diff options
| -rw-r--r-- | include/net/netfilter/nf_conntrack_helper.h | 4 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 10 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_amanda.c | 5 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_ftp.c | 10 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_h323_main.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 19 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_irc.c | 7 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_sane.c | 5 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 73 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_tftp.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_nat_amanda.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_nat_ftp.c | 5 | ||||
| -rw-r--r-- | net/netfilter/nf_nat_irc.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_nat_sip.c | 49 | ||||
| -rw-r--r-- | net/netfilter/nf_nat_tftp.c | 4 |
16 files changed, 164 insertions, 65 deletions
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index ce27edf57570..26c4ae5bfbb8 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h | |||
| @@ -100,6 +100,10 @@ struct nf_ct_helper_expectfn { | |||
| 100 | void (*expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp); | 100 | void (*expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp); |
| 101 | }; | 101 | }; |
| 102 | 102 | ||
| 103 | __printf(3,4) | ||
| 104 | void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct, | ||
| 105 | const char *fmt, ...); | ||
| 106 | |||
| 103 | void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n); | 107 | void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n); |
| 104 | void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n); | 108 | void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n); |
| 105 | struct nf_ct_helper_expectfn * | 109 | struct nf_ct_helper_expectfn * |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 48990ada0e1e..2820aa18b542 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
| @@ -100,7 +100,6 @@ static unsigned int ipv4_helper(unsigned int hooknum, | |||
| 100 | enum ip_conntrack_info ctinfo; | 100 | enum ip_conntrack_info ctinfo; |
| 101 | const struct nf_conn_help *help; | 101 | const struct nf_conn_help *help; |
| 102 | const struct nf_conntrack_helper *helper; | 102 | const struct nf_conntrack_helper *helper; |
| 103 | unsigned int ret; | ||
| 104 | 103 | ||
| 105 | /* This is where we call the helper: as the packet goes out. */ | 104 | /* This is where we call the helper: as the packet goes out. */ |
| 106 | ct = nf_ct_get(skb, &ctinfo); | 105 | ct = nf_ct_get(skb, &ctinfo); |
| @@ -116,13 +115,8 @@ static unsigned int ipv4_helper(unsigned int hooknum, | |||
| 116 | if (!helper) | 115 | if (!helper) |
| 117 | return NF_ACCEPT; | 116 | return NF_ACCEPT; |
| 118 | 117 | ||
| 119 | ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb), | 118 | return helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb), |
| 120 | ct, ctinfo); | 119 | ct, ctinfo); |
| 121 | if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) { | ||
| 122 | nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL, | ||
| 123 | "nf_ct_%s: dropping packet", helper->name); | ||
| 124 | } | ||
| 125 | return ret; | ||
| 126 | } | 120 | } |
| 127 | 121 | ||
| 128 | static unsigned int ipv4_confirm(unsigned int hooknum, | 122 | static unsigned int ipv4_confirm(unsigned int hooknum, |
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 8a45bb20bedb..2b6c226f5198 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | |||
| @@ -104,7 +104,6 @@ static unsigned int ipv6_helper(unsigned int hooknum, | |||
| 104 | const struct nf_conn_help *help; | 104 | const struct nf_conn_help *help; |
| 105 | const struct nf_conntrack_helper *helper; | 105 | const struct nf_conntrack_helper *helper; |
| 106 | enum ip_conntrack_info ctinfo; | 106 | enum ip_conntrack_info ctinfo; |
| 107 | unsigned int ret; | ||
| 108 | __be16 frag_off; | 107 | __be16 frag_off; |
| 109 | int protoff; | 108 | int protoff; |
| 110 | u8 nexthdr; | 109 | u8 nexthdr; |
| @@ -130,12 +129,7 @@ static unsigned int ipv6_helper(unsigned int hooknum, | |||
| 130 | return NF_ACCEPT; | 129 | return NF_ACCEPT; |
| 131 | } | 130 | } |
| 132 | 131 | ||
| 133 | ret = helper->help(skb, protoff, ct, ctinfo); | 132 | return helper->help(skb, protoff, ct, ctinfo); |
| 134 | if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) { | ||
| 135 | nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL, | ||
| 136 | "nf_ct_%s: dropping packet", helper->name); | ||
| 137 | } | ||
| 138 | return ret; | ||
| 139 | } | 133 | } |
| 140 | 134 | ||
| 141 | static unsigned int ipv6_confirm(unsigned int hooknum, | 135 | static unsigned int ipv6_confirm(unsigned int hooknum, |
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c index c514fe6033d2..dbdaa1149260 100644 --- a/net/netfilter/nf_conntrack_amanda.c +++ b/net/netfilter/nf_conntrack_amanda.c | |||
| @@ -145,6 +145,7 @@ static int amanda_help(struct sk_buff *skb, | |||
| 145 | 145 | ||
| 146 | exp = nf_ct_expect_alloc(ct); | 146 | exp = nf_ct_expect_alloc(ct); |
| 147 | if (exp == NULL) { | 147 | if (exp == NULL) { |
| 148 | nf_ct_helper_log(skb, ct, "cannot alloc expectation"); | ||
| 148 | ret = NF_DROP; | 149 | ret = NF_DROP; |
| 149 | goto out; | 150 | goto out; |
| 150 | } | 151 | } |
| @@ -158,8 +159,10 @@ static int amanda_help(struct sk_buff *skb, | |||
| 158 | if (nf_nat_amanda && ct->status & IPS_NAT_MASK) | 159 | if (nf_nat_amanda && ct->status & IPS_NAT_MASK) |
| 159 | ret = nf_nat_amanda(skb, ctinfo, protoff, | 160 | ret = nf_nat_amanda(skb, ctinfo, protoff, |
| 160 | off - dataoff, len, exp); | 161 | off - dataoff, len, exp); |
| 161 | else if (nf_ct_expect_related(exp) != 0) | 162 | else if (nf_ct_expect_related(exp) != 0) { |
| 163 | nf_ct_helper_log(skb, ct, "cannot add expectation"); | ||
| 162 | ret = NF_DROP; | 164 | ret = NF_DROP; |
| 165 | } | ||
| 163 | nf_ct_expect_put(exp); | 166 | nf_ct_expect_put(exp); |
| 164 | } | 167 | } |
| 165 | 168 | ||
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index 1ce3befb7c8a..62fb8faedb80 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c | |||
| @@ -435,8 +435,8 @@ skip_nl_seq: | |||
| 435 | connection tracking, not packet filtering. | 435 | connection tracking, not packet filtering. |
| 436 | However, it is necessary for accurate tracking in | 436 | However, it is necessary for accurate tracking in |
| 437 | this case. */ | 437 | this case. */ |
| 438 | pr_debug("conntrack_ftp: partial %s %u+%u\n", | 438 | nf_ct_helper_log(skb, ct, "partial matching of `%s'", |
| 439 | search[dir][i].pattern, ntohl(th->seq), datalen); | 439 | search[dir][i].pattern); |
| 440 | ret = NF_DROP; | 440 | ret = NF_DROP; |
| 441 | goto out; | 441 | goto out; |
| 442 | } else if (found == 0) { /* No match */ | 442 | } else if (found == 0) { /* No match */ |
| @@ -450,6 +450,7 @@ skip_nl_seq: | |||
| 450 | 450 | ||
| 451 | exp = nf_ct_expect_alloc(ct); | 451 | exp = nf_ct_expect_alloc(ct); |
| 452 | if (exp == NULL) { | 452 | if (exp == NULL) { |
| 453 | nf_ct_helper_log(skb, ct, "cannot alloc expectation"); | ||
| 453 | ret = NF_DROP; | 454 | ret = NF_DROP; |
| 454 | goto out; | 455 | goto out; |
| 455 | } | 456 | } |
| @@ -500,9 +501,10 @@ skip_nl_seq: | |||
| 500 | protoff, matchoff, matchlen, exp); | 501 | protoff, matchoff, matchlen, exp); |
| 501 | else { | 502 | else { |
| 502 | /* Can't expect this? Best to drop packet now. */ | 503 | /* Can't expect this? Best to drop packet now. */ |
| 503 | if (nf_ct_expect_related(exp) != 0) | 504 | if (nf_ct_expect_related(exp) != 0) { |
| 505 | nf_ct_helper_log(skb, ct, "cannot add expectation"); | ||
| 504 | ret = NF_DROP; | 506 | ret = NF_DROP; |
| 505 | else | 507 | } else |
| 506 | ret = NF_ACCEPT; | 508 | ret = NF_ACCEPT; |
| 507 | } | 509 | } |
| 508 | 510 | ||
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 962795e839ab..7df7b36d2e24 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c | |||
| @@ -623,7 +623,7 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff, | |||
| 623 | 623 | ||
| 624 | drop: | 624 | drop: |
| 625 | spin_unlock_bh(&nf_h323_lock); | 625 | spin_unlock_bh(&nf_h323_lock); |
| 626 | net_info_ratelimited("nf_ct_h245: packet dropped\n"); | 626 | nf_ct_helper_log(skb, ct, "cannot process H.245 message"); |
| 627 | return NF_DROP; | 627 | return NF_DROP; |
| 628 | } | 628 | } |
| 629 | 629 | ||
| @@ -1197,7 +1197,7 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff, | |||
| 1197 | 1197 | ||
| 1198 | drop: | 1198 | drop: |
| 1199 | spin_unlock_bh(&nf_h323_lock); | 1199 | spin_unlock_bh(&nf_h323_lock); |
| 1200 | net_info_ratelimited("nf_ct_q931: packet dropped\n"); | 1200 | nf_ct_helper_log(skb, ct, "cannot process Q.931 message"); |
| 1201 | return NF_DROP; | 1201 | return NF_DROP; |
| 1202 | } | 1202 | } |
| 1203 | 1203 | ||
| @@ -1795,7 +1795,7 @@ static int ras_help(struct sk_buff *skb, unsigned int protoff, | |||
| 1795 | 1795 | ||
| 1796 | drop: | 1796 | drop: |
| 1797 | spin_unlock_bh(&nf_h323_lock); | 1797 | spin_unlock_bh(&nf_h323_lock); |
| 1798 | net_info_ratelimited("nf_ct_ras: packet dropped\n"); | 1798 | nf_ct_helper_log(skb, ct, "cannot process RAS message"); |
| 1799 | return NF_DROP; | 1799 | return NF_DROP; |
| 1800 | } | 1800 | } |
| 1801 | 1801 | ||
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 2f380f73c4c0..c08768da7936 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
| @@ -28,6 +28,7 @@ | |||
| 28 | #include <net/netfilter/nf_conntrack_helper.h> | 28 | #include <net/netfilter/nf_conntrack_helper.h> |
| 29 | #include <net/netfilter/nf_conntrack_core.h> | 29 | #include <net/netfilter/nf_conntrack_core.h> |
| 30 | #include <net/netfilter/nf_conntrack_extend.h> | 30 | #include <net/netfilter/nf_conntrack_extend.h> |
| 31 | #include <net/netfilter/nf_log.h> | ||
| 31 | 32 | ||
| 32 | static DEFINE_MUTEX(nf_ct_helper_mutex); | 33 | static DEFINE_MUTEX(nf_ct_helper_mutex); |
| 33 | struct hlist_head *nf_ct_helper_hash __read_mostly; | 34 | struct hlist_head *nf_ct_helper_hash __read_mostly; |
| @@ -332,6 +333,24 @@ nf_ct_helper_expectfn_find_by_symbol(const void *symbol) | |||
| 332 | } | 333 | } |
| 333 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol); | 334 | EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol); |
| 334 | 335 | ||
| 336 | __printf(3, 4) | ||
| 337 | void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct, | ||
| 338 | const char *fmt, ...) | ||
| 339 | { | ||
| 340 | const struct nf_conn_help *help; | ||
| 341 | const struct nf_conntrack_helper *helper; | ||
| 342 | |||
| 343 | /* Called from the helper function, this call never fails */ | ||
| 344 | help = nfct_help(ct); | ||
| 345 | |||
| 346 | /* rcu_read_lock()ed by nf_hook_slow */ | ||
| 347 | helper = rcu_dereference(help->helper); | ||
| 348 | |||
| 349 | nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, | ||
| 350 | "nf_ct_%s: dropping packet: %s ", helper->name, fmt); | ||
| 351 | } | ||
| 352 | EXPORT_SYMBOL_GPL(nf_ct_helper_log); | ||
| 353 | |||
| 335 | int nf_conntrack_helper_register(struct nf_conntrack_helper *me) | 354 | int nf_conntrack_helper_register(struct nf_conntrack_helper *me) |
| 336 | { | 355 | { |
| 337 | int ret = 0; | 356 | int ret = 0; |
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index 3b20aa77cfc8..70985c5d0ffa 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c | |||
| @@ -194,6 +194,8 @@ static int help(struct sk_buff *skb, unsigned int protoff, | |||
| 194 | 194 | ||
| 195 | exp = nf_ct_expect_alloc(ct); | 195 | exp = nf_ct_expect_alloc(ct); |
| 196 | if (exp == NULL) { | 196 | if (exp == NULL) { |
| 197 | nf_ct_helper_log(skb, ct, | ||
| 198 | "cannot alloc expectation"); | ||
| 197 | ret = NF_DROP; | 199 | ret = NF_DROP; |
| 198 | goto out; | 200 | goto out; |
| 199 | } | 201 | } |
| @@ -210,8 +212,11 @@ static int help(struct sk_buff *skb, unsigned int protoff, | |||
| 210 | addr_beg_p - ib_ptr, | 212 | addr_beg_p - ib_ptr, |
| 211 | addr_end_p - addr_beg_p, | 213 | addr_end_p - addr_beg_p, |
| 212 | exp); | 214 | exp); |
| 213 | else if (nf_ct_expect_related(exp) != 0) | 215 | else if (nf_ct_expect_related(exp) != 0) { |
| 216 | nf_ct_helper_log(skb, ct, | ||
| 217 | "cannot add expectation"); | ||
| 214 | ret = NF_DROP; | 218 | ret = NF_DROP; |
| 219 | } | ||
| 215 | nf_ct_expect_put(exp); | 220 | nf_ct_expect_put(exp); |
| 216 | goto out; | 221 | goto out; |
| 217 | } | 222 | } |
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c index 295429f39088..4a2134fd3fcb 100644 --- a/net/netfilter/nf_conntrack_sane.c +++ b/net/netfilter/nf_conntrack_sane.c | |||
| @@ -138,6 +138,7 @@ static int help(struct sk_buff *skb, | |||
| 138 | 138 | ||
| 139 | exp = nf_ct_expect_alloc(ct); | 139 | exp = nf_ct_expect_alloc(ct); |
| 140 | if (exp == NULL) { | 140 | if (exp == NULL) { |
| 141 | nf_ct_helper_log(skb, ct, "cannot alloc expectation"); | ||
| 141 | ret = NF_DROP; | 142 | ret = NF_DROP; |
| 142 | goto out; | 143 | goto out; |
| 143 | } | 144 | } |
| @@ -151,8 +152,10 @@ static int help(struct sk_buff *skb, | |||
| 151 | nf_ct_dump_tuple(&exp->tuple); | 152 | nf_ct_dump_tuple(&exp->tuple); |
| 152 | 153 | ||
| 153 | /* Can't expect this? Best to drop packet now. */ | 154 | /* Can't expect this? Best to drop packet now. */ |
| 154 | if (nf_ct_expect_related(exp) != 0) | 155 | if (nf_ct_expect_related(exp) != 0) { |
| 156 | nf_ct_helper_log(skb, ct, "cannot add expectation"); | ||
| 155 | ret = NF_DROP; | 157 | ret = NF_DROP; |
| 158 | } | ||
| 156 | 159 | ||
| 157 | nf_ct_expect_put(exp); | 160 | nf_ct_expect_put(exp); |
| 158 | 161 | ||
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 72a67bbe3518..069229d919b6 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c | |||
| @@ -1095,8 +1095,10 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff, | |||
| 1095 | port = simple_strtoul(*dptr + mediaoff, NULL, 10); | 1095 | port = simple_strtoul(*dptr + mediaoff, NULL, 10); |
| 1096 | if (port == 0) | 1096 | if (port == 0) |
| 1097 | continue; | 1097 | continue; |
| 1098 | if (port < 1024 || port > 65535) | 1098 | if (port < 1024 || port > 65535) { |
| 1099 | nf_ct_helper_log(skb, ct, "wrong port %u", port); | ||
| 1099 | return NF_DROP; | 1100 | return NF_DROP; |
| 1101 | } | ||
| 1100 | 1102 | ||
| 1101 | /* The media description overrides the session description. */ | 1103 | /* The media description overrides the session description. */ |
| 1102 | maddr_len = 0; | 1104 | maddr_len = 0; |
| @@ -1107,15 +1109,20 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff, | |||
| 1107 | memcpy(&rtp_addr, &maddr, sizeof(rtp_addr)); | 1109 | memcpy(&rtp_addr, &maddr, sizeof(rtp_addr)); |
| 1108 | } else if (caddr_len) | 1110 | } else if (caddr_len) |
| 1109 | memcpy(&rtp_addr, &caddr, sizeof(rtp_addr)); | 1111 | memcpy(&rtp_addr, &caddr, sizeof(rtp_addr)); |
| 1110 | else | 1112 | else { |
| 1113 | nf_ct_helper_log(skb, ct, "cannot parse SDP message"); | ||
| 1111 | return NF_DROP; | 1114 | return NF_DROP; |
| 1115 | } | ||
| 1112 | 1116 | ||
| 1113 | ret = set_expected_rtp_rtcp(skb, protoff, dataoff, | 1117 | ret = set_expected_rtp_rtcp(skb, protoff, dataoff, |
| 1114 | dptr, datalen, | 1118 | dptr, datalen, |
| 1115 | &rtp_addr, htons(port), t->class, | 1119 | &rtp_addr, htons(port), t->class, |
| 1116 | mediaoff, medialen); | 1120 | mediaoff, medialen); |
| 1117 | if (ret != NF_ACCEPT) | 1121 | if (ret != NF_ACCEPT) { |
| 1122 | nf_ct_helper_log(skb, ct, | ||
| 1123 | "cannot add expectation for voice"); | ||
| 1118 | return ret; | 1124 | return ret; |
| 1125 | } | ||
| 1119 | 1126 | ||
| 1120 | /* Update media connection address if present */ | 1127 | /* Update media connection address if present */ |
| 1121 | if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) { | 1128 | if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) { |
| @@ -1123,8 +1130,10 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff, | |||
| 1123 | dptr, datalen, mediaoff, | 1130 | dptr, datalen, mediaoff, |
| 1124 | SDP_HDR_CONNECTION, SDP_HDR_MEDIA, | 1131 | SDP_HDR_CONNECTION, SDP_HDR_MEDIA, |
| 1125 | &rtp_addr); | 1132 | &rtp_addr); |
| 1126 | if (ret != NF_ACCEPT) | 1133 | if (ret != NF_ACCEPT) { |
| 1134 | nf_ct_helper_log(skb, ct, "cannot mangle SDP"); | ||
| 1127 | return ret; | 1135 | return ret; |
| 1136 | } | ||
| 1128 | } | 1137 | } |
| 1129 | i++; | 1138 | i++; |
| 1130 | } | 1139 | } |
| @@ -1258,9 +1267,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff, | |||
| 1258 | ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, | 1267 | ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, |
| 1259 | SIP_HDR_CONTACT, NULL, | 1268 | SIP_HDR_CONTACT, NULL, |
| 1260 | &matchoff, &matchlen, &daddr, &port); | 1269 | &matchoff, &matchlen, &daddr, &port); |
| 1261 | if (ret < 0) | 1270 | if (ret < 0) { |
| 1271 | nf_ct_helper_log(skb, ct, "cannot parse contact"); | ||
| 1262 | return NF_DROP; | 1272 | return NF_DROP; |
| 1263 | else if (ret == 0) | 1273 | } else if (ret == 0) |
| 1264 | return NF_ACCEPT; | 1274 | return NF_ACCEPT; |
| 1265 | 1275 | ||
| 1266 | /* We don't support third-party registrations */ | 1276 | /* We don't support third-party registrations */ |
| @@ -1273,8 +1283,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff, | |||
| 1273 | 1283 | ||
| 1274 | if (ct_sip_parse_numerical_param(ct, *dptr, | 1284 | if (ct_sip_parse_numerical_param(ct, *dptr, |
| 1275 | matchoff + matchlen, *datalen, | 1285 | matchoff + matchlen, *datalen, |
| 1276 | "expires=", NULL, NULL, &expires) < 0) | 1286 | "expires=", NULL, NULL, &expires) < 0) { |
| 1287 | nf_ct_helper_log(skb, ct, "cannot parse expires"); | ||
| 1277 | return NF_DROP; | 1288 | return NF_DROP; |
| 1289 | } | ||
| 1278 | 1290 | ||
| 1279 | if (expires == 0) { | 1291 | if (expires == 0) { |
| 1280 | ret = NF_ACCEPT; | 1292 | ret = NF_ACCEPT; |
| @@ -1282,8 +1294,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff, | |||
| 1282 | } | 1294 | } |
| 1283 | 1295 | ||
| 1284 | exp = nf_ct_expect_alloc(ct); | 1296 | exp = nf_ct_expect_alloc(ct); |
| 1285 | if (!exp) | 1297 | if (!exp) { |
| 1298 | nf_ct_helper_log(skb, ct, "cannot alloc expectation"); | ||
| 1286 | return NF_DROP; | 1299 | return NF_DROP; |
| 1300 | } | ||
| 1287 | 1301 | ||
| 1288 | saddr = NULL; | 1302 | saddr = NULL; |
| 1289 | if (sip_direct_signalling) | 1303 | if (sip_direct_signalling) |
| @@ -1300,9 +1314,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff, | |||
| 1300 | ret = nf_nat_sip_expect(skb, protoff, dataoff, dptr, datalen, | 1314 | ret = nf_nat_sip_expect(skb, protoff, dataoff, dptr, datalen, |
| 1301 | exp, matchoff, matchlen); | 1315 | exp, matchoff, matchlen); |
| 1302 | else { | 1316 | else { |
| 1303 | if (nf_ct_expect_related(exp) != 0) | 1317 | if (nf_ct_expect_related(exp) != 0) { |
| 1318 | nf_ct_helper_log(skb, ct, "cannot add expectation"); | ||
| 1304 | ret = NF_DROP; | 1319 | ret = NF_DROP; |
| 1305 | else | 1320 | } else |
| 1306 | ret = NF_ACCEPT; | 1321 | ret = NF_ACCEPT; |
| 1307 | } | 1322 | } |
| 1308 | nf_ct_expect_put(exp); | 1323 | nf_ct_expect_put(exp); |
| @@ -1356,9 +1371,10 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff, | |||
| 1356 | SIP_HDR_CONTACT, &in_contact, | 1371 | SIP_HDR_CONTACT, &in_contact, |
| 1357 | &matchoff, &matchlen, | 1372 | &matchoff, &matchlen, |
| 1358 | &addr, &port); | 1373 | &addr, &port); |
| 1359 | if (ret < 0) | 1374 | if (ret < 0) { |
| 1375 | nf_ct_helper_log(skb, ct, "cannot parse contact"); | ||
| 1360 | return NF_DROP; | 1376 | return NF_DROP; |
| 1361 | else if (ret == 0) | 1377 | } else if (ret == 0) |
| 1362 | break; | 1378 | break; |
| 1363 | 1379 | ||
| 1364 | /* We don't support third-party registrations */ | 1380 | /* We don't support third-party registrations */ |
| @@ -1373,8 +1389,10 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff, | |||
| 1373 | matchoff + matchlen, | 1389 | matchoff + matchlen, |
| 1374 | *datalen, "expires=", | 1390 | *datalen, "expires=", |
| 1375 | NULL, NULL, &c_expires); | 1391 | NULL, NULL, &c_expires); |
| 1376 | if (ret < 0) | 1392 | if (ret < 0) { |
| 1393 | nf_ct_helper_log(skb, ct, "cannot parse expires"); | ||
| 1377 | return NF_DROP; | 1394 | return NF_DROP; |
| 1395 | } | ||
| 1378 | if (c_expires == 0) | 1396 | if (c_expires == 0) |
| 1379 | break; | 1397 | break; |
| 1380 | if (refresh_signalling_expectation(ct, &addr, proto, port, | 1398 | if (refresh_signalling_expectation(ct, &addr, proto, port, |
| @@ -1408,15 +1426,21 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff, | |||
| 1408 | if (*datalen < strlen("SIP/2.0 200")) | 1426 | if (*datalen < strlen("SIP/2.0 200")) |
| 1409 | return NF_ACCEPT; | 1427 | return NF_ACCEPT; |
| 1410 | code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10); | 1428 | code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10); |
| 1411 | if (!code) | 1429 | if (!code) { |
| 1430 | nf_ct_helper_log(skb, ct, "cannot get code"); | ||
| 1412 | return NF_DROP; | 1431 | return NF_DROP; |
| 1432 | } | ||
| 1413 | 1433 | ||
| 1414 | if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, | 1434 | if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, |
| 1415 | &matchoff, &matchlen) <= 0) | 1435 | &matchoff, &matchlen) <= 0) { |
| 1436 | nf_ct_helper_log(skb, ct, "cannot parse cseq"); | ||
| 1416 | return NF_DROP; | 1437 | return NF_DROP; |
| 1438 | } | ||
| 1417 | cseq = simple_strtoul(*dptr + matchoff, NULL, 10); | 1439 | cseq = simple_strtoul(*dptr + matchoff, NULL, 10); |
| 1418 | if (!cseq) | 1440 | if (!cseq) { |
| 1441 | nf_ct_helper_log(skb, ct, "cannot get cseq"); | ||
| 1419 | return NF_DROP; | 1442 | return NF_DROP; |
| 1443 | } | ||
| 1420 | matchend = matchoff + matchlen + 1; | 1444 | matchend = matchoff + matchlen + 1; |
| 1421 | 1445 | ||
| 1422 | for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { | 1446 | for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { |
| @@ -1471,11 +1495,15 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff, | |||
| 1471 | continue; | 1495 | continue; |
| 1472 | 1496 | ||
| 1473 | if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, | 1497 | if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, |
| 1474 | &matchoff, &matchlen) <= 0) | 1498 | &matchoff, &matchlen) <= 0) { |
| 1499 | nf_ct_helper_log(skb, ct, "cannot parse cseq"); | ||
| 1475 | return NF_DROP; | 1500 | return NF_DROP; |
| 1501 | } | ||
| 1476 | cseq = simple_strtoul(*dptr + matchoff, NULL, 10); | 1502 | cseq = simple_strtoul(*dptr + matchoff, NULL, 10); |
| 1477 | if (!cseq) | 1503 | if (!cseq) { |
| 1504 | nf_ct_helper_log(skb, ct, "cannot get cseq"); | ||
| 1478 | return NF_DROP; | 1505 | return NF_DROP; |
| 1506 | } | ||
| 1479 | 1507 | ||
| 1480 | return handler->request(skb, protoff, dataoff, dptr, datalen, | 1508 | return handler->request(skb, protoff, dataoff, dptr, datalen, |
| 1481 | cseq); | 1509 | cseq); |
| @@ -1498,8 +1526,10 @@ static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct, | |||
| 1498 | if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { | 1526 | if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { |
| 1499 | nf_nat_sip = rcu_dereference(nf_nat_sip_hook); | 1527 | nf_nat_sip = rcu_dereference(nf_nat_sip_hook); |
| 1500 | if (nf_nat_sip && !nf_nat_sip(skb, protoff, dataoff, | 1528 | if (nf_nat_sip && !nf_nat_sip(skb, protoff, dataoff, |
| 1501 | dptr, datalen)) | 1529 | dptr, datalen)) { |
| 1530 | nf_ct_helper_log(skb, ct, "cannot NAT SIP message"); | ||
| 1502 | ret = NF_DROP; | 1531 | ret = NF_DROP; |
| 1532 | } | ||
| 1503 | } | 1533 | } |
| 1504 | 1534 | ||
| 1505 | return ret; | 1535 | return ret; |
| @@ -1563,11 +1593,14 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, | |||
| 1563 | end += strlen("\r\n\r\n") + clen; | 1593 | end += strlen("\r\n\r\n") + clen; |
| 1564 | 1594 | ||
| 1565 | msglen = origlen = end - dptr; | 1595 | msglen = origlen = end - dptr; |
| 1566 | if (msglen > datalen) | 1596 | if (msglen > datalen) { |
| 1597 | nf_ct_helper_log(skb, ct, "incomplete/bad SIP message"); | ||
| 1567 | return NF_DROP; | 1598 | return NF_DROP; |
| 1599 | } | ||
| 1568 | 1600 | ||
| 1569 | ret = process_sip_msg(skb, ct, protoff, dataoff, | 1601 | ret = process_sip_msg(skb, ct, protoff, dataoff, |
| 1570 | &dptr, &msglen); | 1602 | &dptr, &msglen); |
| 1603 | /* process_sip_* functions report why this packet is dropped */ | ||
| 1571 | if (ret != NF_ACCEPT) | 1604 | if (ret != NF_ACCEPT) |
| 1572 | break; | 1605 | break; |
| 1573 | diff = msglen - origlen; | 1606 | diff = msglen - origlen; |
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c index 81fc61c05263..e9936c830208 100644 --- a/net/netfilter/nf_conntrack_tftp.c +++ b/net/netfilter/nf_conntrack_tftp.c | |||
| @@ -60,8 +60,10 @@ static int tftp_help(struct sk_buff *skb, | |||
| 60 | nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | 60 | nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); |
| 61 | 61 | ||
| 62 | exp = nf_ct_expect_alloc(ct); | 62 | exp = nf_ct_expect_alloc(ct); |
| 63 | if (exp == NULL) | 63 | if (exp == NULL) { |
| 64 | nf_ct_helper_log(skb, ct, "cannot alloc expectation"); | ||
| 64 | return NF_DROP; | 65 | return NF_DROP; |
| 66 | } | ||
| 65 | tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple; | 67 | tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple; |
| 66 | nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, | 68 | nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, |
| 67 | nf_ct_l3num(ct), | 69 | nf_ct_l3num(ct), |
| @@ -74,8 +76,10 @@ static int tftp_help(struct sk_buff *skb, | |||
| 74 | nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook); | 76 | nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook); |
| 75 | if (nf_nat_tftp && ct->status & IPS_NAT_MASK) | 77 | if (nf_nat_tftp && ct->status & IPS_NAT_MASK) |
| 76 | ret = nf_nat_tftp(skb, ctinfo, exp); | 78 | ret = nf_nat_tftp(skb, ctinfo, exp); |
| 77 | else if (nf_ct_expect_related(exp) != 0) | 79 | else if (nf_ct_expect_related(exp) != 0) { |
| 80 | nf_ct_helper_log(skb, ct, "cannot add expectation"); | ||
| 78 | ret = NF_DROP; | 81 | ret = NF_DROP; |
| 82 | } | ||
| 79 | nf_ct_expect_put(exp); | 83 | nf_ct_expect_put(exp); |
| 80 | break; | 84 | break; |
| 81 | case TFTP_OPCODE_DATA: | 85 | case TFTP_OPCODE_DATA: |
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c index 42d337881171..3b67c9d11273 100644 --- a/net/netfilter/nf_nat_amanda.c +++ b/net/netfilter/nf_nat_amanda.c | |||
| @@ -56,15 +56,19 @@ static unsigned int help(struct sk_buff *skb, | |||
| 56 | } | 56 | } |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | if (port == 0) | 59 | if (port == 0) { |
| 60 | nf_ct_helper_log(skb, exp->master, "all ports in use"); | ||
| 60 | return NF_DROP; | 61 | return NF_DROP; |
| 62 | } | ||
| 61 | 63 | ||
| 62 | sprintf(buffer, "%u", port); | 64 | sprintf(buffer, "%u", port); |
| 63 | ret = nf_nat_mangle_udp_packet(skb, exp->master, ctinfo, | 65 | ret = nf_nat_mangle_udp_packet(skb, exp->master, ctinfo, |
| 64 | protoff, matchoff, matchlen, | 66 | protoff, matchoff, matchlen, |
| 65 | buffer, strlen(buffer)); | 67 | buffer, strlen(buffer)); |
| 66 | if (ret != NF_ACCEPT) | 68 | if (ret != NF_ACCEPT) { |
| 69 | nf_ct_helper_log(skb, exp->master, "cannot mangle packet"); | ||
| 67 | nf_ct_unexpect_related(exp); | 70 | nf_ct_unexpect_related(exp); |
| 71 | } | ||
| 68 | return ret; | 72 | return ret; |
| 69 | } | 73 | } |
| 70 | 74 | ||
diff --git a/net/netfilter/nf_nat_ftp.c b/net/netfilter/nf_nat_ftp.c index e839b97b2863..e84a578dbe35 100644 --- a/net/netfilter/nf_nat_ftp.c +++ b/net/netfilter/nf_nat_ftp.c | |||
| @@ -96,8 +96,10 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, | |||
| 96 | } | 96 | } |
| 97 | } | 97 | } |
| 98 | 98 | ||
| 99 | if (port == 0) | 99 | if (port == 0) { |
| 100 | nf_ct_helper_log(skb, ct, "all ports in use"); | ||
| 100 | return NF_DROP; | 101 | return NF_DROP; |
| 102 | } | ||
| 101 | 103 | ||
| 102 | buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer), | 104 | buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer), |
| 103 | &newaddr, port); | 105 | &newaddr, port); |
| @@ -113,6 +115,7 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, | |||
| 113 | return NF_ACCEPT; | 115 | return NF_ACCEPT; |
| 114 | 116 | ||
| 115 | out: | 117 | out: |
| 118 | nf_ct_helper_log(skb, ct, "cannot mangle packet"); | ||
| 116 | nf_ct_unexpect_related(exp); | 119 | nf_ct_unexpect_related(exp); |
| 117 | return NF_DROP; | 120 | return NF_DROP; |
| 118 | } | 121 | } |
diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c index 1fedee6e7fb6..f02b3605823e 100644 --- a/net/netfilter/nf_nat_irc.c +++ b/net/netfilter/nf_nat_irc.c | |||
| @@ -56,14 +56,18 @@ static unsigned int help(struct sk_buff *skb, | |||
| 56 | } | 56 | } |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | if (port == 0) | 59 | if (port == 0) { |
| 60 | nf_ct_helper_log(skb, exp->master, "all ports in use"); | ||
| 60 | return NF_DROP; | 61 | return NF_DROP; |
| 62 | } | ||
| 61 | 63 | ||
| 62 | ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo, | 64 | ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo, |
| 63 | protoff, matchoff, matchlen, buffer, | 65 | protoff, matchoff, matchlen, buffer, |
| 64 | strlen(buffer)); | 66 | strlen(buffer)); |
| 65 | if (ret != NF_ACCEPT) | 67 | if (ret != NF_ACCEPT) { |
| 68 | nf_ct_helper_log(skb, exp->master, "cannot mangle packet"); | ||
| 66 | nf_ct_unexpect_related(exp); | 69 | nf_ct_unexpect_related(exp); |
| 70 | } | ||
| 67 | return ret; | 71 | return ret; |
| 68 | } | 72 | } |
| 69 | 73 | ||
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c index 5951146e7688..96ccdf78a29f 100644 --- a/net/netfilter/nf_nat_sip.c +++ b/net/netfilter/nf_nat_sip.c | |||
| @@ -159,8 +159,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, | |||
| 159 | &matchoff, &matchlen, | 159 | &matchoff, &matchlen, |
| 160 | &addr, &port) > 0 && | 160 | &addr, &port) > 0 && |
| 161 | !map_addr(skb, protoff, dataoff, dptr, datalen, | 161 | !map_addr(skb, protoff, dataoff, dptr, datalen, |
| 162 | matchoff, matchlen, &addr, port)) | 162 | matchoff, matchlen, &addr, port)) { |
| 163 | nf_ct_helper_log(skb, ct, "cannot mangle SIP message"); | ||
| 163 | return NF_DROP; | 164 | return NF_DROP; |
| 165 | } | ||
| 164 | request = 1; | 166 | request = 1; |
| 165 | } else | 167 | } else |
| 166 | request = 0; | 168 | request = 0; |
| @@ -193,8 +195,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, | |||
| 193 | 195 | ||
| 194 | olen = *datalen; | 196 | olen = *datalen; |
| 195 | if (!map_addr(skb, protoff, dataoff, dptr, datalen, | 197 | if (!map_addr(skb, protoff, dataoff, dptr, datalen, |
| 196 | matchoff, matchlen, &addr, port)) | 198 | matchoff, matchlen, &addr, port)) { |
| 199 | nf_ct_helper_log(skb, ct, "cannot mangle Via header"); | ||
| 197 | return NF_DROP; | 200 | return NF_DROP; |
| 201 | } | ||
| 198 | 202 | ||
| 199 | matchend = matchoff + matchlen + *datalen - olen; | 203 | matchend = matchoff + matchlen + *datalen - olen; |
| 200 | 204 | ||
| @@ -209,8 +213,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, | |||
| 209 | &ct->tuplehash[!dir].tuple.dst.u3, | 213 | &ct->tuplehash[!dir].tuple.dst.u3, |
| 210 | true); | 214 | true); |
| 211 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | 215 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, |
| 212 | poff, plen, buffer, buflen)) | 216 | poff, plen, buffer, buflen)) { |
| 217 | nf_ct_helper_log(skb, ct, "cannot mangle maddr"); | ||
| 213 | return NF_DROP; | 218 | return NF_DROP; |
| 219 | } | ||
| 214 | } | 220 | } |
| 215 | 221 | ||
| 216 | /* The received= parameter (RFC 2361) contains the address | 222 | /* The received= parameter (RFC 2361) contains the address |
| @@ -225,6 +231,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, | |||
| 225 | false); | 231 | false); |
| 226 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | 232 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, |
| 227 | poff, plen, buffer, buflen)) | 233 | poff, plen, buffer, buflen)) |
| 234 | nf_ct_helper_log(skb, ct, "cannot mangle received"); | ||
| 228 | return NF_DROP; | 235 | return NF_DROP; |
| 229 | } | 236 | } |
| 230 | 237 | ||
| @@ -238,8 +245,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, | |||
| 238 | __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port; | 245 | __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port; |
| 239 | buflen = sprintf(buffer, "%u", ntohs(p)); | 246 | buflen = sprintf(buffer, "%u", ntohs(p)); |
| 240 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | 247 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, |
| 241 | poff, plen, buffer, buflen)) | 248 | poff, plen, buffer, buflen)) { |
| 249 | nf_ct_helper_log(skb, ct, "cannot mangle rport"); | ||
| 242 | return NF_DROP; | 250 | return NF_DROP; |
| 251 | } | ||
| 243 | } | 252 | } |
| 244 | } | 253 | } |
| 245 | 254 | ||
| @@ -253,27 +262,35 @@ next: | |||
| 253 | &addr, &port) > 0) { | 262 | &addr, &port) > 0) { |
| 254 | if (!map_addr(skb, protoff, dataoff, dptr, datalen, | 263 | if (!map_addr(skb, protoff, dataoff, dptr, datalen, |
| 255 | matchoff, matchlen, | 264 | matchoff, matchlen, |
| 256 | &addr, port)) | 265 | &addr, port)) { |
| 266 | nf_ct_helper_log(skb, ct, "cannot mangle contact"); | ||
| 257 | return NF_DROP; | 267 | return NF_DROP; |
| 268 | } | ||
| 258 | } | 269 | } |
| 259 | 270 | ||
| 260 | if (!map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_FROM) || | 271 | if (!map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_FROM) || |
| 261 | !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) | 272 | !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) { |
| 273 | nf_ct_helper_log(skb, ct, "cannot mangle SIP from/to"); | ||
| 262 | return NF_DROP; | 274 | return NF_DROP; |
| 275 | } | ||
| 263 | 276 | ||
| 264 | /* Mangle destination port for Cisco phones, then fix up checksums */ | 277 | /* Mangle destination port for Cisco phones, then fix up checksums */ |
| 265 | if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) { | 278 | if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) { |
| 266 | struct udphdr *uh; | 279 | struct udphdr *uh; |
| 267 | 280 | ||
| 268 | if (!skb_make_writable(skb, skb->len)) | 281 | if (!skb_make_writable(skb, skb->len)) { |
| 282 | nf_ct_helper_log(skb, ct, "cannot mangle packet"); | ||
| 269 | return NF_DROP; | 283 | return NF_DROP; |
| 284 | } | ||
| 270 | 285 | ||
| 271 | uh = (void *)skb->data + protoff; | 286 | uh = (void *)skb->data + protoff; |
| 272 | uh->dest = ct_sip_info->forced_dport; | 287 | uh->dest = ct_sip_info->forced_dport; |
| 273 | 288 | ||
| 274 | if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, protoff, | 289 | if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, protoff, |
| 275 | 0, 0, NULL, 0)) | 290 | 0, 0, NULL, 0)) { |
| 291 | nf_ct_helper_log(skb, ct, "cannot mangle packet"); | ||
| 276 | return NF_DROP; | 292 | return NF_DROP; |
| 293 | } | ||
| 277 | } | 294 | } |
| 278 | 295 | ||
| 279 | return NF_ACCEPT; | 296 | return NF_ACCEPT; |
| @@ -372,15 +389,19 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff, | |||
| 372 | } | 389 | } |
| 373 | } | 390 | } |
| 374 | 391 | ||
| 375 | if (port == 0) | 392 | if (port == 0) { |
| 393 | nf_ct_helper_log(skb, ct, "all ports in use for SIP"); | ||
| 376 | return NF_DROP; | 394 | return NF_DROP; |
| 395 | } | ||
| 377 | 396 | ||
| 378 | if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) || | 397 | if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) || |
| 379 | exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) { | 398 | exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) { |
| 380 | buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port); | 399 | buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port); |
| 381 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, | 400 | if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, |
| 382 | matchoff, matchlen, buffer, buflen)) | 401 | matchoff, matchlen, buffer, buflen)) { |
| 402 | nf_ct_helper_log(skb, ct, "cannot mangle packet"); | ||
| 383 | goto err; | 403 | goto err; |
| 404 | } | ||
| 384 | } | 405 | } |
| 385 | return NF_ACCEPT; | 406 | return NF_ACCEPT; |
| 386 | 407 | ||
| @@ -573,14 +594,18 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff, | |||
| 573 | } | 594 | } |
| 574 | } | 595 | } |
| 575 | 596 | ||
| 576 | if (port == 0) | 597 | if (port == 0) { |
| 598 | nf_ct_helper_log(skb, ct, "all ports in use for SDP media"); | ||
| 577 | goto err1; | 599 | goto err1; |
| 600 | } | ||
| 578 | 601 | ||
| 579 | /* Update media port. */ | 602 | /* Update media port. */ |
| 580 | if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port && | 603 | if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port && |
| 581 | !nf_nat_sdp_port(skb, protoff, dataoff, dptr, datalen, | 604 | !nf_nat_sdp_port(skb, protoff, dataoff, dptr, datalen, |
| 582 | mediaoff, medialen, port)) | 605 | mediaoff, medialen, port)) { |
| 606 | nf_ct_helper_log(skb, ct, "cannot mangle SDP message"); | ||
| 583 | goto err2; | 607 | goto err2; |
| 608 | } | ||
| 584 | 609 | ||
| 585 | return NF_ACCEPT; | 610 | return NF_ACCEPT; |
| 586 | 611 | ||
diff --git a/net/netfilter/nf_nat_tftp.c b/net/netfilter/nf_nat_tftp.c index ccabbda71a3e..7f67e1d5310d 100644 --- a/net/netfilter/nf_nat_tftp.c +++ b/net/netfilter/nf_nat_tftp.c | |||
| @@ -28,8 +28,10 @@ static unsigned int help(struct sk_buff *skb, | |||
| 28 | = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; | 28 | = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; |
| 29 | exp->dir = IP_CT_DIR_REPLY; | 29 | exp->dir = IP_CT_DIR_REPLY; |
| 30 | exp->expectfn = nf_nat_follow_master; | 30 | exp->expectfn = nf_nat_follow_master; |
| 31 | if (nf_ct_expect_related(exp) != 0) | 31 | if (nf_ct_expect_related(exp) != 0) { |
| 32 | nf_ct_helper_log(skb, exp->master, "cannot add expectation"); | ||
| 32 | return NF_DROP; | 33 | return NF_DROP; |
| 34 | } | ||
| 33 | return NF_ACCEPT; | 35 | return NF_ACCEPT; |
| 34 | } | 36 | } |
| 35 | 37 | ||