author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-05-05 11:48:26 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-05-05 11:48:26 -0400 |
commit | fecc1133b66af6e0cd49115a248f34bbb01f180a (patch) | |
tree | 3d1520735b58e63db4d2f7a2aa8e84f796ca38f0 | |
parent | 280f37afa2c270ff029cb420b34396aa002909c3 (diff) |
netfilter: ctnetlink: fix wrong message type in user updates
This patch fixes the wrong message types that are triggered by
user updates. The following commands:
(term1)# conntrack -I -p tcp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 --state LISTEN
(term1)# conntrack -U -p tcp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 --state SYN_SENT
(term1)# conntrack -U -p tcp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 --state SYN_RECV
only trigger event message of type NEW, when only the first is NEW
while others should be UPDATE.
(term2)# conntrack -E
[NEW] tcp 6 10 LISTEN src=1.1.1.1 dst=2.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0
[NEW] tcp 6 10 SYN_SENT src=1.1.1.1 dst=2.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0
[NEW] tcp 6 10 SYN_RECV src=1.1.1.1 dst=2.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0
This patch also removes IPCT_REFRESH from the bitmask since it is
not of any use.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 48 |
1 files changed, 20 insertions, 28 deletions
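--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1186,28 +1186,6 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
 return 0;
 }
 
-static inline void
-ctnetlink_event_report(struct nf_conn *ct, u32 pid, int report)
-{
-unsigned int events = 0;
-
-if (test_bit(IPS_EXPECTED_BIT, &ct->status))
-events |= IPCT_RELATED;
-else
-events |= IPCT_NEW;
-
-nf_conntrack_event_report(IPCT_STATUS |
-IPCT_HELPER |
-IPCT_REFRESH |
-IPCT_PROTOINFO |
-IPCT_NATSEQADJ |
-IPCT_MARK |
-events,
-ct,
-pid,
-report);
-}
-
 static struct nf_conn *
 ctnetlink_create_conntrack(struct nlattr *cda[],
 struct nf_conntrack_tuple *otuple,
@@ -1373,6 +1351,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 err = -ENOENT;
 if (nlh->nlmsg_flags & NLM_F_CREATE) {
 struct nf_conn *ct;
+enum ip_conntrack_events events;
 
 ct = ctnetlink_create_conntrack(cda, &otuple,
 &rtuple, u3);
@@ -1383,9 +1362,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 err = 0;
 nf_conntrack_get(&ct->ct_general);
 spin_unlock_bh(&nf_conntrack_lock);
-ctnetlink_event_report(ct,
-NETLINK_CB(skb).pid,
-nlmsg_report(nlh));
+if (test_bit(IPS_EXPECTED_BIT, &ct->status))
+events = IPCT_RELATED;
+else
+events = IPCT_NEW;
+
+nf_conntrack_event_report(IPCT_STATUS |
+IPCT_HELPER |
+IPCT_PROTOINFO |
+IPCT_NATSEQADJ |
+IPCT_MARK | events,
+ct, NETLINK_CB(skb).pid,
+nlmsg_report(nlh));
 nf_ct_put(ct);
 } else
 spin_unlock_bh(&nf_conntrack_lock);
@@ -1404,9 +1392,13 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 if (err == 0) {
 nf_conntrack_get(&ct->ct_general);
 spin_unlock_bh(&nf_conntrack_lock);
-ctnetlink_event_report(ct,
-NETLINK_CB(skb).pid,
-nlmsg_report(nlh));
+nf_conntrack_event_report(IPCT_STATUS |
+IPCT_HELPER |
+IPCT_PROTOINFO |
+IPCT_NATSEQADJ |
+IPCT_MARK,
+ct, NETLINK_CB(skb).pid,
+nlmsg_report(nlh));
 nf_ct_put(ct);
 } else
 spin_unlock_bh(&nf_conntrack_lock);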
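Review bot: The five-flag mask `IPCT_STATUS | IPCT_HELPER | IPCT_PROTOINFO | IPCT_NATSEQADJ | IPCT_MARK` is now spelled out twice in ctnetlink_new_conntrack (the create path in the third hunk and the update path in this one), which is exactly the duplication the removed ctnetlink_event_report helper avoided; the two copies will drift the next time an attribute is added to user updates. A file-scope constant keeps the mask in one place while preserving the NEW/RELATED-versus-UPDATE distinction this commit introduces, e.g. `#define CTNETLINK_UPDATE_EVENTS (IPCT_STATUS | IPCT_HELPER | IPCT_PROTOINFO | IPCT_NATSEQADJ | IPCT_MARK)` next to the other file-scope definitions, then `nf_conntrack_event_report(CTNETLINK_UPDATE_EVENTS | events, ct, NETLINK_CB(skb).pid, nlmsg_report(nlh));` in the create path and `nf_conntrack_event_report(CTNETLINK_UPDATE_EVENTS, ct, NETLINK_CB(skb).pid, nlmsg_report(nlh));` here. It would also help to say in a one-line comment above the create-path call why IPCT_REFRESH was dropped from the mask, since the commit message gives the reason but the code no longer does. The enclosing ctnetlink_new_conntrack starts before and continues past this hunk.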