netfilter 02/11: ctnetlink: group errors into logical errno sets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: netfilter 02/11: ctnetlink: group errors into logical errno sets
Date: Fri,  6 Jun 2008 17:17:46 +0200 (MEST)	[thread overview]
Message-ID: <20080606151744.25286.101.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20080606151737.25286.54547.sendpatchset@localhost.localdomain>

netfilter: ctnetlink: group errors into logical errno sets

This patch groups ctnetlink errors into three logical sets:

* Malformed messages: if ctnetlink receives a message without some mandatory
attribute, then it returns EINVAL.
* Unsupported operations: if userspace tries to perform an unsupported
operation, then it returns EOPNOTSUPP.
* Unchangeable: if userspace tries to change some attribute of the
conntrack object that can only be set once, then it returns EBUSY.

This patch reduces the number of -EINVAL from 23 to 14 and it results in
5 -EBUSY and 6 -EOPNOTSUPP.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit aed5c546c63f757b44cd55d279b88a118a5cc485
tree 696cc590645bde00e74341241795575c7769b25d
parent b6e858ce9cfbf1779380ba9bb1b3e27b3b4db8b7
author Pablo Neira Ayuso <pablo@netfilter.org> Fri, 06 Jun 2008 17:08:16 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 06 Jun 2008 17:08:16 +0200

 net/netfilter/nf_conntrack_netlink.c |   21 ++++++++++-----------
 1 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 0edefcf..13918c1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -4,7 +4,7 @@
  * (C) 2001 by Jay Schulist <jschlst@samba.org>
  * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
  * (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
  *
  * Initial connection tracking via netlink development funded and
  * generally made possible by Network Robots, Inc. (www.networkrobots.com)
@@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
 
 	if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
 		/* unchangeable */
-		return -EINVAL;
+		return -EBUSY;
 
 	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
 		/* SEEN_REPLY bit can only be set */
-		return -EINVAL;
-
+		return -EBUSY;
 
 	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
 		/* ASSURED bit can only be set */
-		return -EINVAL;
+		return -EBUSY;
 
 	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
 #ifndef CONFIG_NF_NAT_NEEDED
-		return -EINVAL;
+		return -EOPNOTSUPP;
 #else
 		struct nf_nat_range range;
 
@@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
 
 	/* don't change helper of sibling connections */
 	if (ct->master)
-		return -EINVAL;
+		return -EBUSY;
 
 	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
 	if (err < 0)
@@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
 
 	helper = __nf_conntrack_helper_find_byname(helpname);
 	if (helper == NULL)
-		return -EINVAL;
+		return -EOPNOTSUPP;
 
 	if (help) {
 		if (help->helper == helper)
@@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
 		/* we only allow nat config for new conntracks */
 		if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
-			err = -EINVAL;
+			err = -EOPNOTSUPP;
 			goto out_unlock;
 		}
 		/* can't link an existing conntrack to a master */
 		if (cda[CTA_TUPLE_MASTER]) {
-			err = -EINVAL;
+			err = -EOPNOTSUPP;
 			goto out_unlock;
 		}
 		err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
@@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
 		h = __nf_conntrack_helper_find_byname(name);
 		if (!h) {
 			spin_unlock_bh(&nf_conntrack_lock);
-			return -EINVAL;
+			return -EOPNOTSUPP;
 		}
 		for (i = 0; i < nf_ct_expect_hsize; i++) {
 			hlist_for_each_entry_safe(exp, n, next,

next prev parent reply	other threads:[~2008-06-06 15:17 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-06-06 15:17 netfilter 00/11: netfilter -next update Patrick McHardy
2008-06-06 15:17 ` netfilter 01/11: ebtables: add IPv6 support Patrick McHardy
2008-06-06 15:17 ` Patrick McHardy [this message]
2008-06-06 15:17 ` netfilter 03/11: ctnetlink: add full support for SCTP to ctnetlink Patrick McHardy
2008-06-06 15:17 ` netfilter 04/11: ip_tables: add iptables security table for mandatory access control rules Patrick McHardy
2008-06-06 15:17 ` netfilter 05/11: ip6_tables: add ip6tables security table Patrick McHardy
2008-06-06 15:17 ` netfilter 06/11: nf_conntrack_extend: use krealloc() in nf_conntrack_extend.c V2 Patrick McHardy
2008-06-06 15:17 ` netfilter 07/11: nf_conntrack: add nf_ct_kill() Patrick McHardy
2008-06-06 15:17 ` netfilter 08/11: nf_conntrack: properly account terminating packets Patrick McHardy
2008-06-06 15:17 ` netfilter 09/11: ctnetlink: include conntrack status in destroy event message Patrick McHardy
2008-06-06 15:18 ` netfilter 10/11: nf_conntrack: remove unnecessary function declaration Patrick McHardy
2008-06-06 15:18 ` netfilter 11/11: {ip,ip6,nfnetlink}_queue: misc cleanups Patrick McHardy
2008-06-09 23:09 ` netfilter 00/11: netfilter -next update David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0edefcf dfblob:13918c1 )
 OR (
bs:"netfilter 02/11: ctnetlink: group errors into logical errno sets" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080606151744.25286.101.sendpatchset@localhost.localdomain \
    --to=kaber@trash.net \
    --cc=davem@davemloft.net \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.