* Re: [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping
2006-02-27 2:10 [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping Pablo Neira Ayuso
@ 2006-02-27 17:32 ` Yasuyuki KOZAKAI
[not found] ` <200602271732.k1RHWOFO025405@toshiba.co.jp>
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Yasuyuki KOZAKAI @ 2006-02-27 17:32 UTC (permalink / raw)
To: pablo; +Cc: laforge, netfilter-devel, kaber, yasuyuki.kozakai
[-- Attachment #1: Type: Text/Plain, Size: 1419 bytes --]
Hi, Pablo,
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 27 Feb 2006 03:10:18 +0100
> This patch introduces the function ctnetlink_exp_dump_mask, that
> correctly dumps the expectation mask. Such function uses the l3num value
> from the expectation tuple that is a valid layer 3 protocol number.
>
> The value of the l3num mask isn't dumped since it is meaningless from
> the userspace side.
At first, this patch seems to be for net-2.6.17. This fix isn't really
necessary to 2.6.16 ?
> static inline int
> +ctnetlink_exp_dump_mask(struct sk_buff *skb,
> + const struct nf_conntrack_tuple *tuple,
> + const struct nf_conntrack_tuple *mask)
> +{
> + int ret;
> + struct nf_conntrack_l3proto *l3proto;
> + struct nf_conntrack_protocol *proto;
> +
> + l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
> + ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
> + nf_ct_l3proto_put(l3proto);
> +
> + if (unlikely(ret < 0))
> + return ret;
> +
> + proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
> + ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
> + nf_ct_proto_put(proto);
> +
> + return ret;
> +}
I've noticed missing nesting with CTA_EXP_MASK in this function. Please
apply the attached patch on top of your patch. I tested it with ftp helper,
ftp server, and telnet with IPv6. And I saw that kernel filled expectation
mask in CTA_EXP_MASK area.
-- Yasuyuki Kozakai
[-- Attachment #2: nfctnl-exp-mask.patch --]
[-- Type: Text/Plain, Size: 950 bytes --]
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index e7a75fb..abf5695 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1169,19 +1169,27 @@ ctnetlink_exp_dump_mask(struct sk_buff *
int ret;
struct nf_conntrack_l3proto *l3proto;
struct nf_conntrack_protocol *proto;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
nf_ct_l3proto_put(l3proto);
if (unlikely(ret < 0))
- return ret;
+ goto nfattr_failure;
proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
nf_ct_proto_put(proto);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
- return ret;
+ NFA_NEST_END(skb, nest_parms);
+
+ return 0;
+
+nfattr_failure:
+ return -1;
}
static inline int
^ permalink raw reply related [flat|nested] 8+ messages in thread[parent not found: <200602271732.k1RHWOFO025405@toshiba.co.jp>]
* Re: [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping
[not found] ` <200602271732.k1RHWOFO025405@toshiba.co.jp>
@ 2006-02-27 18:50 ` Pablo Neira Ayuso
0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2006-02-27 18:50 UTC (permalink / raw)
To: Yasuyuki KOZAKAI; +Cc: laforge, netfilter-devel, kaber
Hi Yasuyuki,
Yasuyuki KOZAKAI wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Mon, 27 Feb 2006 03:10:18 +0100
>
>>This patch introduces the function ctnetlink_exp_dump_mask, that
>>correctly dumps the expectation mask. Such function uses the l3num value
>>from the expectation tuple that is a valid layer 3 protocol number.
>>
>>The value of the l3num mask isn't dumped since it is meaningless from
>>the userspace side.
>
> At first, this patch seems to be for net-2.6.17. This fix isn't really
> necessary to 2.6.16 ?
Yes, it's necessary.
> I've noticed missing nesting with CTA_EXP_MASK in this function. Please
> apply the attached patch on top of your patch. I tested it with ftp helper,
> ftp server, and telnet with IPv6. And I saw that kernel filled expectation
> mask in CTA_EXP_MASK area.
Thanks a lot Yasuyuki. Annoying that I forgot about this. I'm going to
resend a patch in some hours.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 6/5] [CTNETLINK] Fix expectation mask dumping
2006-02-27 2:10 [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping Pablo Neira Ayuso
2006-02-27 17:32 ` Yasuyuki KOZAKAI
[not found] ` <200602271732.k1RHWOFO025405@toshiba.co.jp>
@ 2006-03-01 15:23 ` Pablo Neira Ayuso
2006-03-02 17:13 ` Yasuyuki KOZAKAI
2006-03-02 19:16 ` [PATCH 7/5] " Pablo Neira Ayuso
2006-03-04 9:26 ` [PATCH 1/5] " Patrick McHardy
4 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2006-03-01 15:23 UTC (permalink / raw)
To: Netfilter Development Mailinglist
Cc: Harald Welte, Patrick McHardy, Yasuyuki Kozakai
[-- Attachment #1: Type: text/plain, Size: 467 bytes --]
This applies to 2.6.16
This patch introduces the function ctnetlink_exp_dump_mask, that
correctly dumps the expectation mask. Such function uses the l3num value
from the expectation tuple that is a valid layer 3 protocol number.
The value of the l3num mask isn't dumped since it is meaningless from
the userspace side.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
[-- Attachment #2: y --]
[-- Type: text/plain, Size: 9360 bytes --]
[CTNETLINK] Fix expectaction mask dumping
The expectation mask has some particularities that requires a different
handling. The protocol number fields can be set to non-valid protocols,
ie. l3num is set to 0xFFFF. Since that protocol does not exist, the mask
tuple will not be dumped. Moreover, this results in a kernel panic when
nf_conntrack accesses the array of protocol handlers, that is PF_MAX (0x1F)
long.
This patch introduces the function ctnetlink_exp_dump_mask, that correctly
dumps the expectation mask. Such function uses the l3num value from the
expectation tuple that is a valid layer 3 protocol number. The value of the
l3num mask isn't dumped since it is meaningless from the userspace side.
Thanks to Yasuyuki Kozakai and Patrick McHardy for the feedback.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Index: net-2.6.16.git/net/netfilter/nf_conntrack_netlink.c
===================================================================
--- net-2.6.16.git.orig/net/netfilter/nf_conntrack_netlink.c 2006-02-28 16:52:20.000000000 +0100
+++ net-2.6.16.git/net/netfilter/nf_conntrack_netlink.c 2006-02-28 16:52:22.000000000 +0100
@@ -4,7 +4,7 @@
* (C) 2001 by Jay Schulist <jschlst@samba.org>
* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
*
* I've reworked this stuff to use attributes instead of conntrack
* structures. 5.44 am. I need more tea. --pablo 05/07/11.
@@ -55,20 +55,18 @@ static char __initdata version[] = "0.92
static inline int
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
- const struct nf_conntrack_tuple *tuple)
+ const struct nf_conntrack_tuple *tuple,
+ struct nf_conntrack_protocol *proto)
{
- struct nf_conntrack_protocol *proto;
int ret = 0;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
- /* If no protocol helper is found, this function will return the
- * generic protocol helper, so proto won't *ever* be NULL */
- proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
if (likely(proto->tuple_to_nfattr))
ret = proto->tuple_to_nfattr(skb, tuple);
- nf_ct_proto_put(proto);
+ NFA_NEST_END(skb, nest_parms);
return ret;
@@ -77,33 +75,44 @@ nfattr_failure:
}
static inline int
-ctnetlink_dump_tuples(struct sk_buff *skb,
- const struct nf_conntrack_tuple *tuple)
+ctnetlink_dump_tuples_ip(struct sk_buff *skb,
+ const struct nf_conntrack_tuple *tuple,
+ struct nf_conntrack_l3proto *l3proto)
{
- struct nfattr *nest_parms;
- struct nf_conntrack_l3proto *l3proto;
int ret = 0;
-
- l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
-
- nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
+
if (likely(l3proto->tuple_to_nfattr))
ret = l3proto->tuple_to_nfattr(skb, tuple);
+
NFA_NEST_END(skb, nest_parms);
+ return ret;
+
+nfattr_failure:
+ return -1;
+}
+
+static inline int
+ctnetlink_dump_tuples(struct sk_buff *skb,
+ const struct nf_conntrack_tuple *tuple)
+{
+ int ret;
+ struct nf_conntrack_l3proto *l3proto;
+ struct nf_conntrack_protocol *proto;
+
+ l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
+ ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
nf_ct_l3proto_put(l3proto);
if (unlikely(ret < 0))
return ret;
- nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
- ret = ctnetlink_dump_tuples_proto(skb, tuple);
- NFA_NEST_END(skb, nest_parms);
+ proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
+ nf_ct_proto_put(proto);
return ret;
-
-nfattr_failure:
- return -1;
}
static inline int
@@ -1150,6 +1159,37 @@ nfattr_failure:
}
static inline int
+ctnetlink_exp_dump_mask(struct sk_buff *skb,
+ const struct nf_conntrack_tuple *tuple,
+ const struct nf_conntrack_tuple *mask)
+{
+ int ret;
+ struct nf_conntrack_l3proto *l3proto;
+ struct nf_conntrack_protocol *proto;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
+
+ l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
+ ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
+ nf_ct_l3proto_put(l3proto);
+
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
+ nf_ct_proto_put(proto);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ NFA_NEST_END(skb, nest_parms);
+
+ return 0;
+
+nfattr_failure:
+ return -1;
+}
+
+static inline int
ctnetlink_exp_dump_expect(struct sk_buff *skb,
const struct nf_conntrack_expect *exp)
{
@@ -1159,7 +1199,7 @@ ctnetlink_exp_dump_expect(struct sk_buff
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
goto nfattr_failure;
- if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
+ if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
goto nfattr_failure;
if (ctnetlink_exp_dump_tuple(skb,
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
Index: net-2.6.16.git/net/ipv4/netfilter/ip_conntrack_netlink.c
===================================================================
--- net-2.6.16.git.orig/net/ipv4/netfilter/ip_conntrack_netlink.c 2006-02-28 16:52:20.000000000 +0100
+++ net-2.6.16.git/net/ipv4/netfilter/ip_conntrack_netlink.c 2006-02-28 16:52:22.000000000 +0100
@@ -4,7 +4,7 @@
* (C) 2001 by Jay Schulist <jschlst@samba.org>
* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
*
* I've reworked this stuff to use attributes instead of conntrack
* structures. 5.44 am. I need more tea. --pablo 05/07/11.
@@ -53,20 +53,18 @@ static char __initdata version[] = "0.90
static inline int
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
- const struct ip_conntrack_tuple *tuple)
+ const struct ip_conntrack_tuple *tuple,
+ struct ip_conntrack_protocol *proto)
{
- struct ip_conntrack_protocol *proto;
int ret = 0;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
- /* If no protocol helper is found, this function will return the
- * generic protocol helper, so proto won't *ever* be NULL */
- proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
if (likely(proto->tuple_to_nfattr))
ret = proto->tuple_to_nfattr(skb, tuple);
- ip_conntrack_proto_put(proto);
+ NFA_NEST_END(skb, nest_parms);
return ret;
@@ -75,28 +73,41 @@ nfattr_failure:
}
static inline int
-ctnetlink_dump_tuples(struct sk_buff *skb,
- const struct ip_conntrack_tuple *tuple)
+ctnetlink_dump_tuples_ip(struct sk_buff *skb,
+ const struct ip_conntrack_tuple *tuple)
{
- struct nfattr *nest_parms;
- int ret;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
- nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip);
NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip);
- NFA_NEST_END(skb, nest_parms);
- nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
- ret = ctnetlink_dump_tuples_proto(skb, tuple);
NFA_NEST_END(skb, nest_parms);
- return ret;
+ return 0;
nfattr_failure:
return -1;
}
static inline int
+ctnetlink_dump_tuples(struct sk_buff *skb,
+ const struct ip_conntrack_tuple *tuple)
+{
+ int ret;
+ struct ip_conntrack_protocol *proto;
+
+ ret = ctnetlink_dump_tuples_ip(skb, tuple);
+ if (unlikely(ret < 0))
+ return ret;
+
+ proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
+ ip_conntrack_proto_put(proto);
+
+ return ret;
+}
+
+static inline int
ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
{
u_int32_t status = htonl((u_int32_t) ct->status);
@@ -1134,6 +1145,32 @@ nfattr_failure:
}
static inline int
+ctnetlink_exp_dump_mask(struct sk_buff *skb,
+ const struct ip_conntrack_tuple *tuple,
+ const struct ip_conntrack_tuple *mask)
+{
+ int ret;
+ struct ip_conntrack_protocol *proto;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
+
+ ret = ctnetlink_dump_tuples_ip(skb, mask);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ NFA_NEST_END(skb, nest_parms);
+
+ return 0;
+
+nfattr_failure:
+ return -1;
+}
+
+static inline int
ctnetlink_exp_dump_expect(struct sk_buff *skb,
const struct ip_conntrack_expect *exp)
{
@@ -1143,7 +1180,7 @@ ctnetlink_exp_dump_expect(struct sk_buff
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
goto nfattr_failure;
- if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
+ if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
goto nfattr_failure;
if (ctnetlink_exp_dump_tuple(skb,
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH 6/5] [CTNETLINK] Fix expectation mask dumping
2006-03-01 15:23 ` [PATCH 6/5] " Pablo Neira Ayuso
@ 2006-03-02 17:13 ` Yasuyuki KOZAKAI
0 siblings, 0 replies; 8+ messages in thread
From: Yasuyuki KOZAKAI @ 2006-03-02 17:13 UTC (permalink / raw)
To: pablo; +Cc: laforge, netfilter-devel, kaber, yasuyuki.kozakai
Hi, Pablo,
Sorry, I forgot to check the part of ip_conntrack_netlink.c in previous
patch.
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 01 Mar 2006 16:23:17 +0100
> Index: net-2.6.16.git/net/ipv4/netfilter/ip_conntrack_netlink.c
> ===================================================================
(snip)
> static inline int
> +ctnetlink_exp_dump_mask(struct sk_buff *skb,
> + const struct ip_conntrack_tuple *tuple,
> + const struct ip_conntrack_tuple *mask)
> +{
> + int ret;
> + struct ip_conntrack_protocol *proto;
> + struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
> +
> + ret = ctnetlink_dump_tuples_ip(skb, mask);
> + if (unlikely(ret < 0))
> + goto nfattr_failure;
> +
> + proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
> + ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
> + if (unlikely(ret < 0))
> + goto nfattr_failure;
> +
> + NFA_NEST_END(skb, nest_parms);
> +
> + return 0;
> +
> +nfattr_failure:
> + return -1;
> +}
ip_conntrack_proto_put() is missing here. Hope I don't miss catching
any more...
-- Yasuyuki Kozakai
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 7/5] [CTNETLINK] Fix expectation mask dumping
2006-02-27 2:10 [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping Pablo Neira Ayuso
` (2 preceding siblings ...)
2006-03-01 15:23 ` [PATCH 6/5] " Pablo Neira Ayuso
@ 2006-03-02 19:16 ` Pablo Neira Ayuso
2006-03-02 19:23 ` Pablo Neira Ayuso
2006-03-04 9:26 ` [PATCH 1/5] " Patrick McHardy
4 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2006-03-02 19:16 UTC (permalink / raw)
To: Netfilter Development Mailinglist
Cc: Harald Welte, Patrick McHardy, Yasuyuki Kozakai
[-- Attachment #1: Type: text/plain, Size: 475 bytes --]
This patch applies to 2.6.16.
This patch introduces the function ctnetlink_exp_dump_mask, that
correctly dumps the expectation mask. Such function uses the l3num value
from the expectation tuple that is a valid layer 3 protocol number.
The value of the l3num mask isn't dumped since it is meaningless from
the userspace side.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
[-- Attachment #2: y --]
[-- Type: text/plain, Size: 9392 bytes --]
[CTNETLINK] Fix expectaction mask dumping
The expectation mask has some particularities that requires a different
handling. The protocol number fields can be set to non-valid protocols,
ie. l3num is set to 0xFFFF. Since that protocol does not exist, the mask
tuple will not be dumped. Moreover, this results in a kernel panic when
nf_conntrack accesses the array of protocol handlers, that is PF_MAX (0x1F)
long.
This patch introduces the function ctnetlink_exp_dump_mask, that correctly
dumps the expectation mask. Such function uses the l3num value from the
expectation tuple that is a valid layer 3 protocol number. The value of the
l3num mask isn't dumped since it is meaningless from the userspace side.
Thanks to Yasuyuki Kozakai and Patrick McHardy for the feedback.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Index: net-2.6.16.git/net/netfilter/nf_conntrack_netlink.c
===================================================================
--- net-2.6.16.git.orig/net/netfilter/nf_conntrack_netlink.c 2006-02-28 16:52:20.000000000 +0100
+++ net-2.6.16.git/net/netfilter/nf_conntrack_netlink.c 2006-02-28 16:52:22.000000000 +0100
@@ -4,7 +4,7 @@
* (C) 2001 by Jay Schulist <jschlst@samba.org>
* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
*
* I've reworked this stuff to use attributes instead of conntrack
* structures. 5.44 am. I need more tea. --pablo 05/07/11.
@@ -55,20 +55,18 @@ static char __initdata version[] = "0.92
static inline int
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
- const struct nf_conntrack_tuple *tuple)
+ const struct nf_conntrack_tuple *tuple,
+ struct nf_conntrack_protocol *proto)
{
- struct nf_conntrack_protocol *proto;
int ret = 0;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
- /* If no protocol helper is found, this function will return the
- * generic protocol helper, so proto won't *ever* be NULL */
- proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
if (likely(proto->tuple_to_nfattr))
ret = proto->tuple_to_nfattr(skb, tuple);
- nf_ct_proto_put(proto);
+ NFA_NEST_END(skb, nest_parms);
return ret;
@@ -77,33 +75,44 @@ nfattr_failure:
}
static inline int
-ctnetlink_dump_tuples(struct sk_buff *skb,
- const struct nf_conntrack_tuple *tuple)
+ctnetlink_dump_tuples_ip(struct sk_buff *skb,
+ const struct nf_conntrack_tuple *tuple,
+ struct nf_conntrack_l3proto *l3proto)
{
- struct nfattr *nest_parms;
- struct nf_conntrack_l3proto *l3proto;
int ret = 0;
-
- l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
-
- nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
+
if (likely(l3proto->tuple_to_nfattr))
ret = l3proto->tuple_to_nfattr(skb, tuple);
+
NFA_NEST_END(skb, nest_parms);
+ return ret;
+
+nfattr_failure:
+ return -1;
+}
+
+static inline int
+ctnetlink_dump_tuples(struct sk_buff *skb,
+ const struct nf_conntrack_tuple *tuple)
+{
+ int ret;
+ struct nf_conntrack_l3proto *l3proto;
+ struct nf_conntrack_protocol *proto;
+
+ l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
+ ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
nf_ct_l3proto_put(l3proto);
if (unlikely(ret < 0))
return ret;
- nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
- ret = ctnetlink_dump_tuples_proto(skb, tuple);
- NFA_NEST_END(skb, nest_parms);
+ proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
+ nf_ct_proto_put(proto);
return ret;
-
-nfattr_failure:
- return -1;
}
static inline int
@@ -1150,6 +1159,37 @@ nfattr_failure:
}
static inline int
+ctnetlink_exp_dump_mask(struct sk_buff *skb,
+ const struct nf_conntrack_tuple *tuple,
+ const struct nf_conntrack_tuple *mask)
+{
+ int ret;
+ struct nf_conntrack_l3proto *l3proto;
+ struct nf_conntrack_protocol *proto;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
+
+ l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
+ ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
+ nf_ct_l3proto_put(l3proto);
+
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
+ nf_ct_proto_put(proto);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ NFA_NEST_END(skb, nest_parms);
+
+ return 0;
+
+nfattr_failure:
+ return -1;
+}
+
+static inline int
ctnetlink_exp_dump_expect(struct sk_buff *skb,
const struct nf_conntrack_expect *exp)
{
@@ -1159,7 +1199,7 @@ ctnetlink_exp_dump_expect(struct sk_buff
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
goto nfattr_failure;
- if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
+ if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
goto nfattr_failure;
if (ctnetlink_exp_dump_tuple(skb,
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
Index: net-2.6.16.git/net/ipv4/netfilter/ip_conntrack_netlink.c
===================================================================
--- net-2.6.16.git.orig/net/ipv4/netfilter/ip_conntrack_netlink.c 2006-02-28 16:52:20.000000000 +0100
+++ net-2.6.16.git/net/ipv4/netfilter/ip_conntrack_netlink.c 2006-03-02 20:15:17.000000000 +0100
@@ -4,7 +4,7 @@
* (C) 2001 by Jay Schulist <jschlst@samba.org>
* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
*
* I've reworked this stuff to use attributes instead of conntrack
* structures. 5.44 am. I need more tea. --pablo 05/07/11.
@@ -53,20 +53,18 @@ static char __initdata version[] = "0.90
static inline int
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
- const struct ip_conntrack_tuple *tuple)
+ const struct ip_conntrack_tuple *tuple,
+ struct ip_conntrack_protocol *proto)
{
- struct ip_conntrack_protocol *proto;
int ret = 0;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
- /* If no protocol helper is found, this function will return the
- * generic protocol helper, so proto won't *ever* be NULL */
- proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
if (likely(proto->tuple_to_nfattr))
ret = proto->tuple_to_nfattr(skb, tuple);
- ip_conntrack_proto_put(proto);
+ NFA_NEST_END(skb, nest_parms);
return ret;
@@ -75,28 +73,41 @@ nfattr_failure:
}
static inline int
-ctnetlink_dump_tuples(struct sk_buff *skb,
- const struct ip_conntrack_tuple *tuple)
+ctnetlink_dump_tuples_ip(struct sk_buff *skb,
+ const struct ip_conntrack_tuple *tuple)
{
- struct nfattr *nest_parms;
- int ret;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
- nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip);
NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip);
- NFA_NEST_END(skb, nest_parms);
- nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
- ret = ctnetlink_dump_tuples_proto(skb, tuple);
NFA_NEST_END(skb, nest_parms);
- return ret;
+ return 0;
nfattr_failure:
return -1;
}
static inline int
+ctnetlink_dump_tuples(struct sk_buff *skb,
+ const struct ip_conntrack_tuple *tuple)
+{
+ int ret;
+ struct ip_conntrack_protocol *proto;
+
+ ret = ctnetlink_dump_tuples_ip(skb, tuple);
+ if (unlikely(ret < 0))
+ return ret;
+
+ proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
+ ip_conntrack_proto_put(proto);
+
+ return ret;
+}
+
+static inline int
ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
{
u_int32_t status = htonl((u_int32_t) ct->status);
@@ -1134,6 +1145,33 @@ nfattr_failure:
}
static inline int
+ctnetlink_exp_dump_mask(struct sk_buff *skb,
+ const struct ip_conntrack_tuple *tuple,
+ const struct ip_conntrack_tuple *mask)
+{
+ int ret;
+ struct ip_conntrack_protocol *proto;
+ struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
+
+ ret = ctnetlink_dump_tuples_ip(skb, mask);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
+ ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
+ if (unlikely(ret < 0))
+ goto nfattr_failure;
+
+ ip_conntrack_proto_put(proto);
+ NFA_NEST_END(skb, nest_parms);
+
+ return 0;
+
+nfattr_failure:
+ return -1;
+}
+
+static inline int
ctnetlink_exp_dump_expect(struct sk_buff *skb,
const struct ip_conntrack_expect *exp)
{
@@ -1143,7 +1181,7 @@ ctnetlink_exp_dump_expect(struct sk_buff
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
goto nfattr_failure;
- if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
+ if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
goto nfattr_failure;
if (ctnetlink_exp_dump_tuple(skb,
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH 7/5] [CTNETLINK] Fix expectation mask dumping
2006-03-02 19:16 ` [PATCH 7/5] " Pablo Neira Ayuso
@ 2006-03-02 19:23 ` Pablo Neira Ayuso
0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2006-03-02 19:23 UTC (permalink / raw)
To: Netfilter Development Mailinglist
Cc: Harald Welte, Patrick McHardy, Yasuyuki Kozakai
Pablo Neira Ayuso wrote:
> This patch applies to 2.6.16.
>
> This patch introduces the function ctnetlink_exp_dump_mask, that
> correctly dumps the expectation mask. Such function uses the l3num value
> from the expectation tuple that is a valid layer 3 protocol number.
>
> The value of the l3num mask isn't dumped since it is meaningless from
> the userspace side.
This patch is crap, I'll resend later... sometimes I'm stupid.
--
Pablo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping
2006-02-27 2:10 [PATCH 1/5] [CTNETLINK] Fix expectation mask dumping Pablo Neira Ayuso
` (3 preceding siblings ...)
2006-03-02 19:16 ` [PATCH 7/5] " Pablo Neira Ayuso
@ 2006-03-04 9:26 ` Patrick McHardy
4 siblings, 0 replies; 8+ messages in thread
From: Patrick McHardy @ 2006-03-04 9:26 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Harald Welte, Netfilter Development Mailinglist, Yasuyuki Kozakai
Pablo Neira Ayuso wrote:
> This patch introduces the function ctnetlink_exp_dump_mask, that
> correctly dumps the expectation mask. Such function uses the l3num value
> from the expectation tuple that is a valid layer 3 protocol number.
>
> The value of the l3num mask isn't dumped since it is meaningless from
> the userspace side.
Its too late for 2.6.16, I've applied incarnation n+1 to my 2.6.17 tree.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread