From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 07/53] netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean
Date: Mon,  1 May 2017 12:46:34 +0200	[thread overview]
Message-ID: <1493635640-24325-8-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1493635640-24325-1-git-send-email-pablo@netfilter.org>

From: Gao Feng <fgao@ikuai8.com>

nf_nat_mangle_{udp,tcp}_packet() returns int. However, it is used as
a bool in many spots. Fix this by consistently handling the return
value as a boolean.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_nat_helper.h | 36 +++++++++++++++----------------
 net/ipv4/netfilter/nf_nat_pptp.c      | 20 +++++++++---------
 net/netfilter/ipvs/ip_vs_ftp.c        | 13 +++++++-----
 net/netfilter/nf_nat_amanda.c         | 11 +++++-----
 net/netfilter/nf_nat_helper.c         | 40 +++++++++++++++++------------------
 net/netfilter/nf_nat_irc.c            |  9 ++++----
 6 files changed, 65 insertions(+), 64 deletions(-)

diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h
index 01bcc6bfbcc9..fbfa5acf4f14 100644
--- a/include/net/netfilter/nf_nat_helper.h
+++ b/include/net/netfilter/nf_nat_helper.h
@@ -7,31 +7,31 @@
 struct sk_buff;
 
 /* These return true or false. */
-int __nf_nat_mangle_tcp_packet(struct sk_buff *skb, struct nf_conn *ct,
-			       enum ip_conntrack_info ctinfo,
-			       unsigned int protoff, unsigned int match_offset,
-			       unsigned int match_len, const char *rep_buffer,
-			       unsigned int rep_len, bool adjust);
+bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, struct nf_conn *ct,
+				enum ip_conntrack_info ctinfo,
+				unsigned int protoff, unsigned int match_offset,
+				unsigned int match_len, const char *rep_buffer,
+				unsigned int rep_len, bool adjust);
 
-static inline int nf_nat_mangle_tcp_packet(struct sk_buff *skb,
-					   struct nf_conn *ct,
-					   enum ip_conntrack_info ctinfo,
-					   unsigned int protoff,
-					   unsigned int match_offset,
-					   unsigned int match_len,
-					   const char *rep_buffer,
-					   unsigned int rep_len)
+static inline bool nf_nat_mangle_tcp_packet(struct sk_buff *skb,
+					    struct nf_conn *ct,
+					    enum ip_conntrack_info ctinfo,
+					    unsigned int protoff,
+					    unsigned int match_offset,
+					    unsigned int match_len,
+					    const char *rep_buffer,
+					    unsigned int rep_len)
 {
 	return __nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
 					  match_offset, match_len,
 					  rep_buffer, rep_len, true);
 }
 
-int nf_nat_mangle_udp_packet(struct sk_buff *skb, struct nf_conn *ct,
-			     enum ip_conntrack_info ctinfo,
-			     unsigned int protoff, unsigned int match_offset,
-			     unsigned int match_len, const char *rep_buffer,
-			     unsigned int rep_len);
+bool nf_nat_mangle_udp_packet(struct sk_buff *skb, struct nf_conn *ct,
+			      enum ip_conntrack_info ctinfo,
+			      unsigned int protoff, unsigned int match_offset,
+			      unsigned int match_len, const char *rep_buffer,
+			      unsigned int rep_len);
 
 /* Setup NAT on this expected conntrack so it follows master, but goes
  * to port ct->master->saved_proto. */
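Review bot: The comment `/* These return true or false. */` above the prototypes still does not say which value means success, or that the result is not a netfilter verdict. That gap is what let the old amanda and irc callers in this same patch compare the result with `NF_ACCEPT`. I would replace it with something like `/* Return true if the packet was mangled, false on failure. This is a success flag, not an NF_* verdict; the caller chooses the verdict. */`. With the return type now `bool`, this keeps new helpers from reintroducing the verdict confusion.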
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index b3ca21b2ba9b..211fee5fe59d 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -177,11 +177,11 @@ pptp_outbound_pkt(struct sk_buff *skb,
 		 ntohs(REQ_CID(pptpReq, cid_off)), ntohs(new_callid));
 
 	/* mangle packet */
-	if (nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
-				     cid_off + sizeof(struct pptp_pkt_hdr) +
-				     sizeof(struct PptpControlHeader),
-				     sizeof(new_callid), (char *)&new_callid,
-				     sizeof(new_callid)) == 0)
+	if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
+				      cid_off + sizeof(struct pptp_pkt_hdr) +
+				      sizeof(struct PptpControlHeader),
+				      sizeof(new_callid), (char *)&new_callid,
+				      sizeof(new_callid)))
 		return NF_DROP;
 	return NF_ACCEPT;
 }
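Review bot: The failure path here returns `NF_DROP` without logging anything, while the amanda and irc helpers touched by this patch call `nf_ct_helper_log(skb, ..., "cannot mangle packet")` before dropping. The same applies to the `pptp_inbound_pkt` hunk that follows. A silent drop of a PPTP control packet is hard to diagnose from the outside. If the helper log facility is usable in this context, I would brace the branch and add `nf_ct_helper_log(skb, ct, "cannot mangle packet");` before `return NF_DROP;`. Both functions start outside their hunks, so this should be checked against the full bodies.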
@@ -271,11 +271,11 @@ pptp_inbound_pkt(struct sk_buff *skb,
 	pr_debug("altering peer call id from 0x%04x to 0x%04x\n",
 		 ntohs(REQ_CID(pptpReq, pcid_off)), ntohs(new_pcid));
 
-	if (nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
-				     pcid_off + sizeof(struct pptp_pkt_hdr) +
-				     sizeof(struct PptpControlHeader),
-				     sizeof(new_pcid), (char *)&new_pcid,
-				     sizeof(new_pcid)) == 0)
+	if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff,
+				      pcid_off + sizeof(struct pptp_pkt_hdr) +
+				      sizeof(struct PptpControlHeader),
+				      sizeof(new_pcid), (char *)&new_pcid,
+				      sizeof(new_pcid)))
 		return NF_DROP;
 	return NF_ACCEPT;
 }
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index d30c327bb578..e9e721e63844 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -261,6 +261,8 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
 
 		ct = nf_ct_get(skb, &ctinfo);
 		if (ct && !nf_ct_is_untracked(ct) && nfct_nat(ct)) {
+			bool mangled;
+
 			/* If mangling fails this function will return 0
 			 * which will cause the packet to be dropped.
 			 * Mangling can only fail under memory pressure,
@@ -268,12 +270,13 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
 			 * packet.
 			 */
 			rcu_read_lock();
-			ret = nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
-						       iph->ihl * 4,
-						       start-data, end-start,
-						       buf, buf_len);
+			mangled = nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
+							   iph->ihl * 4,
+							   start - data,
+							   end - start,
+							   buf, buf_len);
 			rcu_read_unlock();
-			if (ret) {
+			if (mangled) {
 				ip_vs_nfct_expect_related(skb, ct, n_cp,
 							  IPPROTO_TCP, 0, 0);
 				if (skb->ip_summed == CHECKSUM_COMPLETE)
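Review bot: `ret` is no longer assigned from the mangle call, so the comment kept just above ("If mangling fails this function will return 0 which will cause the packet to be dropped") now holds only under two conditions. `ret` must still be 0 when this block is reached, and the `if (mangled)` branch must set it on success. Neither the initialisation of `ret` nor the end of that branch is visible in this hunk, and the function continues past it. If either assumption is wrong, a packet whose payload was not rewritten could be passed on instead of dropped. Please confirm against the full function, and either keep the old data flow explicit with `ret = mangled;` after `rcu_read_unlock();` or reword the comment to say where `ret` is set.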
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c
index eb772380a202..e4d61a7a5258 100644
--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -33,7 +33,6 @@ static unsigned int help(struct sk_buff *skb,
 {
 	char buffer[sizeof("65535")];
 	u_int16_t port;
-	unsigned int ret;
 
 	/* Connection comes from client. */
 	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
@@ -63,14 +62,14 @@ static unsigned int help(struct sk_buff *skb,
 	}
 
 	sprintf(buffer, "%u", port);
-	ret = nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
-				       protoff, matchoff, matchlen,
-				       buffer, strlen(buffer));
-	if (ret != NF_ACCEPT) {
+	if (!nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
+				      protoff, matchoff, matchlen,
+				      buffer, strlen(buffer))) {
 		nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
 		nf_ct_unexpect_related(exp);
+		return NF_DROP;
 	}
-	return ret;
+	return NF_ACCEPT;
 }
 
 static void __exit nf_nat_amanda_fini(void)
diff --git a/net/netfilter/nf_nat_helper.c b/net/netfilter/nf_nat_helper.c
index 211661cb2c90..607a373379b4 100644
--- a/net/netfilter/nf_nat_helper.c
+++ b/net/netfilter/nf_nat_helper.c
@@ -70,15 +70,15 @@ static void mangle_contents(struct sk_buff *skb,
 }
 
 /* Unusual, but possible case. */
-static int enlarge_skb(struct sk_buff *skb, unsigned int extra)
+static bool enlarge_skb(struct sk_buff *skb, unsigned int extra)
 {
 	if (skb->len + extra > 65535)
-		return 0;
+		return false;
 
 	if (pskb_expand_head(skb, 0, extra - skb_tailroom(skb), GFP_ATOMIC))
-		return 0;
+		return false;
 
-	return 1;
+	return true;
 }
 
 /* Generic function for mangling variable-length address changes inside
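Review bot: `enlarge_skb()` now returns `bool`, but its only comment is "Unusual, but possible case.", which documents neither the meaning of the result nor the precondition on `extra`. The size passed to `pskb_expand_head()` is `extra - skb_tailroom(skb)`, which is only meaningful when `extra` exceeds the tailroom. Both callers visible in this patch guarantee that with `rep_len - match_len > skb_tailroom(skb)` before calling. I would state this at the definition: `/* Make room for @extra more bytes. Caller must ensure extra > skb_tailroom(skb). Returns false if the packet would exceed 65535 bytes or the reallocation fails. */`. That way a future caller does not skip the guard.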
@@ -89,26 +89,26 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra)
  * skb enlargement, ...
  *
  * */
-int __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
-			       struct nf_conn *ct,
-			       enum ip_conntrack_info ctinfo,
-			       unsigned int protoff,
-			       unsigned int match_offset,
-			       unsigned int match_len,
-			       const char *rep_buffer,
-			       unsigned int rep_len, bool adjust)
+bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
+				struct nf_conn *ct,
+				enum ip_conntrack_info ctinfo,
+				unsigned int protoff,
+				unsigned int match_offset,
+				unsigned int match_len,
+				const char *rep_buffer,
+				unsigned int rep_len, bool adjust)
 {
 	const struct nf_nat_l3proto *l3proto;
 	struct tcphdr *tcph;
 	int oldlen, datalen;
 
 	if (!skb_make_writable(skb, skb->len))
-		return 0;
+		return false;
 
 	if (rep_len > match_len &&
 	    rep_len - match_len > skb_tailroom(skb) &&
 	    !enlarge_skb(skb, rep_len - match_len))
-		return 0;
+		return false;
 
 	SKB_LINEAR_ASSERT(skb);
 
@@ -128,7 +128,7 @@ int __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
 		nf_ct_seqadj_set(ct, ctinfo, tcph->seq,
 				 (int)rep_len - (int)match_len);
 
-	return 1;
+	return true;
 }
 EXPORT_SYMBOL(__nf_nat_mangle_tcp_packet);
 
@@ -142,7 +142,7 @@ EXPORT_SYMBOL(__nf_nat_mangle_tcp_packet);
  * XXX - This function could be merged with nf_nat_mangle_tcp_packet which
  *       should be fairly easy to do.
  */
-int
+bool
 nf_nat_mangle_udp_packet(struct sk_buff *skb,
 			 struct nf_conn *ct,
 			 enum ip_conntrack_info ctinfo,
@@ -157,12 +157,12 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
 	int datalen, oldlen;
 
 	if (!skb_make_writable(skb, skb->len))
-		return 0;
+		return false;
 
 	if (rep_len > match_len &&
 	    rep_len - match_len > skb_tailroom(skb) &&
 	    !enlarge_skb(skb, rep_len - match_len))
-		return 0;
+		return false;
 
 	udph = (void *)skb->data + protoff;
 
@@ -176,13 +176,13 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
 
 	/* fix udp checksum if udp checksum was previously calculated */
 	if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL)
-		return 1;
+		return true;
 
 	l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
 	l3proto->csum_recalc(skb, IPPROTO_UDP, udph, &udph->check,
 			     datalen, oldlen);
 
-	return 1;
+	return true;
 }
 EXPORT_SYMBOL(nf_nat_mangle_udp_packet);
 
diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c
index 1fb2258c3535..0648cb096bd8 100644
--- a/net/netfilter/nf_nat_irc.c
+++ b/net/netfilter/nf_nat_irc.c
@@ -37,7 +37,6 @@ static unsigned int help(struct sk_buff *skb,
 	struct nf_conn *ct = exp->master;
 	union nf_inet_addr newaddr;
 	u_int16_t port;
-	unsigned int ret;
 
 	/* Reply comes from server. */
 	newaddr = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3;
@@ -83,14 +82,14 @@ static unsigned int help(struct sk_buff *skb,
 	pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n",
 		 buffer, &newaddr.ip, port);
 
-	ret = nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff,
-				       matchlen, buffer, strlen(buffer));
-	if (ret != NF_ACCEPT) {
+	if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff,
+				      matchlen, buffer, strlen(buffer))) {
 		nf_ct_helper_log(skb, ct, "cannot mangle packet");
 		nf_ct_unexpect_related(exp);
+		return NF_DROP;
 	}
 
-	return ret;
+	return NF_ACCEPT;
 }
 
 static void __exit nf_nat_irc_fini(void)
-- 
2.1.4

