrick McHardy
2007-05-24 23:41 ` David Miller
2007-05-24 22:02 ` Patrick McHardy [this message]
2007-05-24 23:41 ` [NETFILTER 02/07]: nf_conntrack_ftp: fix newline sequence number calculation David Miller
2007-05-24 22:02 ` [NETFILTER 03/07]: nf_conntrack_h323: fix ASN.1 types Patrick McHardy
2007-05-24 23:42 ` David Miller
2007-05-24 22:02 ` [NETFILTER 04/07]: nf_conntrack_h323: fix get_h225_addr() for IPv6 address access Patrick McHardy
2007-05-24 23:43 ` David Miller
2007-05-24 22:02 ` [NETFILTER 05/07]: nf_conntrack_h323: remove unnecessary process of Information signal Patrick McHardy
2007-05-24 23:43 ` David Miller
2007-05-24 22:02 ` [NETFILTER 06/07]: nf_conntrack_h323: add missing T.120 address in OLCA Patrick McHardy
2007-05-24 23:44 ` David Miller
2007-05-24 22:02 ` [NETFILTER 07/07]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook Patrick McHardy
2007-05-24 23:44 ` David Miller
2007-05-24 23:45 ` [NETFILTER 00/07]: Netfilter fixes David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070524215836.14308.55840.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.