[PATCH 0/2] minor netfilter fixes for 2.6.30-rc

[PATCH 0/2] minor netfilter fixes for 2.6.30-rc

[Pablo Neira Ayuso]

Hi Patrick,

The following patches are a couple of minor fixes for 2.6.30-rc:

 * fix missing error report to user-space in ctnetlink if we fail to
 allocate the message.
 * fix misleading error in nfnetlink (-EPERM) if we fail to load
 nfnetlink. This patch replaces it with ENOMEM as it does rtnetlink.

---

Pablo Neira Ayuso (2):
      netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket
      netfilter: ctnetlink: report error if event message allocation fails


 net/netfilter/nf_conntrack_netlink.c |    5 +++--
 net/netfilter/nfnetlink.c            |    2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

[PATCH 1/2] netfilter: ctnetlink: report error if event message allocation fails

[Pablo Neira Ayuso]

This patch fixes an inconsistency that results in no error reports
to user-space listeners if we fail to allocate the event message.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nf_conntrack_netlink.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c6439c7..5e8503c 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -512,7 +512,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 
 	skb = ctnetlink_alloc_skb(tuple(ct, IP_CT_DIR_ORIGINAL), GFP_ATOMIC);
 	if (!skb)
-		return NOTIFY_DONE;
+		goto errout;
 
 	b = skb->tail;
 
@@ -591,8 +591,9 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 nla_put_failure:
 	rcu_read_unlock();
 nlmsg_failure:
-	nfnetlink_set_err(0, group, -ENOBUFS);
 	kfree_skb(skb);
+errout:
+	nfnetlink_set_err(0, group, -ENOBUFS);
 	return NOTIFY_DONE;
 }
 #endif /* CONFIG_NF_CONNTRACK_EVENTS */

Re: [PATCH 1/2] netfilter: ctnetlink: report error if event message allocation fails

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 280 bytes --]

Pablo Neira Ayuso wrote:
> This patch fixes an inconsistency that results in no error reports
> to user-space listeners if we fail to allocate the event message.

I was missing the expectation part. New patch attached.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: ctnl-alloc-fails-report-error.patch --]
[-- Type: text/x-diff, Size: 1605 bytes --]

netfilter: ctnetlink: report error if event message allocation fails

This patch fixes an inconsistency that results in no error reports
to user-space listeners if we fail to allocate the event message.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nf_conntrack_netlink.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c6439c7..0ea36e0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -512,7 +512,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 
 	skb = ctnetlink_alloc_skb(tuple(ct, IP_CT_DIR_ORIGINAL), GFP_ATOMIC);
 	if (!skb)
-		return NOTIFY_DONE;
+		goto errout;
 
 	b = skb->tail;
 
@@ -591,8 +591,9 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 nla_put_failure:
 	rcu_read_unlock();
 nlmsg_failure:
-	nfnetlink_set_err(0, group, -ENOBUFS);
 	kfree_skb(skb);
+errout:
+	nfnetlink_set_err(0, group, -ENOBUFS);
 	return NOTIFY_DONE;
 }
 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
@@ -1564,7 +1565,7 @@ static int ctnetlink_expect_event(struct notifier_block *this,
 
 	skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
 	if (!skb)
-		return NOTIFY_DONE;
+		goto errout;
 
 	b = skb->tail;
 
@@ -1589,8 +1590,9 @@ static int ctnetlink_expect_event(struct notifier_block *this,
 nla_put_failure:
 	rcu_read_unlock();
 nlmsg_failure:
-	nfnetlink_set_err(0, 0, -ENOBUFS);
 	kfree_skb(skb);
+errout:
+	nfnetlink_set_err(0, 0, -ENOBUFS);
 	return NOTIFY_DONE;
 }
 #endif

Re: [PATCH 1/2] netfilter: ctnetlink: report error if event message allocation fails

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> Pablo Neira Ayuso wrote:
>> This patch fixes an inconsistency that results in no error reports
>> to user-space listeners if we fail to allocate the event message.
> 
> I was missing the expectation part. New patch attached.

Applied, thanks Pablo.

[PATCH 2/2] netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket

[Pablo Neira Ayuso]

With this patch, nfnetlink returns -ENOMEM instead of -EPERM if we
fail to create the nfnetlink netlink socket during the module
loading. This is exactly what rtnetlink does in this case.

Ideally, it would be better if we propagate the error that has
happened in netlink_kernel_create(), however, this function still
does not implement this yet.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nfnetlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 2785d66..b8ab37a 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -203,7 +203,7 @@ static int __init nfnetlink_init(void)
 				     nfnetlink_rcv, NULL, THIS_MODULE);
 	if (!nfnl) {
 		printk(KERN_ERR "cannot initialize nfnetlink!\n");
-		return -1;
+		return -ENOMEM;
 	}
 
 	return 0;

Re: [PATCH 2/2] netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> With this patch, nfnetlink returns -ENOMEM instead of -EPERM if we
> fail to create the nfnetlink netlink socket during the module
> loading. This is exactly what rtnetlink does in this case.

Also applied, thanks.

> Ideally, it would be better if we propagate the error that has
> happened in netlink_kernel_create(), however, this function still
> does not implement this yet.

Agreed, but AFAICS netlink_kernel_create() only returns an error
on memory shortage, so this is fine currently.