
Commit 7b621c1e authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller

[NETFILTER]: ctnetlink: rework conntrack fields dumping logic on events



               |   NEW   | UPDATE  | DESTROY |
     ----------------------------------------|
     tuples    |    Y    |    Y    |    Y    |
     status    |    Y    |    Y    |    N    |
     timeout   |    Y    |    Y    |    N    |
     protoinfo |    S    |    S    |    N    |
     helper    |    S    |    S    |    N    |
     mark      |    S    |    S    |    N    |
     counters  |    F    |    F    |    Y    |

 Leyend:
         Y: yes
         N: no
         S: iif the field is set
	 F: iif overflow

This patch also replaces IPCT_HELPINFO with IPCT_HELPER since we want to
track the helper assignment process, not the changes in the private
information held by the helper.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent bbb3357d
+27 −22
@@ -320,8 +320,6 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
	} else if (events & (IPCT_NEW | IPCT_RELATED)) {
		type = IPCTNL_MSG_CT_NEW;
		flags = NLM_F_CREATE|NLM_F_EXCL;
		/* dump everything */
		events = ~0UL;
		group = NFNLGRP_CONNTRACK_NEW;
	} else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
		type = IPCTNL_MSG_CT_NEW;
@@ -357,27 +355,34 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
		goto nfattr_failure;
	NFA_NEST_END(skb, nest_parms);

	/* NAT stuff is now a status flag */
	if ((events & IPCT_STATUS || events & IPCT_NATINFO)
	    && ctnetlink_dump_status(skb, ct) < 0)
	if (events & IPCT_DESTROY) {
		if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
		    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
			goto nfattr_failure;
	if (events & IPCT_REFRESH
	    && ctnetlink_dump_timeout(skb, ct) < 0)
	} else {
		if (ctnetlink_dump_status(skb, ct) < 0)
			goto nfattr_failure;

		if (ctnetlink_dump_timeout(skb, ct) < 0)
			goto nfattr_failure;

		if (events & IPCT_PROTOINFO
		    && ctnetlink_dump_protoinfo(skb, ct) < 0)
		    	goto nfattr_failure;
	if (events & IPCT_HELPINFO

		if ((events & IPCT_HELPER || ct->helper)
		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
		    	goto nfattr_failure;

	if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
	    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
		if ((events & IPCT_MARK || ct->mark)
		    && ctnetlink_dump_mark(skb, ct) < 0)
		    	goto nfattr_failure;

	if (events & IPCT_MARK
	    && ctnetlink_dump_mark(skb, ct) < 0)
		if (events & IPCT_COUNTER_FILLING &&
		    (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
		     ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0))
			goto nfattr_failure;
	}

	nlh->nlmsg_len = skb->tail - b;
	nfnetlink_send(skb, 0, group, 0);
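Review bot: In the non-destroy branch, protoinfo is the only field from the commit message's "S" row that is still gated purely on its event bit (`events & IPCT_PROTOINFO`), while helper and mark fall back to a presence test (`|| ct->helper`, `|| ct->mark`); with the `events = ~0UL` line removed from the IPCT_NEW branch in the first hunk, a new conntrack carries protoinfo only if the caller also raised IPCT_PROTOINFO, which is not visible here, so the table's "S" for protoinfo may not hold. If that is intended, a comment on that `if` would save the next reader the same question, e.g. `/* no "is set" test exists for protoinfo: rely on the IPCT_PROTOINFO event bit */`; otherwise the gate needs a presence check comparable to the helper/mark ones. The `&`-inside-`||` conditions such as `events & IPCT_HELPER || ct->helper` are correct but terse; parenthesising each `&` term, e.g. `((events & IPCT_HELPER) || ct->helper)`, would make the precedence explicit. The same change appears in the second file section below (with `nfct_help(ct)` in place of `ct->helper`) and these notes apply there too. ctnetlink_conntrack_event starts before and ends after this hunk.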
+27 −22
@@ -331,8 +331,6 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
	} else  if (events & (IPCT_NEW | IPCT_RELATED)) {
		type = IPCTNL_MSG_CT_NEW;
		flags = NLM_F_CREATE|NLM_F_EXCL;
		/* dump everything */
		events = ~0UL;
		group = NFNLGRP_CONNTRACK_NEW;
	} else  if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
		type = IPCTNL_MSG_CT_NEW;
@@ -368,27 +366,34 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
		goto nfattr_failure;
	NFA_NEST_END(skb, nest_parms);

	/* NAT stuff is now a status flag */
	if ((events & IPCT_STATUS || events & IPCT_NATINFO)
	    && ctnetlink_dump_status(skb, ct) < 0)
	if (events & IPCT_DESTROY) {
		if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
		    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
			goto nfattr_failure;
	if (events & IPCT_REFRESH
	    && ctnetlink_dump_timeout(skb, ct) < 0)
	} else {
		if (ctnetlink_dump_status(skb, ct) < 0)
			goto nfattr_failure;

		if (ctnetlink_dump_timeout(skb, ct) < 0)
			goto nfattr_failure;

		if (events & IPCT_PROTOINFO
		    && ctnetlink_dump_protoinfo(skb, ct) < 0)
		    	goto nfattr_failure;
	if (events & IPCT_HELPINFO

		if ((events & IPCT_HELPER || nfct_help(ct))
		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
		    	goto nfattr_failure;

	if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
	    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
		if ((events & IPCT_MARK || ct->mark)
		    && ctnetlink_dump_mark(skb, ct) < 0)
		    	goto nfattr_failure;

	if (events & IPCT_MARK
	    && ctnetlink_dump_mark(skb, ct) < 0)
		if (events & IPCT_COUNTER_FILLING &&
		    (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
		     ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0))
			goto nfattr_failure;
	}

	nlh->nlmsg_len = skb->tail - b;
	nfnetlink_send(skb, 0, group, 0);