* (C) 2001 by Jay Schulist <jschlst@samba.org>
* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
+ * (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* Initial connection tracking via netlink development funded and
* generally made possible by Network Robots, Inc. (www.networkrobots.com)
static inline int
ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
{
- __be32 id = htonl(ct->id);
+ __be32 id = htonl((unsigned long)ct);
NLA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
return 0;
l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
- if (likely(l3proto->nlattr_to_tuple))
- ret = l3proto->nlattr_to_tuple(tb, tuple);
+ if (likely(l3proto->nlattr_to_tuple)) {
+ ret = nla_validate_nested(attr, CTA_IP_MAX,
+ l3proto->nla_policy);
+ if (ret == 0)
+ ret = l3proto->nlattr_to_tuple(tb, tuple);
+ }
nf_ct_l3proto_put(l3proto);
return ret;
}
-static const size_t cta_min_proto[CTA_PROTO_MAX+1] = {
- [CTA_PROTO_NUM] = sizeof(u_int8_t),
+static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
+ [CTA_PROTO_NUM] = { .type = NLA_U8 },
};
static inline int
struct nf_conntrack_l4proto *l4proto;
int ret = 0;
- nla_parse_nested(tb, CTA_PROTO_MAX, attr, NULL);
-
- if (nlattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
- return -EINVAL;
+ ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
+ if (ret < 0)
+ return ret;
if (!tb[CTA_PROTO_NUM])
return -EINVAL;
l4proto = nf_ct_l4proto_find_get(tuple->src.l3num, tuple->dst.protonum);
- if (likely(l4proto->nlattr_to_tuple))
- ret = l4proto->nlattr_to_tuple(tb, tuple);
+ if (likely(l4proto->nlattr_to_tuple)) {
+ ret = nla_validate_nested(attr, CTA_PROTO_MAX,
+ l4proto->nla_policy);
+ if (ret == 0)
+ ret = l4proto->nlattr_to_tuple(tb, tuple);
+ }
nf_ct_l4proto_put(l4proto);
}
#ifdef CONFIG_NF_NAT_NEEDED
-static const size_t cta_min_protonat[CTA_PROTONAT_MAX+1] = {
- [CTA_PROTONAT_PORT_MIN] = sizeof(u_int16_t),
- [CTA_PROTONAT_PORT_MAX] = sizeof(u_int16_t),
+static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
+ [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
+ [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
};
static int nfnetlink_parse_nat_proto(struct nlattr *attr,
{
struct nlattr *tb[CTA_PROTONAT_MAX+1];
struct nf_nat_protocol *npt;
+ int err;
- nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, NULL);
-
- if (nlattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
- return -EINVAL;
+ err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy);
+ if (err < 0)
+ return err;
npt = nf_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
return 0;
}
-static const size_t cta_min_nat[CTA_NAT_MAX+1] = {
- [CTA_NAT_MINIP] = sizeof(u_int32_t),
- [CTA_NAT_MAXIP] = sizeof(u_int32_t),
+static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
+ [CTA_NAT_MINIP] = { .type = NLA_U32 },
+ [CTA_NAT_MAXIP] = { .type = NLA_U32 },
};
static inline int
memset(range, 0, sizeof(*range));
- nla_parse_nested(tb, CTA_NAT_MAX, nat, NULL);
-
- if (nlattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
- return -EINVAL;
+ err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy);
+ if (err < 0)
+ return err;
if (tb[CTA_NAT_MINIP])
range->min_ip = *(__be32 *)nla_data(tb[CTA_NAT_MINIP]);
return 0;
}
-static const size_t cta_min[CTA_MAX+1] = {
- [CTA_STATUS] = sizeof(u_int32_t),
- [CTA_TIMEOUT] = sizeof(u_int32_t),
- [CTA_MARK] = sizeof(u_int32_t),
- [CTA_USE] = sizeof(u_int32_t),
- [CTA_ID] = sizeof(u_int32_t)
+static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
+ [CTA_STATUS] = { .type = NLA_U32 },
+ [CTA_TIMEOUT] = { .type = NLA_U32 },
+ [CTA_MARK] = { .type = NLA_U32 },
+ [CTA_USE] = { .type = NLA_U32 },
+ [CTA_ID] = { .type = NLA_U32 },
};
static int
u_int8_t u3 = nfmsg->nfgen_family;
int err = 0;
- if (nlattr_bad_size(cda, CTA_MAX, cta_min))
- return -EINVAL;
-
if (cda[CTA_TUPLE_ORIG])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
else if (cda[CTA_TUPLE_REPLY])
if (cda[CTA_ID]) {
u_int32_t id = ntohl(*(__be32 *)nla_data(cda[CTA_ID]));
- if (ct->id != id) {
+ if (id != (u32)(unsigned long)ct) {
nf_ct_put(ct);
return -ENOENT;
}
ctnetlink_done);
}
- if (nlattr_bad_size(cda, CTA_MAX, cta_min))
- return -EINVAL;
-
if (cda[CTA_TUPLE_ORIG])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
else if (cda[CTA_TUPLE_REPLY])
static int
ctnetlink_create_conntrack(struct nlattr *cda[],
struct nf_conntrack_tuple *otuple,
- struct nf_conntrack_tuple *rtuple)
+ struct nf_conntrack_tuple *rtuple,
+ struct nf_conn *master_ct)
{
struct nf_conn *ct;
int err = -EINVAL;
rcu_assign_pointer(help->helper, helper);
}
+ /* setup master conntrack: this is a confirmed expectation */
+ if (master_ct)
+ ct->master = master_ct;
+
add_timer(&ct->timeout);
nf_conntrack_hash_insert(ct);
u_int8_t u3 = nfmsg->nfgen_family;
int err = 0;
- if (nlattr_bad_size(cda, CTA_MAX, cta_min))
- return -EINVAL;
-
if (cda[CTA_TUPLE_ORIG]) {
err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
if (err < 0)
h = __nf_conntrack_find(&rtuple, NULL);
if (h == NULL) {
+ struct nf_conntrack_tuple master;
+ struct nf_conntrack_tuple_hash *master_h = NULL;
+ struct nf_conn *master_ct = NULL;
+
+ if (cda[CTA_TUPLE_MASTER]) {
+ err = ctnetlink_parse_tuple(cda,
+ &master,
+ CTA_TUPLE_MASTER,
+ u3);
+ if (err < 0)
+ return err;
+
+ master_h = __nf_conntrack_find(&master, NULL);
+ if (master_h == NULL) {
+ err = -ENOENT;
+ goto out_unlock;
+ }
+ master_ct = nf_ct_tuplehash_to_ctrack(master_h);
+ atomic_inc(&master_ct->ct_general.use);
+ }
+
write_unlock_bh(&nf_conntrack_lock);
err = -ENOENT;
if (nlh->nlmsg_flags & NLM_F_CREATE)
- err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
+ err = ctnetlink_create_conntrack(cda,
+ &otuple,
+ &rtuple,
+ master_ct);
+ if (err < 0 && master_ct)
+ nf_ct_put(master_ct);
+
return err;
}
/* implicit 'else' */
err = -EINVAL;
goto out_unlock;
}
+ /* can't link an existing conntrack to a master */
+ if (cda[CTA_TUPLE_MASTER]) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
cda);
}
{
struct nf_conn *master = exp->master;
__be32 timeout = htonl((exp->timeout.expires - jiffies) / HZ);
- __be32 id = htonl(exp->id);
+ __be32 id = htonl((unsigned long)exp);
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
goto nla_put_failure;
return skb->len;
}
-static const size_t cta_min_exp[CTA_EXPECT_MAX+1] = {
- [CTA_EXPECT_TIMEOUT] = sizeof(u_int32_t),
- [CTA_EXPECT_ID] = sizeof(u_int32_t)
+static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
+ [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
+ [CTA_EXPECT_ID] = { .type = NLA_U32 },
};
static int
u_int8_t u3 = nfmsg->nfgen_family;
int err = 0;
- if (nlattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
- return -EINVAL;
-
if (nlh->nlmsg_flags & NLM_F_DUMP) {
return netlink_dump_start(ctnl, skb, nlh,
ctnetlink_exp_dump_table,
if (cda[CTA_EXPECT_ID]) {
__be32 id = *(__be32 *)nla_data(cda[CTA_EXPECT_ID]);
- if (exp->id != ntohl(id)) {
+ if (ntohl(id) != (u32)(unsigned long)exp) {
nf_ct_expect_put(exp);
return -ENOENT;
}
unsigned int i;
int err;
- if (nlattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
- return -EINVAL;
-
if (cda[CTA_EXPECT_TUPLE]) {
/* delete a single expect by tuple */
err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
if (cda[CTA_EXPECT_ID]) {
__be32 id = *(__be32 *)nla_data(cda[CTA_EXPECT_ID]);
- if (exp->id != ntohl(id)) {
+ if (ntohl(id) != (u32)(unsigned long)exp) {
nf_ct_expect_put(exp);
return -ENOENT;
}
u_int8_t u3 = nfmsg->nfgen_family;
int err = 0;
- if (nlattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
- return -EINVAL;
-
if (!cda[CTA_EXPECT_TUPLE]
|| !cda[CTA_EXPECT_MASK]
|| !cda[CTA_EXPECT_MASTER])
static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
[IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
- .attr_count = CTA_MAX, },
+ .attr_count = CTA_MAX,
+ .policy = ct_nla_policy },
[IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
- .attr_count = CTA_MAX, },
+ .attr_count = CTA_MAX,
+ .policy = ct_nla_policy },
[IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
- .attr_count = CTA_MAX, },
+ .attr_count = CTA_MAX,
+ .policy = ct_nla_policy },
[IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
- .attr_count = CTA_MAX, },
+ .attr_count = CTA_MAX,
+ .policy = ct_nla_policy },
};
static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
[IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
- .attr_count = CTA_EXPECT_MAX, },
+ .attr_count = CTA_EXPECT_MAX,
+ .policy = exp_nla_policy },
[IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
- .attr_count = CTA_EXPECT_MAX, },
+ .attr_count = CTA_EXPECT_MAX,
+ .policy = exp_nla_policy },
[IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
- .attr_count = CTA_EXPECT_MAX, },
+ .attr_count = CTA_EXPECT_MAX,
+ .policy = exp_nla_policy },
};
static const struct nfnetlink_subsystem ctnl_subsys = {