[PATCH] [LIBNFNETLINK] fixes

[PATCH] [LIBNFNETLINK] fixes

[Pablo Neira Ayuso]

Hi Harald!

The patch attached fixes two issues in libnfnetlink:

- subsys_id was not set in nfnl_subsys_open
- set nfnlh->local.nl_pid in nfnl_open since nfnl_talk checks that:
h->nlmsg_pid != nfnlh->local.nl_pid

Now the libnetfilter_conntrack test says OK again ;)

cheers,
Pablo

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: [PATCH] [LIBNFNETLINK] fixes

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 975 bytes --]

On Sun, Jan 15, 2006 at 03:54:06AM +0100, Pablo Neira Ayuso wrote:
> Hi Harald!
> 
> The patch attached fixes two issues in libnfnetlink:
> 
> - subsys_id was not set in nfnl_subsys_open
> - set nfnlh->local.nl_pid in nfnl_open since nfnl_talk checks that:
> h->nlmsg_pid != nfnlh->local.nl_pid

unfortunately no patch attached...

> Now the libnetfilter_conntrack test says OK again ;)

great. sorry for the breakage, but I hope you can appreciate the beauty
of this new concept.  Being able to talk to all nfnetlink subsystems at
the same time through one socket...

Cheers,
	Harald
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] [LIBNFNETLINK] fixes

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 848 bytes --]

Harald Welte wrote:
>>The patch attached fixes two issues in libnfnetlink:
>>
>>- subsys_id was not set in nfnl_subsys_open
>>- set nfnlh->local.nl_pid in nfnl_open since nfnl_talk checks that:
>>h->nlmsg_pid != nfnlh->local.nl_pid
> 
> unfortunately no patch attached...

:( sorry about that, patch attached.

>>Now the libnetfilter_conntrack test says OK again ;)
> 
> great. sorry for the breakage, but I hope you can appreciate the beauty
> of this new concept.  Being able to talk to all nfnetlink subsystems at
> the same time through one socket...

Sure, it's a nice rework. And it's really promising that now we can have
helpers in userspace, as Rusty dreamed in early stages :).

BTW, are we going to distribute the further application helpers
(implemented in userspace) separately or living somewhere in
libnetfilter_cthelper?

-- 
Pablo

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 867 bytes --]

Index: src/libnfnetlink.c
===================================================================
--- src/libnfnetlink.c	(revision 6411)
+++ src/libnfnetlink.c	(working copy)
@@ -16,6 +16,10 @@
  *
  * 2006-01-14 Harald Welte <laforge@netfilter.org>:
  * 	introduce nfnl_subsys_handle
+ *
+ * 2006-01-15 Pablo Neira Ayuso <pablo@netfilter.org>:
+ * 	set missing subsys_id in nfnl_subsys_open
+ * 	set missing nfnlh->local.nl_pid in nfnl_open
  */
 
 #include <stdlib.h>
@@ -152,6 +156,10 @@
 		goto err_close;
 	}
 	nfnlh->seq = time(NULL);
+	/*
+	 * nfnl_talk checks: h->nlmsg_pid != nfnlh->local.nl_pid
+	 */
+	nfnlh->local.nl_pid = getpid();
 
 	return nfnlh;
 
@@ -196,6 +204,7 @@
 	ssh->nfnlh = nfnlh;
 	ssh->cb_count = cb_count;
 	ssh->subscriptions = subscriptions;
+	ssh->subsys_id = subsys_id;
 
 	if (recalc_rebind_subscriptions(nfnlh) < 0) {
 		free(ssh->cb);

Re: [PATCH] [LIBNFNETLINK] fixes

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 2003 bytes --]

On Sun, Jan 15, 2006 at 03:35:41PM +0100, Pablo Neira Ayuso wrote:
> Harald Welte wrote:
> >>The patch attached fixes two issues in libnfnetlink:
> >>
> >>- subsys_id was not set in nfnl_subsys_open
> >>- set nfnlh->local.nl_pid in nfnl_open since nfnl_talk checks that:
> >>h->nlmsg_pid != nfnlh->local.nl_pid
> > 
> > unfortunately no patch attached...
> 
> :( sorry about that, patch attached.

thanks, will review and apply.

> >>Now the libnetfilter_conntrack test says OK again ;)
> > 
> > great. sorry for the breakage, but I hope you can appreciate the beauty
> > of this new concept.  Being able to talk to all nfnetlink subsystems at
> > the same time through one socket...
> 
> Sure, it's a nice rework. And it's really promising that now we can have
> helpers in userspace, as Rusty dreamed in early stages :).
> 
> BTW, are we going to distribute the further application helpers
> (implemented in userspace) separately or living somewhere in
> libnetfilter_cthelper?

the helpers are applications (daemons) that link against
libnetfilter_cthelper.  They will not be themselves (apart from some
example code) be in the library package.

We _might_ want to provide some addidional helper infrastructure,
something more than libnetfilter_cthelper, but I don't have any precise
plans yet.  Something with a common handling for logging, config files,
etc. might be neat.  But anyway, that's optional and for later down the
road.

The kernel bits, libnetfilter_queue, libnetfilter_conntrack and
libnetfilter_cthelper is everything you technically need for writing an
userspace helper.
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]