iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: ctnetlink: only assign helpers for matching protocols

Browse Source 
Make sure not to assign a helper for a different network or transport
layer protocol to a connection.

Additionally change expectation deletion by helper to compare the name
directly - there might be multiple helper registrations using the same
name, currently one of them is chosen in an unpredictable manner and
only those expectations are removed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Patrick McHardy 2010-02-03 13:41:29 +01:00
parent 2eff25c18c
commit 794e68716b
3 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/net/netfilter/nf_conntrack_helper.h
View File

@ -40,7 +40,7 @@ struct nf_conntrack_helper {
}; };
extern struct nf_conntrack_helper * extern struct nf_conntrack_helper *
__nf_conntrack_helper_find_byname(const char *name); __nf_conntrack_helper_find(const char *name, u16 l3num, u8 protonum);
extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);

8
net/netfilter/nf_conntrack_helper.c
View File

@ -65,7 +65,7 @@ __nf_ct_helper_find(const struct nf_conntrack_tuple *tuple)
} }
struct nf_conntrack_helper * struct nf_conntrack_helper *
__nf_conntrack_helper_find_byname(const char *name) __nf_conntrack_helper_find(const char *name, u16 l3num, u8 protonum)
{ {
struct nf_conntrack_helper *h; struct nf_conntrack_helper *h;
struct hlist_node *n; struct hlist_node *n;
@ -73,13 +73,15 @@ __nf_conntrack_helper_find_byname(const char *name)
for (i = 0; i < nf_ct_helper_hsize; i++) { for (i = 0; i < nf_ct_helper_hsize; i++) {
hlist_for_each_entry_rcu(h, n, &nf_ct_helper_hash[i], hnode) { hlist_for_each_entry_rcu(h, n, &nf_ct_helper_hash[i], hnode) {
if (!strcmp(h->name, name)) if (!strcmp(h->name, name) &&
h->tuple.src.l3num == l3num &&
h->tuple.dst.protonum == protonum)
return h; return h;
} }
} }
return NULL; return NULL;
} }
EXPORT_SYMBOL_GPL(__nf_conntrack_helper_find_byname); EXPORT_SYMBOL_GPL(__nf_conntrack_helper_find);
struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp) struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp)
{ {

23
net/netfilter/nf_conntrack_netlink.c
View File

@ -1001,7 +1001,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
return 0; return 0;
} }
helper = __nf_conntrack_helper_find_byname(helpname); helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper == NULL) { if (helper == NULL) {
#ifdef CONFIG_MODULES #ifdef CONFIG_MODULES
spin_unlock_bh(&nf_conntrack_lock); spin_unlock_bh(&nf_conntrack_lock);
@ -1012,7 +1013,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
} }
spin_lock_bh(&nf_conntrack_lock); spin_lock_bh(&nf_conntrack_lock);
helper = __nf_conntrack_helper_find_byname(helpname); helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper) if (helper)
return -EAGAIN; return -EAGAIN;
#endif #endif
@ -1211,7 +1213,8 @@ ctnetlink_create_conntrack(struct net *net,
if (err < 0) if (err < 0)
goto err2; goto err2;
helper = __nf_conntrack_helper_find_byname(helpname); helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper == NULL) { if (helper == NULL) {
rcu_read_unlock(); rcu_read_unlock();
#ifdef CONFIG_MODULES #ifdef CONFIG_MODULES
@ -1221,7 +1224,9 @@ ctnetlink_create_conntrack(struct net *net,
} }
rcu_read_lock(); rcu_read_lock();
helper = __nf_conntrack_helper_find_byname(helpname); helper = __nf_conntrack_helper_find(helpname,
nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper) { if (helper) {
err = -EAGAIN; err = -EAGAIN;
goto err2; goto err2;
@ -1714,7 +1719,6 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
struct net *net = sock_net(ctnl); struct net *net = sock_net(ctnl);
struct nf_conntrack_expect *exp; struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple tuple; struct nf_conntrack_tuple tuple;
struct nf_conntrack_helper *h;
struct nfgenmsg *nfmsg = nlmsg_data(nlh); struct nfgenmsg *nfmsg = nlmsg_data(nlh);
struct hlist_node *n, *next; struct hlist_node *n, *next;
u_int8_t u3 = nfmsg->nfgen_family; u_int8_t u3 = nfmsg->nfgen_family;
@ -1751,18 +1755,13 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
/* delete all expectations for this helper */ /* delete all expectations for this helper */
spin_lock_bh(&nf_conntrack_lock); spin_lock_bh(&nf_conntrack_lock);
h = __nf_conntrack_helper_find_byname(name);
if (!h) {
spin_unlock_bh(&nf_conntrack_lock);
return -EOPNOTSUPP;
}
for (i = 0; i < nf_ct_expect_hsize; i++) { for (i = 0; i < nf_ct_expect_hsize; i++) {
hlist_for_each_entry_safe(exp, n, next, hlist_for_each_entry_safe(exp, n, next,
&net->ct.expect_hash[i], &net->ct.expect_hash[i],
hnode) { hnode) {
m_help = nfct_help(exp->master); m_help = nfct_help(exp->master);
if (m_help->helper == h if (!strcmp(m_help->helper->name, name) &&
&& del_timer(&exp->timeout)) { del_timer(&exp->timeout)) {
nf_ct_unlink_expect(exp); nf_ct_unlink_expect(exp);
nf_ct_expect_put(exp); nf_ct_expect_put(exp);
} }