[PATCH 0/2] fix invalid packet logging for icmpv6 conntrack

[PATCH 0/2] fix invalid packet logging for icmpv6 conntrack

[Eric Leblond]

Hi,

This small patchset fixes a small issue with a nf_log_packet() message which
was badly formatted and adds a message for invalid new icmpv6 packet.

Patchset statistic:
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

BR,
--
Eric Leblond <eric@inl.fr>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
EdenWall: http://www.edenwall.com/

[PATCH 1/2] netfilter: fix nf_log_packet message in icmpv6 conntrack.

[Eric Leblond]

This patch fixes a trivial typo that was adding a new line at end of
the nf_log_packet() prefix. It also make the logging conditionnal by
adding a LOG_INVALID test.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index c323643..72dbb6d 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -201,8 +201,9 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 
 	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
 	    nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
-		nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
-			      "nf_ct_icmpv6: ICMPv6 checksum failed\n");
+		if (LOG_INVALID(net, IPPROTO_ICMPV6))
+			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+				      "nf_ct_icmpv6: ICMPv6 checksum failed ");
 		return -NF_ACCEPT;
 	}
 
-- 
1.5.6.3

[PATCH 2/2] netfilter: log invalid new icmpv6 packet with nf_log_packet().

[Eric Leblond]

This patch adds a logging message for invalid new icmpv6 packet.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 72dbb6d..8b7059b 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -126,6 +126,10 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
 		pr_debug("icmpv6: can't create new conn with type %u\n",
 			 type + 128);
 		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
+		if (LOG_INVALID(&init_net, IPPROTO_ICMPV6))
+			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+				      "nf_ct_icmpv6: invalid new with type %d ",
+				      type + 128);
 		return false;
 	}
 	atomic_set(&ct->proto.icmp.count, 0);
-- 
1.5.6.3

Re: [PATCH 2/2] netfilter: log invalid new icmpv6 packet with nf_log_packet().

[Alexey Dobriyan]

On Thu, Jan 29, 2009 at 09:36:22PM +0100, Eric Leblond wrote:
> --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> @@ -126,6 +126,10 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
>  		pr_debug("icmpv6: can't create new conn with type %u\n",
>  			 type + 128);
>  		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
> +		if (LOG_INVALID(&init_net, IPPROTO_ICMPV6))

netns is nf_ct_net(ct) at this point, not &init_net.

> +			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
> +				      "nf_ct_icmpv6: invalid new with type %d ",
> +				      type + 128);

Re: [PATCH 2/2] netfilter: log invalid new icmpv6 packet with nf_log_packet().

[Eric Leblond]

Hi,

Alexey Dobriyan a écrit :
> On Thu, Jan 29, 2009 at 09:36:22PM +0100, Eric Leblond wrote:
>> --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
>> +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
>> @@ -126,6 +126,10 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
>>  		pr_debug("icmpv6: can't create new conn with type %u\n",
>>  			 type + 128);
>>  		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
>> +		if (LOG_INVALID(&init_net, IPPROTO_ICMPV6))
> 
> netns is nf_ct_net(ct) at this point, not &init_net.

Thanks a lot, updated patch to follow.

BR,
--
Eric Leblond <eric@inl.fr>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] netfilter: log invalid new icmpv6 packet with nf_log_packet().

[Eric Leblond]

This patch adds a logging message for invalid new icmpv6 packet.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 72dbb6d..41b8a95 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -126,6 +126,10 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
 		pr_debug("icmpv6: can't create new conn with type %u\n",
 			 type + 128);
 		nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
+		if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
+			nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+				      "nf_ct_icmpv6: invalid new with type %d ",
+				      type + 128);
 		return false;
 	}
 	atomic_set(&ct->proto.icmp.count, 0);
-- 
1.5.6.3

Re: [PATCH 1/2] netfilter: fix nf_log_packet message in icmpv6 conntrack.

[Patrick McHardy]

Eric Leblond wrote:
> This patch fixes a trivial typo that was adding a new line at end of
> the nf_log_packet() prefix. It also make the logging conditionnal by
> adding a LOG_INVALID test.

Applied, thanks Eric.

Re: [PATCH] netfilter: log invalid new icmpv6 packet with nf_log_packet().

[Patrick McHardy]

Eric Leblond wrote:
> This patch adds a logging message for invalid new icmpv6 packet.

I've queued this one for 2.6.30 since its not really a fix.
Thanks.