authorPablo Neira Ayuso <pablo@netfilter.org>2007-08-07 21:11:26 -0400
committerDavid S. Miller <davem@davemloft.net>2007-08-07 21:11:26 -0400
commitff4ca8273eafbba875a86d333e059e78f292107f (patch)
tree71a484c1dbd7560b570b5072abf3ef014062f686
parent3af8e31cf57646284b5f77f9d57d2c22fa77485a (diff)
[NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks
ctnetlink must return EEXIST for existing nat'ed conntracks instead of EINVAL. Only return EINVAL if we try to update a conntrack with NAT handlings (that is not allowed). Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat TEST: create conntrack (0)(Success) Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat TEST: create conntrack (-1)(Invalid argument) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/netfilter/nf_conntrack_netlink.c17
1 files changed, 9 insertions, 8 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6f89b105a205..2863e72b4091 100644
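--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1052,17 +1052,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
  }
  /* implicit 'else' */
 
- /* we only allow nat config for new conntracks */
- if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
- err = -EINVAL;
- goto out_unlock;
- }
-
  /* We manipulate the conntrack inside the global conntrack table lock,
  * so there's no need to increase the refcount */
  err = -EEXIST;
- if (!(nlh->nlmsg_flags & NLM_F_EXCL))
- err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
+ if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
+ /* we only allow nat config for new conntracks */
+ if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
+ err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
+ cda);
+ }
 
 out_unlock:
  write_unlock_bh(&nf_conntrack_lock);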
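Review bot: The `goto out_unlock` added inside the `!(nlh->nlmsg_flags & NLM_F_EXCL)` block jumps to a label that is the very next statement after the block's closing brace, so the jump only adds nesting. An if/else reads more directly: `if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) err = -EINVAL; else err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);`. The moved comment could also spell out the errno contract that userspace now depends on, for example `/* existing entry: NLM_F_EXCL gets -EEXIST; an update carrying NAT attributes gets -EINVAL */`. ctnetlink_new_conntrack starts and ends outside the hunk, so the lookup of `h` and the point where the lock is taken are not visible here.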