From: Patrick McHardy <kaber@trash.net>
To: netfilter-devel@vger.kernel.org
Cc: Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 05/09]: nfnetlink: support attribute policies
Date: Thu, 27 Sep 2007 15:46:07 +0200 (MEST) [thread overview]
Message-ID: <20070927134606.10198.70574.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20070927134559.10198.64673.sendpatchset@localhost.localdomain>
[NETFILTER]: nfnetlink: support attribute policies
Add support for automatic checking of per-callback attribute policies.
Also fix attribute parsing for empty messages, the attribute array
wasn't cleared and contained random crap before.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 5ee4018ae6360a2d6aad8068e7a91c82851dc8ec
tree a99a19c0a6db32a0622443924869b95e21d45ff3
parent e8e16c2608c3a4ac863db49f3c30cae87c582c45
author Patrick McHardy <kaber@trash.net> Thu, 27 Sep 2007 14:22:11 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 27 Sep 2007 14:22:11 +0200
include/linux/netfilter/nfnetlink.h | 3 +-
net/netfilter/nfnetlink.c | 47 +++++++++--------------------------
2 files changed, 14 insertions(+), 36 deletions(-)
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 0bd6086..3ee136a 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -58,7 +58,8 @@ struct nfnl_callback
{
int (*call)(struct sock *nl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[]);
- u_int16_t attr_count; /* number of nlattr's */
+ const struct nla_policy *policy; /* netlink attribute policy */
+ const u_int16_t attr_count; /* number of nlattr's */
};
struct nfnetlink_subsystem
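Review bot: The comment on the new `policy` field says neither whether NULL is permitted nor how many entries the array must have, and both are exactly what a subsystem filling in `struct nfnl_callback` needs to know. The field is passed straight to nla_parse() with attr_count as the maximum type, so the policy is indexed by attribute type and has to cover types 0..attr_count, i.e. attr_count+1 entries; a NULL policy presumably skips validation altogether. Suggest `const struct nla_policy *policy; /* netlink attribute policy, NULL = no validation; attr_count+1 entries */`.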
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e212102..bda0f10 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -111,35 +111,6 @@ nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss)
return &ss->cb[cb_id];
}
-/**
- * nfnetlink_check_attributes - check and parse nfnetlink attributes
- *
- * subsys: nfnl subsystem for which this message is to be parsed
- * nlmsghdr: netlink message to be checked/parsed
- * cda: array of pointers, needs to be at least subsys->attr_count+1 big
- *
- */
-static int
-nfnetlink_check_attributes(const struct nfnetlink_subsystem *subsys,
- struct nlmsghdr *nlh, struct nlattr *cda[])
-{
- int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
- u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type);
- u_int16_t attr_count = subsys->cb[cb_id].attr_count;
-
- /* check attribute lengths. */
- if (likely(nlh->nlmsg_len > min_len)) {
- struct nlattr *attr = (void *)nlh + NLMSG_ALIGN(min_len);
- int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
- nla_parse(cda, attr_count, attr, attrlen, NULL);
- }
-
- /* implicit: if nlmsg_len == min_len, we return 0, and an empty
- * (zeroed) cda[] array. The message is valid, but empty. */
-
- return 0;
-}
-
int nfnetlink_has_listeners(unsigned int group)
{
return netlink_has_listeners(nfnl, group);
@@ -163,7 +134,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
const struct nfnl_callback *nc;
const struct nfnetlink_subsystem *ss;
- int type, err;
+ int type;
if (security_netlink_recv(skb, CAP_NET_ADMIN))
return -EPERM;
@@ -192,15 +163,21 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL;
{
- u_int16_t attr_count =
- ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;
+ int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
+ u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type);
+ u_int16_t attr_count = ss->cb[cb_id].attr_count;
struct nlattr *cda[attr_count+1];
memset(cda, 0, sizeof(struct nlattr *) * attr_count);
- err = nfnetlink_check_attributes(ss, nlh, cda);
- if (err < 0)
- return err;
+ if (likely(nlh->nlmsg_len >= min_len)) {
+ struct nlattr *attr = (void *)nlh + NLMSG_ALIGN(min_len);
+ int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
+ nla_parse(cda, attr_count, attr, attrlen,
+ ss->cb[cb_id].policy);
+ } else
+ return -EINVAL;
+
return nc->call(nfnl, skb, nlh, cda);
}
}
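Review bot: The return value of nla_parse() on the added lines is discarded, so a policy violation — the very check this patch adds — does not reject the message; as far as I recall nla_parse() stops at the first attribute that fails validation and returns an error, so nc->call would run on a partially filled cda[] with the offending attribute silently missing. This also means the `err` local dropped in the earlier hunk of this file (`int type, err;` → `int type;`) is still needed. Change the call to `err = nla_parse(cda, attr_count, attr, attrlen, ss->cb[cb_id].policy);` followed by `if (err < 0)` / `return err;`, which is the same check the deleted nfnetlink_check_attributes() call had. As a smaller point, `nc` is already `&ss->cb[cb_id]` (see nfnetlink_find_client above), so `nc->attr_count` and `nc->policy` would avoid recomputing cb_id and re-indexing the table, and the memset on the context line clears only attr_count of the attr_count+1 slots, which is harmless only if nla_parse() zeroes the whole table itself — worth confirming.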