
Commit ff4ca827 authored by Pablo Neira Ayuso, committed by David S. Miller

[NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks



ctnetlink must return EEXIST for existing nat'ed conntracks instead of
EINVAL. Only return EINVAL if we try to update a conntrack with NAT
handling (that is not allowed).

Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat
TEST: create conntrack (0)(Success)
Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat
TEST: create conntrack (-1)(Invalid argument)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 3af8e31c
+9 −8
@@ -1052,17 +1052,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
	}
	/* implicit 'else' */

	/* We manipulate the conntrack inside the global conntrack table lock,
	 * so there's no need to increase the refcount */
	err = -EEXIST;
	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
		/* we only allow nat config for new conntracks */
		if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
			err = -EINVAL;
			goto out_unlock;
		}

	/* We manipulate the conntrack inside the global conntrack table lock,
	 * so there's no need to increase the refcount */
	err = -EEXIST;
	if (!(nlh->nlmsg_flags & NLM_F_EXCL))
		err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
		err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
						 cda);
	}

out_unlock:
	write_unlock_bh(&nf_conntrack_lock);
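Review bot: the `goto out_unlock` after `err = -EINVAL` inside the new NLM_F_EXCL-cleared block is redundant, since the only statement following the inner `if` is the `ctnetlink_change_conntrack()` call and control falls through to `out_unlock:` right after the closing brace anyway; an `else` around the `ctnetlink_change_conntrack()` call would express the same without a jump. The control flow otherwise matches the commit message: because `err` is preset to `-EEXIST` before the test, a request for an existing entry that carries `NLM_F_EXCL` skips the block and returns `-EEXIST` regardless of whether `CTA_NAT_SRC`/`CTA_NAT_DST` are present, and only an update attempt (no `NLM_F_EXCL`) that carries NAT attributes reaches `-EINVAL`. The commit message only shows the pre-patch run of `conntrack_create_nat` ("Invalid argument"); including the post-patch run, which should now report EEXIST ("File exists") on the second create, would document the behavioural change directly.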