aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c10
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c8
-rw-r--r--net/netfilter/nf_conntrack_amanda.c5
-rw-r--r--net/netfilter/nf_conntrack_ftp.c10
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c6
-rw-r--r--net/netfilter/nf_conntrack_helper.c19
-rw-r--r--net/netfilter/nf_conntrack_irc.c7
-rw-r--r--net/netfilter/nf_conntrack_sane.c5
-rw-r--r--net/netfilter/nf_conntrack_sip.c73
-rw-r--r--net/netfilter/nf_conntrack_tftp.c8
-rw-r--r--net/netfilter/nf_nat_amanda.c8
-rw-r--r--net/netfilter/nf_nat_ftp.c5
-rw-r--r--net/netfilter/nf_nat_irc.c8
-rw-r--r--net/netfilter/nf_nat_sip.c49
-rw-r--r--net/netfilter/nf_nat_tftp.c4
15 files changed, 160 insertions, 65 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 48990ada0e1e..2820aa18b542 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -100,7 +100,6 @@ static unsigned int ipv4_helper(unsigned int hooknum,
100 enum ip_conntrack_info ctinfo; 100 enum ip_conntrack_info ctinfo;
101 const struct nf_conn_help *help; 101 const struct nf_conn_help *help;
102 const struct nf_conntrack_helper *helper; 102 const struct nf_conntrack_helper *helper;
103 unsigned int ret;
104 103
105 /* This is where we call the helper: as the packet goes out. */ 104 /* This is where we call the helper: as the packet goes out. */
106 ct = nf_ct_get(skb, &ctinfo); 105 ct = nf_ct_get(skb, &ctinfo);
@@ -116,13 +115,8 @@ static unsigned int ipv4_helper(unsigned int hooknum,
116 if (!helper) 115 if (!helper)
117 return NF_ACCEPT; 116 return NF_ACCEPT;
118 117
119 ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb), 118 return helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
120 ct, ctinfo); 119 ct, ctinfo);
121 if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
122 nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
123 "nf_ct_%s: dropping packet", helper->name);
124 }
125 return ret;
126} 120}
127 121
128static unsigned int ipv4_confirm(unsigned int hooknum, 122static unsigned int ipv4_confirm(unsigned int hooknum,
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 8a45bb20bedb..2b6c226f5198 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -104,7 +104,6 @@ static unsigned int ipv6_helper(unsigned int hooknum,
104 const struct nf_conn_help *help; 104 const struct nf_conn_help *help;
105 const struct nf_conntrack_helper *helper; 105 const struct nf_conntrack_helper *helper;
106 enum ip_conntrack_info ctinfo; 106 enum ip_conntrack_info ctinfo;
107 unsigned int ret;
108 __be16 frag_off; 107 __be16 frag_off;
109 int protoff; 108 int protoff;
110 u8 nexthdr; 109 u8 nexthdr;
@@ -130,12 +129,7 @@ static unsigned int ipv6_helper(unsigned int hooknum,
130 return NF_ACCEPT; 129 return NF_ACCEPT;
131 } 130 }
132 131
133 ret = helper->help(skb, protoff, ct, ctinfo); 132 return helper->help(skb, protoff, ct, ctinfo);
134 if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
135 nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
136 "nf_ct_%s: dropping packet", helper->name);
137 }
138 return ret;
139} 133}
140 134
141static unsigned int ipv6_confirm(unsigned int hooknum, 135static unsigned int ipv6_confirm(unsigned int hooknum,
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index c514fe6033d2..dbdaa1149260 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -145,6 +145,7 @@ static int amanda_help(struct sk_buff *skb,
145 145
146 exp = nf_ct_expect_alloc(ct); 146 exp = nf_ct_expect_alloc(ct);
147 if (exp == NULL) { 147 if (exp == NULL) {
148 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
148 ret = NF_DROP; 149 ret = NF_DROP;
149 goto out; 150 goto out;
150 } 151 }
@@ -158,8 +159,10 @@ static int amanda_help(struct sk_buff *skb,
158 if (nf_nat_amanda && ct->status & IPS_NAT_MASK) 159 if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
159 ret = nf_nat_amanda(skb, ctinfo, protoff, 160 ret = nf_nat_amanda(skb, ctinfo, protoff,
160 off - dataoff, len, exp); 161 off - dataoff, len, exp);
161 else if (nf_ct_expect_related(exp) != 0) 162 else if (nf_ct_expect_related(exp) != 0) {
163 nf_ct_helper_log(skb, ct, "cannot add expectation");
162 ret = NF_DROP; 164 ret = NF_DROP;
165 }
163 nf_ct_expect_put(exp); 166 nf_ct_expect_put(exp);
164 } 167 }
165 168
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 1ce3befb7c8a..62fb8faedb80 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -435,8 +435,8 @@ skip_nl_seq:
435 connection tracking, not packet filtering. 435 connection tracking, not packet filtering.
436 However, it is necessary for accurate tracking in 436 However, it is necessary for accurate tracking in
437 this case. */ 437 this case. */
438 pr_debug("conntrack_ftp: partial %s %u+%u\n", 438 nf_ct_helper_log(skb, ct, "partial matching of `%s'",
439 search[dir][i].pattern, ntohl(th->seq), datalen); 439 search[dir][i].pattern);
440 ret = NF_DROP; 440 ret = NF_DROP;
441 goto out; 441 goto out;
442 } else if (found == 0) { /* No match */ 442 } else if (found == 0) { /* No match */
@@ -450,6 +450,7 @@ skip_nl_seq:
450 450
451 exp = nf_ct_expect_alloc(ct); 451 exp = nf_ct_expect_alloc(ct);
452 if (exp == NULL) { 452 if (exp == NULL) {
453 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
453 ret = NF_DROP; 454 ret = NF_DROP;
454 goto out; 455 goto out;
455 } 456 }
@@ -500,9 +501,10 @@ skip_nl_seq:
500 protoff, matchoff, matchlen, exp); 501 protoff, matchoff, matchlen, exp);
501 else { 502 else {
502 /* Can't expect this? Best to drop packet now. */ 503 /* Can't expect this? Best to drop packet now. */
503 if (nf_ct_expect_related(exp) != 0) 504 if (nf_ct_expect_related(exp) != 0) {
505 nf_ct_helper_log(skb, ct, "cannot add expectation");
504 ret = NF_DROP; 506 ret = NF_DROP;
505 else 507 } else
506 ret = NF_ACCEPT; 508 ret = NF_ACCEPT;
507 } 509 }
508 510
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 962795e839ab..7df7b36d2e24 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -623,7 +623,7 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
623 623
624 drop: 624 drop:
625 spin_unlock_bh(&nf_h323_lock); 625 spin_unlock_bh(&nf_h323_lock);
626 net_info_ratelimited("nf_ct_h245: packet dropped\n"); 626 nf_ct_helper_log(skb, ct, "cannot process H.245 message");
627 return NF_DROP; 627 return NF_DROP;
628} 628}
629 629
@@ -1197,7 +1197,7 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
1197 1197
1198 drop: 1198 drop:
1199 spin_unlock_bh(&nf_h323_lock); 1199 spin_unlock_bh(&nf_h323_lock);
1200 net_info_ratelimited("nf_ct_q931: packet dropped\n"); 1200 nf_ct_helper_log(skb, ct, "cannot process Q.931 message");
1201 return NF_DROP; 1201 return NF_DROP;
1202} 1202}
1203 1203
@@ -1795,7 +1795,7 @@ static int ras_help(struct sk_buff *skb, unsigned int protoff,
1795 1795
1796 drop: 1796 drop:
1797 spin_unlock_bh(&nf_h323_lock); 1797 spin_unlock_bh(&nf_h323_lock);
1798 net_info_ratelimited("nf_ct_ras: packet dropped\n"); 1798 nf_ct_helper_log(skb, ct, "cannot process RAS message");
1799 return NF_DROP; 1799 return NF_DROP;
1800} 1800}
1801 1801
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 2f380f73c4c0..c08768da7936 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -28,6 +28,7 @@
28#include <net/netfilter/nf_conntrack_helper.h> 28#include <net/netfilter/nf_conntrack_helper.h>
29#include <net/netfilter/nf_conntrack_core.h> 29#include <net/netfilter/nf_conntrack_core.h>
30#include <net/netfilter/nf_conntrack_extend.h> 30#include <net/netfilter/nf_conntrack_extend.h>
31#include <net/netfilter/nf_log.h>
31 32
32static DEFINE_MUTEX(nf_ct_helper_mutex); 33static DEFINE_MUTEX(nf_ct_helper_mutex);
33struct hlist_head *nf_ct_helper_hash __read_mostly; 34struct hlist_head *nf_ct_helper_hash __read_mostly;
@@ -332,6 +333,24 @@ nf_ct_helper_expectfn_find_by_symbol(const void *symbol)
332} 333}
333EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol); 334EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol);
334 335
336__printf(3, 4)
337void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
338 const char *fmt, ...)
339{
340 const struct nf_conn_help *help;
341 const struct nf_conntrack_helper *helper;
342
343 /* Called from the helper function, this call never fails */
344 help = nfct_help(ct);
345
346 /* rcu_read_lock()ed by nf_hook_slow */
347 helper = rcu_dereference(help->helper);
348
349 nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
350 "nf_ct_%s: dropping packet: %s ", helper->name, fmt);
351}
352EXPORT_SYMBOL_GPL(nf_ct_helper_log);
353
335int nf_conntrack_helper_register(struct nf_conntrack_helper *me) 354int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
336{ 355{
337 int ret = 0; 356 int ret = 0;
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 3b20aa77cfc8..70985c5d0ffa 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -194,6 +194,8 @@ static int help(struct sk_buff *skb, unsigned int protoff,
194 194
195 exp = nf_ct_expect_alloc(ct); 195 exp = nf_ct_expect_alloc(ct);
196 if (exp == NULL) { 196 if (exp == NULL) {
197 nf_ct_helper_log(skb, ct,
198 "cannot alloc expectation");
197 ret = NF_DROP; 199 ret = NF_DROP;
198 goto out; 200 goto out;
199 } 201 }
@@ -210,8 +212,11 @@ static int help(struct sk_buff *skb, unsigned int protoff,
210 addr_beg_p - ib_ptr, 212 addr_beg_p - ib_ptr,
211 addr_end_p - addr_beg_p, 213 addr_end_p - addr_beg_p,
212 exp); 214 exp);
213 else if (nf_ct_expect_related(exp) != 0) 215 else if (nf_ct_expect_related(exp) != 0) {
216 nf_ct_helper_log(skb, ct,
217 "cannot add expectation");
214 ret = NF_DROP; 218 ret = NF_DROP;
219 }
215 nf_ct_expect_put(exp); 220 nf_ct_expect_put(exp);
216 goto out; 221 goto out;
217 } 222 }
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index 295429f39088..4a2134fd3fcb 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -138,6 +138,7 @@ static int help(struct sk_buff *skb,
138 138
139 exp = nf_ct_expect_alloc(ct); 139 exp = nf_ct_expect_alloc(ct);
140 if (exp == NULL) { 140 if (exp == NULL) {
141 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
141 ret = NF_DROP; 142 ret = NF_DROP;
142 goto out; 143 goto out;
143 } 144 }
@@ -151,8 +152,10 @@ static int help(struct sk_buff *skb,
151 nf_ct_dump_tuple(&exp->tuple); 152 nf_ct_dump_tuple(&exp->tuple);
152 153
153 /* Can't expect this? Best to drop packet now. */ 154 /* Can't expect this? Best to drop packet now. */
154 if (nf_ct_expect_related(exp) != 0) 155 if (nf_ct_expect_related(exp) != 0) {
156 nf_ct_helper_log(skb, ct, "cannot add expectation");
155 ret = NF_DROP; 157 ret = NF_DROP;
158 }
156 159
157 nf_ct_expect_put(exp); 160 nf_ct_expect_put(exp);
158 161
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 72a67bbe3518..069229d919b6 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1095,8 +1095,10 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
1095 port = simple_strtoul(*dptr + mediaoff, NULL, 10); 1095 port = simple_strtoul(*dptr + mediaoff, NULL, 10);
1096 if (port == 0) 1096 if (port == 0)
1097 continue; 1097 continue;
1098 if (port < 1024 || port > 65535) 1098 if (port < 1024 || port > 65535) {
1099 nf_ct_helper_log(skb, ct, "wrong port %u", port);
1099 return NF_DROP; 1100 return NF_DROP;
1101 }
1100 1102
1101 /* The media description overrides the session description. */ 1103 /* The media description overrides the session description. */
1102 maddr_len = 0; 1104 maddr_len = 0;
@@ -1107,15 +1109,20 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
1107 memcpy(&rtp_addr, &maddr, sizeof(rtp_addr)); 1109 memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
1108 } else if (caddr_len) 1110 } else if (caddr_len)
1109 memcpy(&rtp_addr, &caddr, sizeof(rtp_addr)); 1111 memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
1110 else 1112 else {
1113 nf_ct_helper_log(skb, ct, "cannot parse SDP message");
1111 return NF_DROP; 1114 return NF_DROP;
1115 }
1112 1116
1113 ret = set_expected_rtp_rtcp(skb, protoff, dataoff, 1117 ret = set_expected_rtp_rtcp(skb, protoff, dataoff,
1114 dptr, datalen, 1118 dptr, datalen,
1115 &rtp_addr, htons(port), t->class, 1119 &rtp_addr, htons(port), t->class,
1116 mediaoff, medialen); 1120 mediaoff, medialen);
1117 if (ret != NF_ACCEPT) 1121 if (ret != NF_ACCEPT) {
1122 nf_ct_helper_log(skb, ct,
1123 "cannot add expectation for voice");
1118 return ret; 1124 return ret;
1125 }
1119 1126
1120 /* Update media connection address if present */ 1127 /* Update media connection address if present */
1121 if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) { 1128 if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
@@ -1123,8 +1130,10 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
1123 dptr, datalen, mediaoff, 1130 dptr, datalen, mediaoff,
1124 SDP_HDR_CONNECTION, SDP_HDR_MEDIA, 1131 SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
1125 &rtp_addr); 1132 &rtp_addr);
1126 if (ret != NF_ACCEPT) 1133 if (ret != NF_ACCEPT) {
1134 nf_ct_helper_log(skb, ct, "cannot mangle SDP");
1127 return ret; 1135 return ret;
1136 }
1128 } 1137 }
1129 i++; 1138 i++;
1130 } 1139 }
@@ -1258,9 +1267,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
1258 ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, 1267 ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1259 SIP_HDR_CONTACT, NULL, 1268 SIP_HDR_CONTACT, NULL,
1260 &matchoff, &matchlen, &daddr, &port); 1269 &matchoff, &matchlen, &daddr, &port);
1261 if (ret < 0) 1270 if (ret < 0) {
1271 nf_ct_helper_log(skb, ct, "cannot parse contact");
1262 return NF_DROP; 1272 return NF_DROP;
1263 else if (ret == 0) 1273 } else if (ret == 0)
1264 return NF_ACCEPT; 1274 return NF_ACCEPT;
1265 1275
1266 /* We don't support third-party registrations */ 1276 /* We don't support third-party registrations */
@@ -1273,8 +1283,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
1273 1283
1274 if (ct_sip_parse_numerical_param(ct, *dptr, 1284 if (ct_sip_parse_numerical_param(ct, *dptr,
1275 matchoff + matchlen, *datalen, 1285 matchoff + matchlen, *datalen,
1276 "expires=", NULL, NULL, &expires) < 0) 1286 "expires=", NULL, NULL, &expires) < 0) {
1287 nf_ct_helper_log(skb, ct, "cannot parse expires");
1277 return NF_DROP; 1288 return NF_DROP;
1289 }
1278 1290
1279 if (expires == 0) { 1291 if (expires == 0) {
1280 ret = NF_ACCEPT; 1292 ret = NF_ACCEPT;
@@ -1282,8 +1294,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
1282 } 1294 }
1283 1295
1284 exp = nf_ct_expect_alloc(ct); 1296 exp = nf_ct_expect_alloc(ct);
1285 if (!exp) 1297 if (!exp) {
1298 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
1286 return NF_DROP; 1299 return NF_DROP;
1300 }
1287 1301
1288 saddr = NULL; 1302 saddr = NULL;
1289 if (sip_direct_signalling) 1303 if (sip_direct_signalling)
@@ -1300,9 +1314,10 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
1300 ret = nf_nat_sip_expect(skb, protoff, dataoff, dptr, datalen, 1314 ret = nf_nat_sip_expect(skb, protoff, dataoff, dptr, datalen,
1301 exp, matchoff, matchlen); 1315 exp, matchoff, matchlen);
1302 else { 1316 else {
1303 if (nf_ct_expect_related(exp) != 0) 1317 if (nf_ct_expect_related(exp) != 0) {
1318 nf_ct_helper_log(skb, ct, "cannot add expectation");
1304 ret = NF_DROP; 1319 ret = NF_DROP;
1305 else 1320 } else
1306 ret = NF_ACCEPT; 1321 ret = NF_ACCEPT;
1307 } 1322 }
1308 nf_ct_expect_put(exp); 1323 nf_ct_expect_put(exp);
@@ -1356,9 +1371,10 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff,
1356 SIP_HDR_CONTACT, &in_contact, 1371 SIP_HDR_CONTACT, &in_contact,
1357 &matchoff, &matchlen, 1372 &matchoff, &matchlen,
1358 &addr, &port); 1373 &addr, &port);
1359 if (ret < 0) 1374 if (ret < 0) {
1375 nf_ct_helper_log(skb, ct, "cannot parse contact");
1360 return NF_DROP; 1376 return NF_DROP;
1361 else if (ret == 0) 1377 } else if (ret == 0)
1362 break; 1378 break;
1363 1379
1364 /* We don't support third-party registrations */ 1380 /* We don't support third-party registrations */
@@ -1373,8 +1389,10 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff,
1373 matchoff + matchlen, 1389 matchoff + matchlen,
1374 *datalen, "expires=", 1390 *datalen, "expires=",
1375 NULL, NULL, &c_expires); 1391 NULL, NULL, &c_expires);
1376 if (ret < 0) 1392 if (ret < 0) {
1393 nf_ct_helper_log(skb, ct, "cannot parse expires");
1377 return NF_DROP; 1394 return NF_DROP;
1395 }
1378 if (c_expires == 0) 1396 if (c_expires == 0)
1379 break; 1397 break;
1380 if (refresh_signalling_expectation(ct, &addr, proto, port, 1398 if (refresh_signalling_expectation(ct, &addr, proto, port,
@@ -1408,15 +1426,21 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
1408 if (*datalen < strlen("SIP/2.0 200")) 1426 if (*datalen < strlen("SIP/2.0 200"))
1409 return NF_ACCEPT; 1427 return NF_ACCEPT;
1410 code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10); 1428 code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1411 if (!code) 1429 if (!code) {
1430 nf_ct_helper_log(skb, ct, "cannot get code");
1412 return NF_DROP; 1431 return NF_DROP;
1432 }
1413 1433
1414 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, 1434 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1415 &matchoff, &matchlen) <= 0) 1435 &matchoff, &matchlen) <= 0) {
1436 nf_ct_helper_log(skb, ct, "cannot parse cseq");
1416 return NF_DROP; 1437 return NF_DROP;
1438 }
1417 cseq = simple_strtoul(*dptr + matchoff, NULL, 10); 1439 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1418 if (!cseq) 1440 if (!cseq) {
1441 nf_ct_helper_log(skb, ct, "cannot get cseq");
1419 return NF_DROP; 1442 return NF_DROP;
1443 }
1420 matchend = matchoff + matchlen + 1; 1444 matchend = matchoff + matchlen + 1;
1421 1445
1422 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { 1446 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
@@ -1471,11 +1495,15 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
1471 continue; 1495 continue;
1472 1496
1473 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ, 1497 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1474 &matchoff, &matchlen) <= 0) 1498 &matchoff, &matchlen) <= 0) {
1499 nf_ct_helper_log(skb, ct, "cannot parse cseq");
1475 return NF_DROP; 1500 return NF_DROP;
1501 }
1476 cseq = simple_strtoul(*dptr + matchoff, NULL, 10); 1502 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1477 if (!cseq) 1503 if (!cseq) {
1504 nf_ct_helper_log(skb, ct, "cannot get cseq");
1478 return NF_DROP; 1505 return NF_DROP;
1506 }
1479 1507
1480 return handler->request(skb, protoff, dataoff, dptr, datalen, 1508 return handler->request(skb, protoff, dataoff, dptr, datalen,
1481 cseq); 1509 cseq);
@@ -1498,8 +1526,10 @@ static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
1498 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { 1526 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1499 nf_nat_sip = rcu_dereference(nf_nat_sip_hook); 1527 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
1500 if (nf_nat_sip && !nf_nat_sip(skb, protoff, dataoff, 1528 if (nf_nat_sip && !nf_nat_sip(skb, protoff, dataoff,
1501 dptr, datalen)) 1529 dptr, datalen)) {
1530 nf_ct_helper_log(skb, ct, "cannot NAT SIP message");
1502 ret = NF_DROP; 1531 ret = NF_DROP;
1532 }
1503 } 1533 }
1504 1534
1505 return ret; 1535 return ret;
@@ -1563,11 +1593,14 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1563 end += strlen("\r\n\r\n") + clen; 1593 end += strlen("\r\n\r\n") + clen;
1564 1594
1565 msglen = origlen = end - dptr; 1595 msglen = origlen = end - dptr;
1566 if (msglen > datalen) 1596 if (msglen > datalen) {
1597 nf_ct_helper_log(skb, ct, "incomplete/bad SIP message");
1567 return NF_DROP; 1598 return NF_DROP;
1599 }
1568 1600
1569 ret = process_sip_msg(skb, ct, protoff, dataoff, 1601 ret = process_sip_msg(skb, ct, protoff, dataoff,
1570 &dptr, &msglen); 1602 &dptr, &msglen);
1603 /* process_sip_* functions report why this packet is dropped */
1571 if (ret != NF_ACCEPT) 1604 if (ret != NF_ACCEPT)
1572 break; 1605 break;
1573 diff = msglen - origlen; 1606 diff = msglen - origlen;
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index 81fc61c05263..e9936c830208 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -60,8 +60,10 @@ static int tftp_help(struct sk_buff *skb,
60 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); 60 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
61 61
62 exp = nf_ct_expect_alloc(ct); 62 exp = nf_ct_expect_alloc(ct);
63 if (exp == NULL) 63 if (exp == NULL) {
64 nf_ct_helper_log(skb, ct, "cannot alloc expectation");
64 return NF_DROP; 65 return NF_DROP;
66 }
65 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple; 67 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
66 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 68 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT,
67 nf_ct_l3num(ct), 69 nf_ct_l3num(ct),
@@ -74,8 +76,10 @@ static int tftp_help(struct sk_buff *skb,
74 nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook); 76 nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook);
75 if (nf_nat_tftp && ct->status & IPS_NAT_MASK) 77 if (nf_nat_tftp && ct->status & IPS_NAT_MASK)
76 ret = nf_nat_tftp(skb, ctinfo, exp); 78 ret = nf_nat_tftp(skb, ctinfo, exp);
77 else if (nf_ct_expect_related(exp) != 0) 79 else if (nf_ct_expect_related(exp) != 0) {
80 nf_ct_helper_log(skb, ct, "cannot add expectation");
78 ret = NF_DROP; 81 ret = NF_DROP;
82 }
79 nf_ct_expect_put(exp); 83 nf_ct_expect_put(exp);
80 break; 84 break;
81 case TFTP_OPCODE_DATA: 85 case TFTP_OPCODE_DATA:
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c
index 42d337881171..3b67c9d11273 100644
--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -56,15 +56,19 @@ static unsigned int help(struct sk_buff *skb,
56 } 56 }
57 } 57 }
58 58
59 if (port == 0) 59 if (port == 0) {
60 nf_ct_helper_log(skb, exp->master, "all ports in use");
60 return NF_DROP; 61 return NF_DROP;
62 }
61 63
62 sprintf(buffer, "%u", port); 64 sprintf(buffer, "%u", port);
63 ret = nf_nat_mangle_udp_packet(skb, exp->master, ctinfo, 65 ret = nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
64 protoff, matchoff, matchlen, 66 protoff, matchoff, matchlen,
65 buffer, strlen(buffer)); 67 buffer, strlen(buffer));
66 if (ret != NF_ACCEPT) 68 if (ret != NF_ACCEPT) {
69 nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
67 nf_ct_unexpect_related(exp); 70 nf_ct_unexpect_related(exp);
71 }
68 return ret; 72 return ret;
69} 73}
70 74
diff --git a/net/netfilter/nf_nat_ftp.c b/net/netfilter/nf_nat_ftp.c
index e839b97b2863..e84a578dbe35 100644
--- a/net/netfilter/nf_nat_ftp.c
+++ b/net/netfilter/nf_nat_ftp.c
@@ -96,8 +96,10 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb,
96 } 96 }
97 } 97 }
98 98
99 if (port == 0) 99 if (port == 0) {
100 nf_ct_helper_log(skb, ct, "all ports in use");
100 return NF_DROP; 101 return NF_DROP;
102 }
101 103
102 buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer), 104 buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer),
103 &newaddr, port); 105 &newaddr, port);
@@ -113,6 +115,7 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb,
113 return NF_ACCEPT; 115 return NF_ACCEPT;
114 116
115out: 117out:
118 nf_ct_helper_log(skb, ct, "cannot mangle packet");
116 nf_ct_unexpect_related(exp); 119 nf_ct_unexpect_related(exp);
117 return NF_DROP; 120 return NF_DROP;
118} 121}
diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c
index 1fedee6e7fb6..f02b3605823e 100644
--- a/net/netfilter/nf_nat_irc.c
+++ b/net/netfilter/nf_nat_irc.c
@@ -56,14 +56,18 @@ static unsigned int help(struct sk_buff *skb,
56 } 56 }
57 } 57 }
58 58
59 if (port == 0) 59 if (port == 0) {
60 nf_ct_helper_log(skb, exp->master, "all ports in use");
60 return NF_DROP; 61 return NF_DROP;
62 }
61 63
62 ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo, 64 ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo,
63 protoff, matchoff, matchlen, buffer, 65 protoff, matchoff, matchlen, buffer,
64 strlen(buffer)); 66 strlen(buffer));
65 if (ret != NF_ACCEPT) 67 if (ret != NF_ACCEPT) {
68 nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
66 nf_ct_unexpect_related(exp); 69 nf_ct_unexpect_related(exp);
70 }
67 return ret; 71 return ret;
68} 72}
69 73
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index 5951146e7688..96ccdf78a29f 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -159,8 +159,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
159 &matchoff, &matchlen, 159 &matchoff, &matchlen,
160 &addr, &port) > 0 && 160 &addr, &port) > 0 &&
161 !map_addr(skb, protoff, dataoff, dptr, datalen, 161 !map_addr(skb, protoff, dataoff, dptr, datalen,
162 matchoff, matchlen, &addr, port)) 162 matchoff, matchlen, &addr, port)) {
163 nf_ct_helper_log(skb, ct, "cannot mangle SIP message");
163 return NF_DROP; 164 return NF_DROP;
165 }
164 request = 1; 166 request = 1;
165 } else 167 } else
166 request = 0; 168 request = 0;
@@ -193,8 +195,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
193 195
194 olen = *datalen; 196 olen = *datalen;
195 if (!map_addr(skb, protoff, dataoff, dptr, datalen, 197 if (!map_addr(skb, protoff, dataoff, dptr, datalen,
196 matchoff, matchlen, &addr, port)) 198 matchoff, matchlen, &addr, port)) {
199 nf_ct_helper_log(skb, ct, "cannot mangle Via header");
197 return NF_DROP; 200 return NF_DROP;
201 }
198 202
199 matchend = matchoff + matchlen + *datalen - olen; 203 matchend = matchoff + matchlen + *datalen - olen;
200 204
@@ -209,8 +213,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
209 &ct->tuplehash[!dir].tuple.dst.u3, 213 &ct->tuplehash[!dir].tuple.dst.u3,
210 true); 214 true);
211 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, 215 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
212 poff, plen, buffer, buflen)) 216 poff, plen, buffer, buflen)) {
217 nf_ct_helper_log(skb, ct, "cannot mangle maddr");
213 return NF_DROP; 218 return NF_DROP;
219 }
214 } 220 }
215 221
216 /* The received= parameter (RFC 2361) contains the address 222 /* The received= parameter (RFC 2361) contains the address
@@ -225,6 +231,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
225 false); 231 false);
226 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, 232 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
227 poff, plen, buffer, buflen)) 233 poff, plen, buffer, buflen))
234 nf_ct_helper_log(skb, ct, "cannot mangle received");
228 return NF_DROP; 235 return NF_DROP;
229 } 236 }
230 237
@@ -238,8 +245,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
238 __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port; 245 __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
239 buflen = sprintf(buffer, "%u", ntohs(p)); 246 buflen = sprintf(buffer, "%u", ntohs(p));
240 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, 247 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
241 poff, plen, buffer, buflen)) 248 poff, plen, buffer, buflen)) {
249 nf_ct_helper_log(skb, ct, "cannot mangle rport");
242 return NF_DROP; 250 return NF_DROP;
251 }
243 } 252 }
244 } 253 }
245 254
@@ -253,27 +262,35 @@ next:
253 &addr, &port) > 0) { 262 &addr, &port) > 0) {
254 if (!map_addr(skb, protoff, dataoff, dptr, datalen, 263 if (!map_addr(skb, protoff, dataoff, dptr, datalen,
255 matchoff, matchlen, 264 matchoff, matchlen,
256 &addr, port)) 265 &addr, port)) {
266 nf_ct_helper_log(skb, ct, "cannot mangle contact");
257 return NF_DROP; 267 return NF_DROP;
268 }
258 } 269 }
259 270
260 if (!map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_FROM) || 271 if (!map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_FROM) ||
261 !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) 272 !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) {
273 nf_ct_helper_log(skb, ct, "cannot mangle SIP from/to");
262 return NF_DROP; 274 return NF_DROP;
275 }
263 276
264 /* Mangle destination port for Cisco phones, then fix up checksums */ 277 /* Mangle destination port for Cisco phones, then fix up checksums */
265 if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) { 278 if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) {
266 struct udphdr *uh; 279 struct udphdr *uh;
267 280
268 if (!skb_make_writable(skb, skb->len)) 281 if (!skb_make_writable(skb, skb->len)) {
282 nf_ct_helper_log(skb, ct, "cannot mangle packet");
269 return NF_DROP; 283 return NF_DROP;
284 }
270 285
271 uh = (void *)skb->data + protoff; 286 uh = (void *)skb->data + protoff;
272 uh->dest = ct_sip_info->forced_dport; 287 uh->dest = ct_sip_info->forced_dport;
273 288
274 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, protoff, 289 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, protoff,
275 0, 0, NULL, 0)) 290 0, 0, NULL, 0)) {
291 nf_ct_helper_log(skb, ct, "cannot mangle packet");
276 return NF_DROP; 292 return NF_DROP;
293 }
277 } 294 }
278 295
279 return NF_ACCEPT; 296 return NF_ACCEPT;
@@ -372,15 +389,19 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff,
372 } 389 }
373 } 390 }
374 391
375 if (port == 0) 392 if (port == 0) {
393 nf_ct_helper_log(skb, ct, "all ports in use for SIP");
376 return NF_DROP; 394 return NF_DROP;
395 }
377 396
378 if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) || 397 if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) ||
379 exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) { 398 exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
380 buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port); 399 buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port);
381 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, 400 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
382 matchoff, matchlen, buffer, buflen)) 401 matchoff, matchlen, buffer, buflen)) {
402 nf_ct_helper_log(skb, ct, "cannot mangle packet");
383 goto err; 403 goto err;
404 }
384 } 405 }
385 return NF_ACCEPT; 406 return NF_ACCEPT;
386 407
@@ -573,14 +594,18 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff,
573 } 594 }
574 } 595 }
575 596
576 if (port == 0) 597 if (port == 0) {
598 nf_ct_helper_log(skb, ct, "all ports in use for SDP media");
577 goto err1; 599 goto err1;
600 }
578 601
579 /* Update media port. */ 602 /* Update media port. */
580 if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port && 603 if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
581 !nf_nat_sdp_port(skb, protoff, dataoff, dptr, datalen, 604 !nf_nat_sdp_port(skb, protoff, dataoff, dptr, datalen,
582 mediaoff, medialen, port)) 605 mediaoff, medialen, port)) {
606 nf_ct_helper_log(skb, ct, "cannot mangle SDP message");
583 goto err2; 607 goto err2;
608 }
584 609
585 return NF_ACCEPT; 610 return NF_ACCEPT;
586 611
diff --git a/net/netfilter/nf_nat_tftp.c b/net/netfilter/nf_nat_tftp.c
index ccabbda71a3e..7f67e1d5310d 100644
--- a/net/netfilter/nf_nat_tftp.c
+++ b/net/netfilter/nf_nat_tftp.c
@@ -28,8 +28,10 @@ static unsigned int help(struct sk_buff *skb,
28 = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; 28 = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
29 exp->dir = IP_CT_DIR_REPLY; 29 exp->dir = IP_CT_DIR_REPLY;
30 exp->expectfn = nf_nat_follow_master; 30 exp->expectfn = nf_nat_follow_master;
31 if (nf_ct_expect_related(exp) != 0) 31 if (nf_ct_expect_related(exp) != 0) {
32 nf_ct_helper_log(skb, exp->master, "cannot add expectation");
32 return NF_DROP; 33 return NF_DROP;
34 }
33 return NF_ACCEPT; 35 return NF_ACCEPT;
34} 36}
35 37
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-08 18:36:29 -0500