[PATCH 1/2] netfilter: ctnetlink: allow changing NAT sequence adjustment in creation

[PATCH 1/2] netfilter: ctnetlink: allow changing NAT sequence adjustment in creation

[Pablo Neira Ayuso]

This patch fixes an inconsistency in the current ctnetlink code
since NAT sequence adjustment bit can only be updated but not set
in the conntrack entry creation.

This patch is used by conntrackd to successfully recover newly
created entries that represent connections with helpers and NAT
payload mangling.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nf_conntrack_netlink.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ef51e99..016fad5 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1212,6 +1212,16 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
 		}
 	}
 
+#ifdef CONFIG_NF_NAT_NEEDED
+	if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
+		err = ctnetlink_change_nat_seq_adj(ct, cda);
+		if (err < 0) {
+			rcu_read_unlock();
+			goto err;
+		}
+	}
+#endif
+
 	if (cda[CTA_PROTOINFO]) {
 		err = ctnetlink_change_protoinfo(ct, cda);
 		if (err < 0) {

[PATCH 2/2] netfilter: ctnetlink: fix echo if not subscribed to any multicast group

[Pablo Neira Ayuso]

This patch fixes echoing if the socket that has sent the request to
create/update/delete an entry is not subscribed to any multicast
group. With the current code, ctnetlink would not send the echo
message via unicast as nfnetlink_send() would be skip.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nf_conntrack_netlink.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 2424005..132207f 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -535,7 +535,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 	} else
 		return NOTIFY_DONE;
 
-	if (!nfnetlink_has_listeners(group))
+	if (!item->report && !nfnetlink_has_listeners(group))
 		return NOTIFY_DONE;
 
 	skb = alloc_skb(ctnetlink_calculate_room_size(ct, events), GFP_ATOMIC);
@@ -1609,7 +1609,8 @@ static int ctnetlink_expect_event(struct notifier_block *this,
 	} else
 		return NOTIFY_DONE;
 
-	if (!nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
+	if (!item->report &&
+	    !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
 		return NOTIFY_DONE;
 
 	skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);

Re: [PATCH 2/2] netfilter: ctnetlink: fix echo if not subscribed to any multicast group

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> This patch fixes echoing if the socket that has sent the request to
> create/update/delete an entry is not subscribed to any multicast
> group. With the current code, ctnetlink would not send the echo
> message via unicast as nfnetlink_send() would be skip.

Also applied, thanks.

Re: [PATCH 1/2] netfilter: ctnetlink: allow changing NAT sequence adjustment in creation

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> This patch fixes an inconsistency in the current ctnetlink code
> since NAT sequence adjustment bit can only be updated but not set
> in the conntrack entry creation.
> 
> This patch is used by conntrackd to successfully recover newly
> created entries that represent connections with helpers and NAT
> payload mangling.

Looks good, applied.