* [PATCH 0/4] netfilter updates for net-next (batch 3)
@ 2012-06-19 3:16 pablo
2012-06-19 3:16 ` [PATCH 1/4] netfilter: ctnetlink: fix NULL dereference while trying to change helper pablo
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: pablo @ 2012-06-19 3:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following patchset provides fixes for issues that were recently introduced
by my new cthelper infrastructure. They have been spotted by Randy Dunlap,
Andrew Morton and Dan Carpenter.
The patches provide:
* compilation fixes if CONFIG_NF_CONNTRACK is disabled: I moved all the
conntrack code from nfnetlink_queue.c to nfnetlink_queue_ct.c to avoid
peppering the entire code with lots of ifdefs. I needed to rename
nfnetlink_queue.c to nfnetlink_queue_core.c to get it working with the
Makefile tweaks I've added.
* fix NULL pointer dereference via ctnetlink while trying to change the helper
for an existing conntrack entry. I don't find any reasonable use case for
changing the helper from one to another in run-time. Thus, now ctnetlink
returns -EOPNOTSUPP for this operation.
* fix possible out-of-bound zeroing of the conntrack extension area due to
the helper automatic assignation routine.
You can pull these changes from:
git://1984.lsi.us.es/nf-next master
Thanks!
Pablo Neira Ayuso (4):
netfilter: ctnetlink: fix NULL dereference while trying to change helper
netfilter: nf_ct_helper: disable automatic helper re-assignment of different type
netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset
netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled
include/net/netfilter/nfnetlink_queue.h | 43 +++++++++
net/netfilter/Kconfig | 29 ++++--
net/netfilter/Makefile | 4 +-
net/netfilter/nf_conntrack_helper.c | 8 +-
net/netfilter/nf_conntrack_netlink.c | 24 ++---
.../{nfnetlink_queue.c => nfnetlink_queue_core.c} | 49 ++--------
net/netfilter/nfnetlink_queue_ct.c | 97 ++++++++++++++++++++
7 files changed, 187 insertions(+), 67 deletions(-)
create mode 100644 include/net/netfilter/nfnetlink_queue.h
rename net/netfilter/{nfnetlink_queue.c => nfnetlink_queue_core.c} (95%)
create mode 100644 net/netfilter/nfnetlink_queue_ct.c
--
1.7.10
^ permalink raw reply [flat|nested] 8+ messages in thread* [PATCH 1/4] netfilter: ctnetlink: fix NULL dereference while trying to change helper 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo @ 2012-06-19 3:16 ` pablo 2012-06-19 3:16 ` [PATCH 2/4] netfilter: nf_ct_helper: disable automatic helper re-assignment of different type pablo ` (4 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: pablo @ 2012-06-19 3:16 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> The patch 1afc56794e03: "netfilter: nf_ct_helper: implement variable length helper private data" from Jun 7, 2012, leads to the following Smatch complaint: net/netfilter/nf_conntrack_netlink.c:1231 ctnetlink_change_helper() error: we previously assumed 'help->helper' could be null (see line 1228) This NULL dereference can be triggered with the following sequence: 1) attach the helper for first time when the conntrack is created. 2) remove the helper module or detach the helper from the conntrack via ctnetlink. 3) attach helper again (the same or different one, no matter) to the that existing conntrack again via ctnetlink. This patch fixes the problem by removing the use case that allows you to re-assign again a helper for one conntrack entry via ctnetlink since I cannot find any practical use for it. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index ae156df..76271a1 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1224,19 +1224,12 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[]) if (helper->from_nlattr && helpinfo) helper->from_nlattr(helpinfo, ct); return 0; - } - if (help->helper) + } else return -EBUSY; - /* need to zero data of old helper */ - memset(help->data, 0, help->helper->data_len); - } else { - /* we cannot set a helper for an existing conntrack */ - return -EOPNOTSUPP; } - rcu_assign_pointer(help->helper, helper); - - return 0; + /* we cannot set a helper for an existing conntrack */ + return -EOPNOTSUPP; } static inline int -- 1.7.10 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/4] netfilter: nf_ct_helper: disable automatic helper re-assignment of different type 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo 2012-06-19 3:16 ` [PATCH 1/4] netfilter: ctnetlink: fix NULL dereference while trying to change helper pablo @ 2012-06-19 3:16 ` pablo 2012-06-19 3:16 ` [PATCH 3/4] netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset pablo ` (3 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: pablo @ 2012-06-19 3:16 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> This patch modifies __nf_ct_try_assign_helper in a way that invalidates support for the following scenario: 1) attach the helper A for first time when the conntrack is created 2) attach new (different) helper B due to changes the reply tuple caused by NAT eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers loaded, which seems to be a quite unorthodox scenario. I can provide a more elaborated patch to support this scenario but explicit helper attachment provides a better solution for this since now the use can attach the helpers consistently, without relying on the automatic helper lookup magic. This patch fixes a possible out of bound zeroing of the conntrack helper extension if the helper B uses more memory for its private data than helper A. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_conntrack_helper.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 2918ec2..c4bc637 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -229,7 +229,13 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, goto out; } } else { - memset(help->data, 0, helper->data_len); + /* We only allow helper re-assignment of the same sort since + * we cannot reallocate the helper extension area. + */ + if (help->helper != helper) { + RCU_INIT_POINTER(help->helper, NULL); + goto out; + } } rcu_assign_pointer(help->helper, helper); -- 1.7.10 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/4] netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo 2012-06-19 3:16 ` [PATCH 1/4] netfilter: ctnetlink: fix NULL dereference while trying to change helper pablo 2012-06-19 3:16 ` [PATCH 2/4] netfilter: nf_ct_helper: disable automatic helper re-assignment of different type pablo @ 2012-06-19 3:16 ` pablo 2012-06-19 3:16 ` [PATCH 4/4] netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled pablo ` (2 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: pablo @ 2012-06-19 3:16 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> This patch fixes the compilation of net/netfilter/nfnetlink_cthelper.c if CONFIG_NF_CONNTRACK is not set. This patch also moves the definition of the cthelper infrastructure to the scope of NF_CONNTRACK things. I have also renamed NETFILTER_NETLINK_CTHELPER by NF_CT_NETLINK_HELPER, to use similar names to other nf_conntrack_netlink extensions. Better now that this has been only for two days in David's tree. Two new dependencies have been added: * NF_CT_NETLINK * NETFILTER_NETLINK_QUEUE Since these infrastructure requires both ctnetlink and nfqueue. Reported-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/Kconfig | 20 ++++++++++++-------- net/netfilter/Makefile | 2 +- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index aae6c62..f1a52ba 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -12,14 +12,6 @@ tristate "Netfilter NFACCT over NFNETLINK interface" If this option is enabled, the kernel will include support for extended accounting via NFNETLINK. -config NETFILTER_NETLINK_CTHELPER -tristate "Netfilter CTHELPER over NFNETLINK interface" - depends on NETFILTER_ADVANCED - select NETFILTER_NETLINK - help - If this option is enabled, the kernel will include support - for user-space connection tracking helpers via NFNETLINK. - config NETFILTER_NETLINK_QUEUE tristate "Netfilter NFQUEUE over NFNETLINK interface" depends on NETFILTER_ADVANCED @@ -343,6 +335,18 @@ config NF_CT_NETLINK_TIMEOUT If unsure, say `N'. +config NF_CT_NETLINK_HELPER + tristate 'Connection tracking helpers in user-space via Netlink' + select NETFILTER_NETLINK + depends on NF_CT_NETLINK + depends on NETFILTER_NETLINK_QUEUE + depends on NETFILTER_ADVANCED + help + This option enables the user-space connection tracking helpers + infrastructure. + + If unsure, say `N'. + endif # NF_CONNTRACK # transparent proxy support diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 2f3bc0f..7cc2019 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -9,7 +9,6 @@ obj-$(CONFIG_NETFILTER) = netfilter.o obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o -obj-$(CONFIG_NETFILTER_NETLINK_CTHELPER) += nfnetlink_cthelper.o obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o @@ -25,6 +24,7 @@ obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o # netlink interface for nf_conntrack obj-$(CONFIG_NF_CT_NETLINK) += nf_conntrack_netlink.o obj-$(CONFIG_NF_CT_NETLINK_TIMEOUT) += nfnetlink_cttimeout.o +obj-$(CONFIG_NF_CT_NETLINK_HELPER) += nfnetlink_cthelper.o # connection tracking helpers nf_conntrack_h323-objs := nf_conntrack_h323_main.o nf_conntrack_h323_asn1.o -- 1.7.10 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 4/4] netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo ` (2 preceding siblings ...) 2012-06-19 3:16 ` [PATCH 3/4] netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset pablo @ 2012-06-19 3:16 ` pablo 2012-06-19 3:28 ` [PATCH 0/4] netfilter updates for net-next (batch 3) David Miller 2012-06-19 3:37 ` Pablo Neira Ayuso 5 siblings, 0 replies; 8+ messages in thread From: pablo @ 2012-06-19 3:16 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> In "9cb0176 netfilter: add glue code to integrate nfnetlink_queue and ctnetlink" the compilation with NF_CONNTRACK disabled is broken. This patch fixes this issue. I have moved the conntrack part into nfnetlink_queue_ct.c to avoid peppering the entire nfnetlink_queue.c code with ifdefs. I also needed to rename nfnetlink_queue.c to nfnetlink_queue_pkt.c to update the net/netfilter/Makefile to support conditional compilation of the conntrack integration. This patch also adds CONFIG_NETFILTER_QUEUE_CT in case you want to explicitly disable the integration between nf_conntrack and nfnetlink_queue. Reported-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nfnetlink_queue.h | 43 +++++++++ net/netfilter/Kconfig | 9 ++ net/netfilter/Makefile | 2 + net/netfilter/nf_conntrack_netlink.c | 11 +-- .../{nfnetlink_queue.c => nfnetlink_queue_core.c} | 49 ++-------- net/netfilter/nfnetlink_queue_ct.c | 97 ++++++++++++++++++++ 6 files changed, 164 insertions(+), 47 deletions(-) create mode 100644 include/net/netfilter/nfnetlink_queue.h rename net/netfilter/{nfnetlink_queue.c => nfnetlink_queue_core.c} (95%) create mode 100644 net/netfilter/nfnetlink_queue_ct.c diff --git a/include/net/netfilter/nfnetlink_queue.h b/include/net/netfilter/nfnetlink_queue.h new file mode 100644 index 0000000..9f8095c --- /dev/null +++ b/include/net/netfilter/nfnetlink_queue.h @@ -0,0 +1,43 @@ +#ifndef _NET_NFNL_QUEUE_H_ +#define _NET_NFNL_QUEUE_H_ + +#include <linux/netfilter/nf_conntrack_common.h> + +struct nf_conn; + +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) +struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size, + enum ip_conntrack_info *ctinfo); +struct nf_conn *nfqnl_ct_parse(const struct sk_buff *skb, + const struct nlattr *attr, + enum ip_conntrack_info *ctinfo); +int nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo); +void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int diff); +#else +inline struct nf_conn * +nfqnl_ct_get(struct sk_buff *entskb, size_t *size, enum ip_conntrack_info *ctinfo) +{ + return NULL; +} + +inline struct nf_conn *nfqnl_ct_parse(const struct sk_buff *skb, + const struct nlattr *attr, + enum ip_conntrack_info *ctinfo) +{ + return NULL; +} + +inline int +nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo) +{ + return 0; +} + +inline void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int diff) +{ +} +#endif /* NF_CONNTRACK */ +#endif diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index f1a52ba..c19b214 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -340,6 +340,7 @@ config NF_CT_NETLINK_HELPER select NETFILTER_NETLINK depends on NF_CT_NETLINK depends on NETFILTER_NETLINK_QUEUE + depends on NETFILTER_NETLINK_QUEUE_CT depends on NETFILTER_ADVANCED help This option enables the user-space connection tracking helpers @@ -347,6 +348,14 @@ config NF_CT_NETLINK_HELPER If unsure, say `N'. +config NETFILTER_NETLINK_QUEUE_CT + bool "NFQUEUE integration with Connection Tracking" + default n + depends on NETFILTER_NETLINK_QUEUE + help + If this option is enabled, NFQUEUE can include Connection Tracking + information together with the packet is the enqueued via NFNETLINK. + endif # NF_CONNTRACK # transparent proxy support diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 7cc2019..1c5160f 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -9,6 +9,8 @@ obj-$(CONFIG_NETFILTER) = netfilter.o obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o +nfnetlink_queue-y := nfnetlink_queue_core.o +nfnetlink_queue-$(CONFIG_NETFILTER_NETLINK_QUEUE_CT) += nfnetlink_queue_ct.o obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 76271a1..31d1d8f 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1627,8 +1627,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, return err; } -#if defined(CONFIG_NETFILTER_NETLINK_QUEUE) || \ - defined(CONFIG_NETFILTER_NETLINK_QUEUE_MODULE) +#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT static size_t ctnetlink_nfqueue_build_size(const struct nf_conn *ct) { @@ -1762,7 +1761,7 @@ static struct nfq_ct_hook ctnetlink_nfqueue_hook = { .seq_adjust = nf_nat_tcp_seq_adjust, #endif }; -#endif /* CONFIG_NETFILTER_NETLINK_QUEUE */ +#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */ /*********************************************************************** * EXPECT @@ -2568,8 +2567,7 @@ static int __init ctnetlink_init(void) pr_err("ctnetlink_init: cannot register pernet operations\n"); goto err_unreg_exp_subsys; } -#if defined(CONFIG_NETFILTER_NETLINK_QUEUE) || \ - defined(CONFIG_NETFILTER_NETLINK_QUEUE_MODULE) +#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT /* setup interaction between nf_queue and nf_conntrack_netlink. */ RCU_INIT_POINTER(nfq_ct_hook, &ctnetlink_nfqueue_hook); #endif @@ -2590,8 +2588,7 @@ static void __exit ctnetlink_exit(void) unregister_pernet_subsys(&ctnetlink_net_ops); nfnetlink_subsys_unregister(&ctnl_exp_subsys); nfnetlink_subsys_unregister(&ctnl_subsys); -#if defined(CONFIG_NETFILTER_NETLINK_QUEUE) || \ - defined(CONFIG_NETFILTER_NETLINK_QUEUE_MODULE) +#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT RCU_INIT_POINTER(nfq_ct_hook, NULL); #endif } diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue_core.c similarity index 95% rename from net/netfilter/nfnetlink_queue.c rename to net/netfilter/nfnetlink_queue_core.c index ff82c79..d36b95e 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue_core.c @@ -30,7 +30,7 @@ #include <linux/list.h> #include <net/sock.h> #include <net/netfilter/nf_queue.h> -#include <net/netfilter/nf_conntrack.h> +#include <net/netfilter/nfnetlink_queue.h> #include <linux/atomic.h> @@ -234,7 +234,6 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, struct sk_buff *entskb = entry->skb; struct net_device *indev; struct net_device *outdev; - struct nfq_ct_hook *nfq_ct; struct nf_conn *ct = NULL; enum ip_conntrack_info uninitialized_var(ctinfo); @@ -270,17 +269,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, break; } - /* rcu_read_lock()ed by __nf_queue already. */ - nfq_ct = rcu_dereference(nfq_ct_hook); - if (nfq_ct != NULL && (queue->flags & NFQA_CFG_F_CONNTRACK)) { - ct = nf_ct_get(entskb, &ctinfo); - if (ct) { - if (!nf_ct_is_untracked(ct)) - size += nfq_ct->build_size(ct); - else - ct = NULL; - } - } + if (queue->flags & NFQA_CFG_F_CONNTRACK) + ct = nfqnl_ct_get(entskb, &size, &ctinfo); skb = alloc_skb(size, GFP_ATOMIC); if (!skb) @@ -404,23 +394,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, BUG(); } - if (ct) { - struct nlattr *nest_parms; - u_int32_t tmp; - - nest_parms = nla_nest_start(skb, NFQA_CT | NLA_F_NESTED); - if (!nest_parms) - goto nla_put_failure; - - if (nfq_ct->build(skb, ct) < 0) - goto nla_put_failure; - - nla_nest_end(skb, nest_parms); - - tmp = ctinfo; - if (nla_put_u32(skb, NFQA_CT_INFO, htonl(ctinfo))) - goto nla_put_failure; - } + if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0) + goto nla_put_failure; nlh->nlmsg_len = skb->tail - old_tail; return skb; @@ -764,7 +739,6 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, struct nfqnl_instance *queue; unsigned int verdict; struct nf_queue_entry *entry; - struct nfq_ct_hook *nfq_ct; enum ip_conntrack_info uninitialized_var(ctinfo); struct nf_conn *ct = NULL; @@ -786,13 +760,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, return -ENOENT; rcu_read_lock(); - nfq_ct = rcu_dereference(nfq_ct_hook); - if (nfq_ct != NULL && - (queue->flags & NFQA_CFG_F_CONNTRACK) && nfqa[NFQA_CT]) { - ct = nf_ct_get(entry->skb, &ctinfo); - if (ct && !nf_ct_is_untracked(ct)) - nfq_ct->parse(nfqa[NFQA_CT], ct); - } + if (nfqa[NFQA_CT] && (queue->flags & NFQA_CFG_F_CONNTRACK)) + ct = nfqnl_ct_parse(entry->skb, nfqa[NFQA_CT], &ctinfo); if (nfqa[NFQA_PAYLOAD]) { u16 payload_len = nla_len(nfqa[NFQA_PAYLOAD]); @@ -802,8 +771,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, payload_len, entry, diff) < 0) verdict = NF_DROP; - if (ct && (ct->status & IPS_NAT_MASK) && diff) - nfq_ct->seq_adjust(skb, ct, ctinfo, diff); + if (ct) + nfqnl_ct_seq_adjust(skb, ct, ctinfo, diff); } rcu_read_unlock(); diff --git a/net/netfilter/nfnetlink_queue_ct.c b/net/netfilter/nfnetlink_queue_ct.c new file mode 100644 index 0000000..68ef550 --- /dev/null +++ b/net/netfilter/nfnetlink_queue_ct.c @@ -0,0 +1,97 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + */ + +#include <linux/skbuff.h> +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nfnetlink_queue.h> +#include <net/netfilter/nf_conntrack.h> + +struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size, + enum ip_conntrack_info *ctinfo) +{ + struct nfq_ct_hook *nfq_ct; + struct nf_conn *ct; + + /* rcu_read_lock()ed by __nf_queue already. */ + nfq_ct = rcu_dereference(nfq_ct_hook); + if (nfq_ct == NULL) + return NULL; + + ct = nf_ct_get(entskb, ctinfo); + if (ct) { + if (!nf_ct_is_untracked(ct)) + *size += nfq_ct->build_size(ct); + else + ct = NULL; + } + return ct; +} + +struct nf_conn * +nfqnl_ct_parse(const struct sk_buff *skb, const struct nlattr *attr, + enum ip_conntrack_info *ctinfo) +{ + struct nfq_ct_hook *nfq_ct; + struct nf_conn *ct; + + /* rcu_read_lock()ed by __nf_queue already. */ + nfq_ct = rcu_dereference(nfq_ct_hook); + if (nfq_ct == NULL) + return NULL; + + ct = nf_ct_get(skb, ctinfo); + if (ct && !nf_ct_is_untracked(ct)) + nfq_ct->parse(attr, ct); + + return ct; +} + +int nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo) +{ + struct nfq_ct_hook *nfq_ct; + struct nlattr *nest_parms; + u_int32_t tmp; + + nfq_ct = rcu_dereference(nfq_ct_hook); + if (nfq_ct == NULL) + return 0; + + nest_parms = nla_nest_start(skb, NFQA_CT | NLA_F_NESTED); + if (!nest_parms) + goto nla_put_failure; + + if (nfq_ct->build(skb, ct) < 0) + goto nla_put_failure; + + nla_nest_end(skb, nest_parms); + + tmp = ctinfo; + if (nla_put_be32(skb, NFQA_CT_INFO, htonl(tmp))) + goto nla_put_failure; + + return 0; + +nla_put_failure: + return -1; +} + +void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int diff) +{ + struct nfq_ct_hook *nfq_ct; + + nfq_ct = rcu_dereference(nfq_ct_hook); + if (nfq_ct == NULL) + return; + + if ((ct->status & IPS_NAT_MASK) && diff) + nfq_ct->seq_adjust(skb, ct, ctinfo, diff); +} -- 1.7.10 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 0/4] netfilter updates for net-next (batch 3) 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo ` (3 preceding siblings ...) 2012-06-19 3:16 ` [PATCH 4/4] netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled pablo @ 2012-06-19 3:28 ` David Miller 2012-06-19 3:37 ` Pablo Neira Ayuso 5 siblings, 0 replies; 8+ messages in thread From: David Miller @ 2012-06-19 3:28 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel, netdev From: pablo@netfilter.org Date: Tue, 19 Jun 2012 05:16:25 +0200 > The patches provide: > > * compilation fixes if CONFIG_NF_CONNTRACK is disabled: I moved all the > conntrack code from nfnetlink_queue.c to nfnetlink_queue_ct.c to avoid > peppering the entire code with lots of ifdefs. I needed to rename > nfnetlink_queue.c to nfnetlink_queue_core.c to get it working with the > Makefile tweaks I've added. > > * fix NULL pointer dereference via ctnetlink while trying to change the helper > for an existing conntrack entry. I don't find any reasonable use case for > changing the helper from one to another in run-time. Thus, now ctnetlink > returns -EOPNOTSUPP for this operation. > > * fix possible out-of-bound zeroing of the conntrack extension area due to > the helper automatic assignation routine. > > You can pull these changes from: > > git://1984.lsi.us.es/nf-next master Pulled, thanks. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/4] netfilter updates for net-next (batch 3) 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo ` (4 preceding siblings ...) 2012-06-19 3:28 ` [PATCH 0/4] netfilter updates for net-next (batch 3) David Miller @ 2012-06-19 3:37 ` Pablo Neira Ayuso 2012-06-19 4:09 ` David Miller 5 siblings, 1 reply; 8+ messages in thread From: Pablo Neira Ayuso @ 2012-06-19 3:37 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev [-- Attachment #1: Type: text/plain, Size: 333 bytes --] On Tue, Jun 19, 2012 at 05:16:25AM +0200, pablo@netfilter.org wrote: [...] > You can pull these changes from: > > git://1984.lsi.us.es/nf-next master Please, also take the small patch attached after this 4 patch series. It fixes one linking issue. Sorry, I'll put more care next time testing compilation options more extensively. [-- Attachment #2: 0001-netfilter-fix-missing-symbols-if-CONFIG_NETFILTER_NE.patch --] [-- Type: text/x-diff, Size: 1358 bytes --] >From af6b248c22759fb7448668bbe495f1cbe0a9109d Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Tue, 19 Jun 2012 05:25:46 +0200 Subject: [PATCH] netfilter: fix missing symbols if CONFIG_NETFILTER_NETLINK_QUEUE_CT unset ERROR: "nfqnl_ct_parse" [net/netfilter/nfnetlink_queue.ko] undefined! ERROR: "nfqnl_ct_seq_adjust" [net/netfilter/nfnetlink_queue.ko] undefined! ERROR: "nfqnl_ct_put" [net/netfilter/nfnetlink_queue.ko] undefined! ERROR: "nfqnl_ct_get" [net/netfilter/nfnetlink_queue.ko] undefined! We have to use CONFIG_NETFILTER_NETLINK_QUEUE_CT in include/net/netfilter/nfnetlink_queue.h, not CONFIG_NF_CONNTRACK. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nfnetlink_queue.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/netfilter/nfnetlink_queue.h b/include/net/netfilter/nfnetlink_queue.h index 9f8095c..86267a5 100644 --- a/include/net/netfilter/nfnetlink_queue.h +++ b/include/net/netfilter/nfnetlink_queue.h @@ -5,7 +5,7 @@ struct nf_conn; -#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) +#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size, enum ip_conntrack_info *ctinfo); struct nf_conn *nfqnl_ct_parse(const struct sk_buff *skb, -- 1.7.10 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 0/4] netfilter updates for net-next (batch 3) 2012-06-19 3:37 ` Pablo Neira Ayuso @ 2012-06-19 4:09 ` David Miller 0 siblings, 0 replies; 8+ messages in thread From: David Miller @ 2012-06-19 4:09 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Tue, 19 Jun 2012 05:37:45 +0200 > On Tue, Jun 19, 2012 at 05:16:25AM +0200, pablo@netfilter.org wrote: > [...] >> You can pull these changes from: >> >> git://1984.lsi.us.es/nf-next master > > Please, also take the small patch attached after this 4 patch series. It > fixes one linking issue. > > Sorry, I'll put more care next time testing compilation options more > extensively. Done. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2012-06-19 4:09 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2012-06-19 3:16 [PATCH 0/4] netfilter updates for net-next (batch 3) pablo 2012-06-19 3:16 ` [PATCH 1/4] netfilter: ctnetlink: fix NULL dereference while trying to change helper pablo 2012-06-19 3:16 ` [PATCH 2/4] netfilter: nf_ct_helper: disable automatic helper re-assignment of different type pablo 2012-06-19 3:16 ` [PATCH 3/4] netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset pablo 2012-06-19 3:16 ` [PATCH 4/4] netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled pablo 2012-06-19 3:28 ` [PATCH 0/4] netfilter updates for net-next (batch 3) David Miller 2012-06-19 3:37 ` Pablo Neira Ayuso 2012-06-19 4:09 ` David Miller
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.