netfilter: ctnetlink: group errors into logical errno sets

This patch groups ctnetlink errors into three logical sets: * Malformed messages: if ctnetlink receives a message without some mandatory attribute, then it returns EINVAL. * Unsupported operations: if userspace tries to perform an unsupported operation, then it returns EOPNOTSUPP. * Unchangeable: if userspace tries to change some attribute of the conntrack object that can only be set once, then it returns EBUSY. This patch reduces the number of -EINVAL from 23 to 14 and it results in 5 -EBUSY and 6 -EOPNOTSUPP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2008-06-09 18:56:20 -0400
committer: David S. Miller <davem@davemloft.net> 2008-06-09 18:56:20 -0400
commit: 0adf9d67489cd30bab8eb93f7de81a674e44e1c3 (patch)
tree: 3b29b50ef66f4796211c36a3f098500fcd23a909 /net/netfilter
parent: 93f65158723ceb7078ee9a0fd4830c0de00f4b9e (diff)
1 files changed, 10 insertions, 11 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 0edefcfc5949..13918c1fbf66 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -4,7 +4,7 @@
 * (C) 2001 by Jay Schulist <jschlst@samba.org>
 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * Initial connection tracking via netlink development funded and
 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
@@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
        if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
                /* unchangeable */
-                return -EINVAL;
+                return -EBUSY;
        if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
                /* SEEN_REPLY bit can only be set */
-                return -EINVAL;
+                return -EBUSY;
        if (d & IPS_ASSURED && !(status & IPS_ASSURED))
                /* ASSURED bit can only be set */
-                return -EINVAL;
+                return -EBUSY;
        if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
 #ifndef CONFIG_NF_NAT_NEEDED
-                return -EINVAL;
+                return -EOPNOTSUPP;
 #else
                struct nf_nat_range range;
@@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
        /* don't change helper of sibling connections */
        if (ct->master)
-                return -EINVAL;
+                return -EBUSY;
        err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
        if (err < 0)
@@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
        helper = __nf_conntrack_helper_find_byname(helpname);
        if (helper == NULL)
-                return -EINVAL;
+                return -EOPNOTSUPP;
        if (help) {
                if (help->helper == helper)
@@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
        if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
                /* we only allow nat config for new conntracks */
                if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
-                        err = -EINVAL;
+                        err = -EOPNOTSUPP;
                        goto out_unlock;
                }
                /* can't link an existing conntrack to a master */
                if (cda[CTA_TUPLE_MASTER]) {
-                        err = -EINVAL;
+                        err = -EOPNOTSUPP;
                        goto out_unlock;
                }
                err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
@@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
                h = __nf_conntrack_helper_find_byname(name);
                if (!h) {
                        spin_unlock_bh(&nf_conntrack_lock);
-                        return -EINVAL;
+                        return -EOPNOTSUPP;
                }
                for (i = 0; i < nf_ct_expect_hsize; i++) {
                        hlist_for_each_entry_safe(exp, n, next,
author	Pablo Neira Ayuso <pablo@netfilter.org>	2008-06-09 18:56:20 -0400
committer	David S. Miller <davem@davemloft.net>	2008-06-09 18:56:20 -0400
commit	0adf9d67489cd30bab8eb93f7de81a674e44e1c3 (patch)
tree	3b29b50ef66f4796211c36a3f098500fcd23a909 /net/netfilter
parent	93f65158723ceb7078ee9a0fd4830c0de00f4b9e (diff)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 0edefcfc5949..13918c1fbf66 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -4,7 +4,7 @@
4	* (C) 2001 by Jay Schulist <jschlst@samba.org>	4	* (C) 2001 by Jay Schulist <jschlst@samba.org>
5	* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>	5	* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6	* (C) 2003 by Patrick Mchardy <kaber@trash.net>	6	* (C) 2003 by Patrick Mchardy <kaber@trash.net>
7	* (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org>	7	* (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
8	*	8	*
9	* Initial connection tracking via netlink development funded and	9	* Initial connection tracking via netlink development funded and
10	* generally made possible by Network Robots, Inc. (www.networkrobots.com)	10	* generally made possible by Network Robots, Inc. (www.networkrobots.com)
@@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn ct, struct nlattr cda[])
891		891
892	if (d & (IPS_EXPECTED\|IPS_CONFIRMED\|IPS_DYING))	892	if (d & (IPS_EXPECTED\|IPS_CONFIRMED\|IPS_DYING))
893	/* unchangeable */	893	/* unchangeable */
894	return -EINVAL;	894	return -EBUSY;
895		895
896	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))	896	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
897	/* SEEN_REPLY bit can only be set */	897	/* SEEN_REPLY bit can only be set */
898	return -EINVAL;	898	return -EBUSY;
899
900		899
901	if (d & IPS_ASSURED && !(status & IPS_ASSURED))	900	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
902	/* ASSURED bit can only be set */	901	/* ASSURED bit can only be set */
903	return -EINVAL;	902	return -EBUSY;
904		903
905	if (cda[CTA_NAT_SRC] \|\| cda[CTA_NAT_DST]) {	904	if (cda[CTA_NAT_SRC] \|\| cda[CTA_NAT_DST]) {
906	#ifndef CONFIG_NF_NAT_NEEDED	905	#ifndef CONFIG_NF_NAT_NEEDED
907	return -EINVAL;	906	return -EOPNOTSUPP;
908	#else	907	#else
909	struct nf_nat_range range;	908	struct nf_nat_range range;
910		909
@@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn ct, struct nlattr cda[])
945		944
946	/* don't change helper of sibling connections */	945	/* don't change helper of sibling connections */
947	if (ct->master)	946	if (ct->master)
948	return -EINVAL;	947	return -EBUSY;
949		948
950	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);	949	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
951	if (err < 0)	950	if (err < 0)
@@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn ct, struct nlattr cda[])
963		962
964	helper = __nf_conntrack_helper_find_byname(helpname);	963	helper = __nf_conntrack_helper_find_byname(helpname);
965	if (helper == NULL)	964	if (helper == NULL)
966	return -EINVAL;	965	return -EOPNOTSUPP;
967		966
968	if (help) {	967	if (help) {
969	if (help->helper == helper)	968	if (help->helper == helper)
@@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock ctnl, struct sk_buff skb,
1258	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {	1257	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1259	/* we only allow nat config for new conntracks */	1258	/* we only allow nat config for new conntracks */
1260	if (cda[CTA_NAT_SRC] \|\| cda[CTA_NAT_DST]) {	1259	if (cda[CTA_NAT_SRC] \|\| cda[CTA_NAT_DST]) {
1261	err = -EINVAL;	1260	err = -EOPNOTSUPP;
1262	goto out_unlock;	1261	goto out_unlock;
1263	}	1262	}
1264	/* can't link an existing conntrack to a master */	1263	/* can't link an existing conntrack to a master */
1265	if (cda[CTA_TUPLE_MASTER]) {	1264	if (cda[CTA_TUPLE_MASTER]) {
1266	err = -EINVAL;	1265	err = -EOPNOTSUPP;
1267	goto out_unlock;	1266	goto out_unlock;
1268	}	1267	}
1269	err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),	1268	err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
@@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock ctnl, struct sk_buff skb,
1608	h = __nf_conntrack_helper_find_byname(name);	1607	h = __nf_conntrack_helper_find_byname(name);
1609	if (!h) {	1608	if (!h) {
1610	spin_unlock_bh(&nf_conntrack_lock);	1609	spin_unlock_bh(&nf_conntrack_lock);
1611	return -EINVAL;	1610	return -EOPNOTSUPP;
1612	}	1611	}
1613	for (i = 0; i < nf_ct_expect_hsize; i++) {	1612	for (i = 0; i < nf_ct_expect_hsize; i++) {
1614	hlist_for_each_entry_safe(exp, n, next,	1613	hlist_for_each_entry_safe(exp, n, next,