From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 02/03]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks
Date: Mon, 6 Aug 2007 15:29:05 +0200 (MEST) [thread overview]
Message-ID: <20070806132847.17202.3321.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20070806132844.17202.50621.sendpatchset@localhost.localdomain>
[NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks
ctnetlink must return EEXIST for existing nat'ed conntracks instead of
EINVAL. Only return EINVAL if we try to update a conntrack with NAT
handlings (that is not allowed).
Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat
TEST: create conntrack (0)(Success)
Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat
TEST: create conntrack (-1)(Invalid argument)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 58ff363db6a293220756361af531b11acc5a46e1
tree e94a40ef6d9897c0ac86fe0eedbb9c9d59e3d2b0
parent ab3b4927a235c95684cb571b90a04cf6ea1ef7f9
author Pablo Neira Ayuso <pablo@netfilter.org> Mon, 06 Aug 2007 15:26:39 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 06 Aug 2007 15:26:39 +0200
net/netfilter/nf_conntrack_netlink.c | 17 +++++++++--------
1 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6f89b10..2863e72 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1052,17 +1052,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
}
/* implicit 'else' */
- /* we only allow nat config for new conntracks */
- if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
- err = -EINVAL;
- goto out_unlock;
- }
-
/* We manipulate the conntrack inside the global conntrack table lock,
* so there's no need to increase the refcount */
err = -EEXIST;
- if (!(nlh->nlmsg_flags & NLM_F_EXCL))
- err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
+ if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
+ /* we only allow nat config for new conntracks */
+ if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
+ err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
+ cda);
+ }
out_unlock:
write_unlock_bh(&nf_conntrack_lock);
next prev parent reply other threads:[~2007-08-06 13:29 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-06 13:29 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
2007-08-06 13:29 ` [NETFILTER 01/03]: ipt_recent: avoid a possible NULL pointer deref in recent_seq_open() Patrick McHardy
2007-08-06 13:29 ` Patrick McHardy [this message]
2007-08-06 13:29 ` [NETFILTER 03/03]: nf_nat: add symbolic dependency on IPv4 conntrack Patrick McHardy
2007-08-08 1:12 ` [NETFILTER 00/03]: Netfilter fixes David Miller
2007-08-08 13:58 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070806132847.17202.3321.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.