Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5b92b61f authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Patrick McHardy
Browse files

netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers 



This patch improves the situation in which the expectation table is
full for conntrack NAT helpers. Basically, we give up if we don't
find a place in the table instead of looping over nf_ct_expect_related()
with a different port (we should only do this if it returns -EBUSY, for
-EMFILE or -ESHUTDOWN I think that it's better to skip this).

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 26c15cfd

net/ipv4/netfilter/nf_nat_amanda.c

+8 −1
Original line number Diff line number Diff line
@@ -44,10 +44,17 @@ static unsigned int help(struct sk_buff *skb, 


	/* Try to get same port: if not, try to change it. */

	for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			port = 0;

			break;

		}

	}



	if (port == 0)

		return NF_DROP;

net/ipv4/netfilter/nf_nat_ftp.c

+8 −1
Original line number Diff line number Diff line
@@ -79,10 +79,17 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, 


	/* Try to get same port: if not, try to change it. */

	for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			port = 0;

			break;

		}

	}



	if (port == 0)

		return NF_DROP;

net/ipv4/netfilter/nf_nat_h323.c

+46 −7
Original line number Diff line number Diff line
@@ -222,13 +222,24 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct, 
	/* Try to get a pair of ports. */

	for (nated_port = ntohs(rtp_exp->tuple.dst.u.udp.port);

	     nated_port != 0; nated_port += 2) {

		int ret;



		rtp_exp->tuple.dst.u.udp.port = htons(nated_port);

		if (nf_ct_expect_related(rtp_exp) == 0) {

		ret = nf_ct_expect_related(rtp_exp);

		if (ret == 0) {

			rtcp_exp->tuple.dst.u.udp.port =

			    htons(nated_port + 1);

			if (nf_ct_expect_related(rtcp_exp) == 0)

			ret = nf_ct_expect_related(rtcp_exp);

			if (ret == 0)

				break;

			else if (ret != -EBUSY) {

				nf_ct_unexpect_related(rtp_exp);

				nated_port = 0;

				break;

			}

		} else if (ret != -EBUSY) {

			nated_port = 0;

			break;

		}

	}
@@ -284,10 +295,17 @@ static int nat_t120(struct sk_buff *skb, struct nf_conn *ct, 


	/* Try to get same port: if not, try to change it. */

	for (; nated_port != 0; nated_port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(nated_port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			nated_port = 0;

			break;

		}

	}



	if (nated_port == 0) {	/* No port available */

		if (net_ratelimit())
@@ -334,9 +352,16 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct, 


	/* Try to get same port: if not, try to change it. */

	for (; nated_port != 0; nated_port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(nated_port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			nated_port = 0;

			break;

		}

	}



	if (nated_port == 0) {	/* No port available */
@@ -418,10 +443,17 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct, 


	/* Try to get same port: if not, try to change it. */

	for (; nated_port != 0; nated_port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(nated_port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			nated_port = 0;

			break;

		}

	}



	if (nated_port == 0) {	/* No port available */

		if (net_ratelimit())
@@ -500,9 +532,16 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct, 


	/* Try to get same port: if not, try to change it. */

	for (nated_port = ntohs(port); nated_port != 0; nated_port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(nated_port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			nated_port = 0;

			break;

		}

	}



	if (nated_port == 0) {	/* No port available */

net/ipv4/netfilter/nf_nat_irc.c

+8 −1
Original line number Diff line number Diff line
@@ -45,10 +45,17 @@ static unsigned int help(struct sk_buff *skb, 


	/* Try to get same port: if not, try to change it. */

	for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {

		int ret;



		exp->tuple.dst.u.tcp.port = htons(port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			port = 0;

			break;

		}

	}



	if (port == 0)

		return NF_DROP;

net/ipv4/netfilter/nf_nat_sip.c

+23 −4
Original line number Diff line number Diff line
@@ -307,10 +307,17 @@ static unsigned int ip_nat_sip_expect(struct sk_buff *skb, unsigned int dataoff, 
	exp->expectfn = ip_nat_sip_expected;



	for (; port != 0; port++) {

		int ret;



		exp->tuple.dst.u.udp.port = htons(port);

		if (nf_ct_expect_related(exp) == 0)

		ret = nf_ct_expect_related(exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			port = 0;

			break;

		}

	}



	if (port == 0)

		return NF_DROP;
@@ -480,13 +487,25 @@ static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int dataoff, 
	/* Try to get same pair of ports: if not, try to change them. */

	for (port = ntohs(rtp_exp->tuple.dst.u.udp.port);

	     port != 0; port += 2) {

		int ret;



		rtp_exp->tuple.dst.u.udp.port = htons(port);

		if (nf_ct_expect_related(rtp_exp) != 0)

		ret = nf_ct_expect_related(rtp_exp);

		if (ret == -EBUSY)

			continue;

		else if (ret < 0) {

			port = 0;

			break;

		}

		rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);

		if (nf_ct_expect_related(rtcp_exp) == 0)

		ret = nf_ct_expect_related(rtcp_exp);

		if (ret == 0)

			break;

		else if (ret != -EBUSY) {

			nf_ct_unexpect_related(rtp_exp);

			port = 0;

			break;

		}

	}



	if (port == 0)