netfilter: nf_ct_helper: better logging for dropped packets (b20ab9cc) · Commits · e / devices / android_kernel_fairphone_FP3

include/net/netfilter/nf_conntrack_helper.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -100,6 +100,10 @@ struct nf_ct_helper_expectfn {
		void (expectfn)(struct nf_conn ct, struct nf_conntrack_expect *exp);
		};

		__printf(3,4)
		void nf_ct_helper_log(struct sk_buff skb, const struct nf_conn ct,
		const char *fmt, ...);

		void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n);
		void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n);
		struct nf_ct_helper_expectfn *

+2 −8

Original line number	Diff line number	Diff line
		@@ -100,7 +100,6 @@ static unsigned int ipv4_helper(unsigned int hooknum,
		enum ip_conntrack_info ctinfo;
		const struct nf_conn_help *help;
		const struct nf_conntrack_helper *helper;
		unsigned int ret;

		/* This is where we call the helper: as the packet goes out. */
		ct = nf_ct_get(skb, &ctinfo);
		@@ -116,13 +115,8 @@ static unsigned int ipv4_helper(unsigned int hooknum,
		if (!helper)
		return NF_ACCEPT;

		ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
		return helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
		ct, ctinfo);
		if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
		nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
		"nf_ct_%s: dropping packet", helper->name);
		}
		return ret;
		}

		static unsigned int ipv4_confirm(unsigned int hooknum,

+1 −7

Original line number	Diff line number	Diff line
		@@ -104,7 +104,6 @@ static unsigned int ipv6_helper(unsigned int hooknum,
		const struct nf_conn_help *help;
		const struct nf_conntrack_helper *helper;
		enum ip_conntrack_info ctinfo;
		unsigned int ret;
		__be16 frag_off;
		int protoff;
		u8 nexthdr;
		@@ -130,12 +129,7 @@ static unsigned int ipv6_helper(unsigned int hooknum,
		return NF_ACCEPT;
		}

		ret = helper->help(skb, protoff, ct, ctinfo);
		if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
		nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
		"nf_ct_%s: dropping packet", helper->name);
		}
		return ret;
		return helper->help(skb, protoff, ct, ctinfo);
		}

		static unsigned int ipv6_confirm(unsigned int hooknum,

+4 −1

Original line number	Diff line number	Diff line
		@@ -145,6 +145,7 @@ static int amanda_help(struct sk_buff *skb,

		exp = nf_ct_expect_alloc(ct);
		if (exp == NULL) {
		nf_ct_helper_log(skb, ct, "cannot alloc expectation");
		ret = NF_DROP;
		goto out;
		}
		@@ -158,8 +159,10 @@ static int amanda_help(struct sk_buff *skb,
		if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
		ret = nf_nat_amanda(skb, ctinfo, protoff,
		off - dataoff, len, exp);
		else if (nf_ct_expect_related(exp) != 0)
		else if (nf_ct_expect_related(exp) != 0) {
		nf_ct_helper_log(skb, ct, "cannot add expectation");
		ret = NF_DROP;
		}
		nf_ct_expect_put(exp);
		}

+6 −4

Original line number	Diff line number	Diff line
		@@ -435,8 +435,8 @@ static int help(struct sk_buff *skb,
		connection tracking, not packet filtering.
		However, it is necessary for accurate tracking in
		this case. */
		pr_debug("conntrack_ftp: partial %s %u+%u\n",
		search[dir][i].pattern, ntohl(th->seq), datalen);
		nf_ct_helper_log(skb, ct, "partial matching of `%s'",
		search[dir][i].pattern);
		ret = NF_DROP;
		goto out;
		} else if (found == 0) { /* No match */
		@@ -450,6 +450,7 @@ static int help(struct sk_buff *skb,

		exp = nf_ct_expect_alloc(ct);
		if (exp == NULL) {
		nf_ct_helper_log(skb, ct, "cannot alloc expectation");
		ret = NF_DROP;
		goto out;
		}
		@@ -500,9 +501,10 @@ static int help(struct sk_buff *skb,
		protoff, matchoff, matchlen, exp);
		else {
		/* Can't expect this? Best to drop packet now. */
		if (nf_ct_expect_related(exp) != 0)
		if (nf_ct_expect_related(exp) != 0) {
		nf_ct_helper_log(skb, ct, "cannot add expectation");
		ret = NF_DROP;
		else
		} else
		ret = NF_ACCEPT;
		}