author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-03-16 10:27:22 -0400 |
committer | Patrick McHardy <kaber@trash.net> | 2009-03-16 10:27:22 -0400 |
commit | e098360f159b3358f085543eb6dc2eb500d6667c (patch) | |
tree | 085ff85d3bb8fa03eed763f1e3f38c71ae580264 /net | |
parent | 7ec4749675bf33ea639bbcca8a5365ccc5091a6a (diff) |
netfilter: ctnetlink: cleanup conntrack update preliminary checkings
This patch moves the preliminary checks that must be fulfilled before
a conntrack can be updated, which are the following:
* NAT manglings cannot be updated
* Changing the master conntrack is not allowed.
This patch is a cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 15 |
1 files changed, 4 insertions, 11 deletions
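diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index cca22d553826..b67db695d83c 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1062,6 +1062,10 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
 {
 	int err;
 
+	/* only allow NAT changes and master assignation for new conntracks */
+	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
+		return -EOPNOTSUPP;
+
 	if (cda[CTA_HELP]) {
 		err = ctnetlink_change_helper(ct, cda);
 		if (err < 0)
@@ -1323,17 +1327,6 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
 		struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
 
-		/* we only allow nat config for new conntracks */
-		if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
-			err = -EOPNOTSUPP;
-			goto out_unlock;
-		}
-		/* can't link an existing conntrack to a master */
-		if (cda[CTA_TUPLE_MASTER]) {
-			err = -EOPNOTSUPP;
-			goto out_unlock;
-		}
-
 		err = ctnetlink_change_conntrack(ct, cda);
 		if (err == 0) {
 			nf_conntrack_get(&ct->ct_general);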
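Review bot: The comment on the check moved into ctnetlink_change_conntrack() should say why the rejection has to be the first thing the function does, not just what it rejects, because the value of this move is that every caller of the update path now refuses NAT and master attributes before any other attribute (helper, status, ...) has been applied to the existing entry. I would replace the added comment with `/* NAT manglings and the master tuple can only be set when a conntrack is created; reject them up front so an update is refused before any other attribute is applied. */` and, as a nit, "assignation" reads better as "assignment". This presumably keeps the old behaviour for the NLM_F_EXCL-less path in ctnetlink_new_conntrack() as long as its caller still treats a non-zero return as a failure, which is handled outside the second hunk and cannot be confirmed here. Both functions start or continue outside the hunks shown.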