From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Taehee Yoo <ap420073@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>,
kadlec@blackhole.kfki.hu, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/2] netfilter: helper: Fix incorrect helper name.
Date: Tue, 24 May 2016 11:23:51 +0200
Message-ID: <20160524092351.GA2105@salvia>
In-Reply-To: <CAMArcTUm9PeVD3+Vq7g0OffqxUZQJYRJs304jAF90LXH1Xj1YA@mail.gmail.com>
On Mon, May 23, 2016 at 12:03:55AM +0900, Taehee Yoo wrote:
> 2016-05-17 19:38 GMT+09:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> > On Sat, May 14, 2016 at 10:19:16PM +0900, Taehee Yoo wrote:
> >> When registering a helper, each helper adds the port to its name.
> >> The correct form is 'protocol name-port', but irc, sip and tftp add
> >> an iterator value. So this fixes it.
> >
> > Could you track since when this works in this way?
> >
> > This inconsistency has been probably there since long time ago, and we
> > expose this names through iptables -m helper.
> >
> > What I mean is: I understand this is inconsistent, but if we change
> > this now, we may break existing rulesets.
>
>
> Thank you for your review.
> And apologies for the late reply.
>
> I agree that the patch destroys so many rulesets.
> But I want to solve the issue that the helper cannot check duplicated
> helper rules.
> nf_conntrack_helper_register() checks name && l3num && protonum to
> check for duplicated rules.
> But the tftp, sip and irc helpers always have a unique helper name because
> it includes an iterator value.
> (tftp-1, tftp-2, tftp-3 ...)
> The helper name is a good method to check duplicated rules.
> But we need another check method to solve this issue and keep rulesets.
> So far, my idea is to use the help callback function's pointer address.
> Pseudo code is: "if (port && l3num && protonum && help)"
>
> Do you have any advice?

Probably something like this?

The idea is to compare the helper name, stripping off the '-value'
from the name so we catch it if the user specifies duplicated ports via
module option, which is what is causing problems for you, right?
[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 1095 bytes --]
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index f703adb..5785034 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -361,9 +361,9 @@ EXPORT_SYMBOL_GPL(nf_ct_helper_log);
int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
{
- int ret = 0;
struct nf_conntrack_helper *cur;
unsigned int h = helper_hash(&me->tuple);
+ int ret = 0, len;
BUG_ON(me->expect_policy == NULL);
BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
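Review bot: `slash` is assigned in the next hunk (`slash = strchr(cur->name, '-');`) but this hunk, which is the one touching the declarations, never declares it; the new line `+ int ret = 0, len;` should be accompanied by a `const char *slash;` declaration or the patch will not compile. Moving `ret` below `h` so the declarations read in reverse-xmas-tree order is fine.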
@@ -371,7 +371,13 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
mutex_lock(&nf_ct_helper_mutex);
hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
- if (strncmp(cur->name, me->name, NF_CT_HELPER_NAME_LEN) == 0 &&
+ slash = strchr(cur->name, '-');
+ if (slash)
+ len = slash - cur->name;
+ else
+ len = NF_CT_HELPER_NAME_LEN;
+
+ if (strncmp(cur->name, me->name, len) == 0 &&
cur->tuple.src.l3num == me->tuple.src.l3num &&
cur->tuple.dst.protonum == me->tuple.dst.protonum) {
ret = -EEXIST;
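Review bot: the new comparison is asymmetric and can both false-positive and miss. It strips the '-value' suffix only from `cur->name` and then uses that length as a prefix compare on `me->name`, so with a registered "sip-5060" (`len` = 3) any new helper whose name merely starts with "sip" gets -EEXIST, while the reverse case (registered "tftp", new "tftp-69") falls into the `else len = NF_CT_HELPER_NAME_LEN;` branch and is not caught at all. Suggest computing the base length of both names and requiring them to be equal before the `strncmp`, or at least checking that `me->name[len]` is '\0' or '-'.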
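The duplicate-name check discussed in the thread, as an added example that is not code from the patch or from the kernel: it places the patch's one-sided prefix compare beside a symmetric base-name compare so the false positive and the asymmetric miss can be seen on constructed names. NF_CT_HELPER_NAME_LEN is set to 16 here as an assumption, and the helper names are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value; the kernel defines this in its nf_conntrack_helper.h. */
#define NF_CT_HELPER_NAME_LEN 16

/* Length of the name up to the first '-', or the whole (capped) name. */
static size_t helper_base_len(const char *name)
{
    const char *dash = strchr(name, '-');
    size_t n = dash ? (size_t)(dash - name) : strlen(name);
    return n < NF_CT_HELPER_NAME_LEN ? n : NF_CT_HELPER_NAME_LEN;
}

/* Mirrors the patch: strip "-value" from cur only, then compare that
 * many bytes. Without a dash the full NF_CT_HELPER_NAME_LEN is used. */
static int patch_name_match(const char *cur, const char *me)
{
    size_t len = strchr(cur, '-') ? helper_base_len(cur)
                                  : NF_CT_HELPER_NAME_LEN;
    return strncmp(cur, me, len) == 0;
}

/* Symmetric variant: both names are stripped and the bases must have the
 * same length, so "sip-5060" matches "sip" and "sip-5061", but a name
 * that merely starts with "sip" does not. */
static int base_name_match(const char *cur, const char *me)
{
    size_t lc = helper_base_len(cur), lm = helper_base_len(me);
    return lc == lm && strncmp(cur, me, lc) == 0;
}

int main(void)
{
    /* Constructed pairs: already-registered name vs. name being registered. */
    const char *pairs[][2] = {
        { "tftp-1", "tftp-2" }, /* module-option duplicate: both should match */
        { "sip-5060", "sipx" }, /* prefix false positive in the patch version */
        { "tftp", "tftp-69" },  /* asymmetric miss in the patch version */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-9s vs %-8s patch=%d symmetric=%d\n", pairs[i][0], pairs[i][1],
               patch_name_match(pairs[i][0], pairs[i][1]),
               base_name_match(pairs[i][0], pairs[i][1]));
    return 0;
}
```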