Commit df6fb868 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: nfnetlink: convert to generic netlink attribute functions

Get rid of the duplicated rtnetlink macros and use the generic netlink
attribute functions. The old duplicated stuff is moved to a new header
file that exists just for userspace.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7c8d4cb4
...@@ -40,5 +40,6 @@ unifdef-y += nf_conntrack_common.h ...@@ -40,5 +40,6 @@ unifdef-y += nf_conntrack_common.h
unifdef-y += nf_conntrack_ftp.h unifdef-y += nf_conntrack_ftp.h
unifdef-y += nf_conntrack_tcp.h unifdef-y += nf_conntrack_tcp.h
unifdef-y += nfnetlink.h unifdef-y += nfnetlink.h
unifdef-y += nfnetlink_compat.h
unifdef-y += x_tables.h unifdef-y += x_tables.h
unifdef-y += xt_physdev.h unifdef-y += xt_physdev.h
#ifndef _NFNETLINK_H #ifndef _NFNETLINK_H
#define _NFNETLINK_H #define _NFNETLINK_H
#include <linux/types.h> #include <linux/types.h>
#include <linux/netfilter/nfnetlink_compat.h>
#ifndef __KERNEL__
/* nfnetlink groups: Up to 32 maximum - backwards compatibility for userspace */
#define NF_NETLINK_CONNTRACK_NEW 0x00000001
#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
#endif
enum nfnetlink_groups { enum nfnetlink_groups {
NFNLGRP_NONE, NFNLGRP_NONE,
...@@ -31,48 +22,6 @@ enum nfnetlink_groups { ...@@ -31,48 +22,6 @@ enum nfnetlink_groups {
}; };
#define NFNLGRP_MAX (__NFNLGRP_MAX - 1) #define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
/* Generic structure for encapsulation optional netfilter information.
* It is reminiscent of sockaddr, but with sa_family replaced
* with attribute type.
* ! This should someday be put somewhere generic as now rtnetlink and
* ! nfnetlink use the same attributes methods. - J. Schulist.
*/
struct nfattr
{
u_int16_t nfa_len;
u_int16_t nfa_type; /* we use 15 bits for the type, and the highest
* bit to indicate whether the payload is nested */
};
/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
* rtnetlink.h, it's time to put this in a generic file */
#define NFNL_NFA_NEST 0x8000
#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff)
#define NFA_ALIGNTO 4
#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
&& (nfa)->nfa_len <= (len))
#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
(struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
#define NFA_NEST(skb, type) \
({ struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
__start; })
#define NFA_NEST_END(skb, start) \
({ (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
(skb)->len; })
#define NFA_NEST_CANCEL(skb, start) \
({ if (start) \
skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
-1; })
/* General form of address family dependent message. /* General form of address family dependent message.
*/ */
struct nfgenmsg { struct nfgenmsg {
...@@ -83,10 +32,6 @@ struct nfgenmsg { ...@@ -83,10 +32,6 @@ struct nfgenmsg {
#define NFNETLINK_V0 0 #define NFNETLINK_V0 0
#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
+ NLMSG_ALIGN(sizeof(struct nfgenmsg))))
#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
/* netfilter netlink message types are split in two pieces: /* netfilter netlink message types are split in two pieces:
* 8 bit subsystem, 8bit operation. * 8 bit subsystem, 8bit operation.
*/ */
...@@ -107,12 +52,13 @@ struct nfgenmsg { ...@@ -107,12 +52,13 @@ struct nfgenmsg {
#include <linux/netlink.h> #include <linux/netlink.h>
#include <linux/capability.h> #include <linux/capability.h>
#include <net/netlink.h>
struct nfnl_callback struct nfnl_callback
{ {
int (*call)(struct sock *nl, struct sk_buff *skb, int (*call)(struct sock *nl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nfattr *cda[]); struct nlmsghdr *nlh, struct nlattr *cda[]);
u_int16_t attr_count; /* number of nfattr's */ u_int16_t attr_count; /* number of nlattr's */
}; };
struct nfnetlink_subsystem struct nfnetlink_subsystem
...@@ -123,27 +69,15 @@ struct nfnetlink_subsystem ...@@ -123,27 +69,15 @@ struct nfnetlink_subsystem
const struct nfnl_callback *cb; /* callback for individual types */ const struct nfnl_callback *cb; /* callback for individual types */
}; };
extern void __nfa_fill(struct sk_buff *skb, int attrtype,
int attrlen, const void *data);
#define NFA_PUT(skb, attrtype, attrlen, data) \
({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \
__nfa_fill(skb, attrtype, attrlen, data); })
extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n); extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n); extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
extern void nfattr_parse(struct nfattr *tb[], int maxattr,
struct nfattr *nfa, int len);
#define nfattr_parse_nested(tb, max, nfa) \
nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa)))
#define nfattr_bad_size(tb, max, cta_min) \ #define nfattr_bad_size(tb, max, cta_min) \
({ int __i, __res = 0; \ ({ int __i, __res = 0; \
for (__i=0; __i<max; __i++) { \ for (__i=1; __i <= max; __i++) { \
if (!cta_min[__i]) \ if (!cta_min[__i]) \
continue; \ continue; \
if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \ if (tb[__i] && nla_len(tb[__i]) < cta_min[__i]){ \
__res = 1; \ __res = 1; \
break; \ break; \
} \ } \
......
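Review bot: `nfattr_bad_size` now walks `__i` from 1 through `max` inclusive, so every table passed as `cta_min` must have `max + 1` entries or the last iteration reads one element past its end. The tables visible on this page were all resized to `[..._MAX+1]`, but two file diffs are collapsed here and cannot be checked. A compile-time guard inside the macro would catch a missed table, e.g. `BUILD_BUG_ON(ARRAY_SIZE(cta_min) != (max) + 1);`, alongside a one-line comment that both `tb` and `cta_min` are indexed by attribute type and slot 0 is unused. The macro body continues past the end of this section.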
#ifndef _NFNETLINK_COMPAT_H
#define _NFNETLINK_COMPAT_H
#ifndef __KERNEL
/* Old nfnetlink macros for userspace */
/* nfnetlink groups: Up to 32 maximum */
#define NF_NETLINK_CONNTRACK_NEW 0x00000001
#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
/* Generic structure for encapsulation optional netfilter information.
* It is reminiscent of sockaddr, but with sa_family replaced
* with attribute type.
* ! This should someday be put somewhere generic as now rtnetlink and
* ! nfnetlink use the same attributes methods. - J. Schulist.
*/
struct nfattr
{
u_int16_t nfa_len;
u_int16_t nfa_type; /* we use 15 bits for the type, and the highest
* bit to indicate whether the payload is nested */
};
/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
* rtnetlink.h, it's time to put this in a generic file */
#define NFNL_NFA_NEST 0x8000
#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff)
#define NFA_ALIGNTO 4
#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
&& (nfa)->nfa_len <= (len))
#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
(struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
#define NFA_NEST(skb, type) \
({ struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
__start; })
#define NFA_NEST_END(skb, start) \
({ (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
(skb)->len; })
#define NFA_NEST_CANCEL(skb, start) \
({ if (start) \
skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
-1; })
#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
+ NLMSG_ALIGN(sizeof(struct nfgenmsg))))
#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
#endif /* ! __KERNEL__ */
#endif /* _NFNETLINK_COMPAT_H */
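Review bot: The guard at the top of this new header reads `#ifndef __KERNEL`, while its own closing comment and the block removed from nfnetlink.h use `__KERNEL__`. If `__KERNEL` is never defined (it does not appear anywhere else on this page), the block is also compiled in kernel builds. That would keep `struct nfattr`, `NFA_DATA`, `NFA_PAYLOAD` and the other old macros visible to kernel code, so a call site missed by this conversion would still compile and would index the attribute table with the old `type-1` convention against the new type-indexed arrays. The guard should be `#ifndef __KERNEL__`.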
...@@ -11,11 +11,10 @@ ...@@ -11,11 +11,10 @@
#ifndef _NF_CONNTRACK_L3PROTO_H #ifndef _NF_CONNTRACK_L3PROTO_H
#define _NF_CONNTRACK_L3PROTO_H #define _NF_CONNTRACK_L3PROTO_H
#include <linux/netlink.h>
#include <linux/seq_file.h> #include <linux/seq_file.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
struct nfattr;
struct nf_conntrack_l3proto struct nf_conntrack_l3proto
{ {
/* L3 Protocol Family number. ex) PF_INET */ /* L3 Protocol Family number. ex) PF_INET */
...@@ -67,7 +66,7 @@ struct nf_conntrack_l3proto ...@@ -67,7 +66,7 @@ struct nf_conntrack_l3proto
int (*tuple_to_nfattr)(struct sk_buff *skb, int (*tuple_to_nfattr)(struct sk_buff *skb,
const struct nf_conntrack_tuple *t); const struct nf_conntrack_tuple *t);
int (*nfattr_to_tuple)(struct nfattr *tb[], int (*nfattr_to_tuple)(struct nlattr *tb[],
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
......
...@@ -9,10 +9,10 @@ ...@@ -9,10 +9,10 @@
#ifndef _NF_CONNTRACK_L4PROTO_H #ifndef _NF_CONNTRACK_L4PROTO_H
#define _NF_CONNTRACK_L4PROTO_H #define _NF_CONNTRACK_L4PROTO_H
#include <linux/netlink.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
struct seq_file; struct seq_file;
struct nfattr;
struct nf_conntrack_l4proto struct nf_conntrack_l4proto
{ {
...@@ -65,15 +65,15 @@ struct nf_conntrack_l4proto ...@@ -65,15 +65,15 @@ struct nf_conntrack_l4proto
int pf, unsigned int hooknum); int pf, unsigned int hooknum);
/* convert protoinfo to nfnetink attributes */ /* convert protoinfo to nfnetink attributes */
int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, int (*to_nfattr)(struct sk_buff *skb, struct nlattr *nla,
const struct nf_conn *ct); const struct nf_conn *ct);
/* convert nfnetlink attributes to protoinfo */ /* convert nfnetlink attributes to protoinfo */
int (*from_nfattr)(struct nfattr *tb[], struct nf_conn *ct); int (*from_nfattr)(struct nlattr *tb[], struct nf_conn *ct);
int (*tuple_to_nfattr)(struct sk_buff *skb, int (*tuple_to_nfattr)(struct sk_buff *skb,
const struct nf_conntrack_tuple *t); const struct nf_conntrack_tuple *t);
int (*nfattr_to_tuple)(struct nfattr *tb[], int (*nfattr_to_tuple)(struct nlattr *tb[],
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
...@@ -113,7 +113,7 @@ extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto); ...@@ -113,7 +113,7 @@ extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
/* Generic netlink helpers */ /* Generic netlink helpers */
extern int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb, extern int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple); const struct nf_conntrack_tuple *tuple);
extern int nf_ct_port_nfattr_to_tuple(struct nfattr *tb[], extern int nf_ct_port_nfattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
/* Log invalid packets */ /* Log invalid packets */
......
...@@ -41,7 +41,7 @@ struct nf_nat_protocol ...@@ -41,7 +41,7 @@ struct nf_nat_protocol
int (*range_to_nfattr)(struct sk_buff *skb, int (*range_to_nfattr)(struct sk_buff *skb,
const struct nf_nat_range *range); const struct nf_nat_range *range);
int (*nfattr_to_range)(struct nfattr *tb[], int (*nfattr_to_range)(struct nlattr *tb[],
struct nf_nat_range *range); struct nf_nat_range *range);
}; };
...@@ -64,7 +64,7 @@ extern struct nf_nat_protocol *find_nat_proto(u_int16_t protonum); ...@@ -64,7 +64,7 @@ extern struct nf_nat_protocol *find_nat_proto(u_int16_t protonum);
extern int nf_nat_port_range_to_nfattr(struct sk_buff *skb, extern int nf_nat_port_range_to_nfattr(struct sk_buff *skb,
const struct nf_nat_range *range); const struct nf_nat_range *range);
extern int nf_nat_port_nfattr_to_range(struct nfattr *tb[], extern int nf_nat_port_nfattr_to_range(struct nlattr *tb[],
struct nf_nat_range *range); struct nf_nat_range *range);
#endif /*_NF_NAT_PROTO_H*/ #endif /*_NF_NAT_PROTO_H*/
...@@ -363,32 +363,32 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len) ...@@ -363,32 +363,32 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
static int ipv4_tuple_to_nfattr(struct sk_buff *skb, static int ipv4_tuple_to_nfattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple) const struct nf_conntrack_tuple *tuple)
{ {
NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), NLA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t),
&tuple->src.u3.ip); &tuple->src.u3.ip);
NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), NLA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t),
&tuple->dst.u3.ip); &tuple->dst.u3.ip);
return 0; return 0;
nfattr_failure: nla_put_failure:
return -1; return -1;
} }
static const size_t cta_min_ip[CTA_IP_MAX] = { static const size_t cta_min_ip[CTA_IP_MAX+1] = {
[CTA_IP_V4_SRC-1] = sizeof(u_int32_t), [CTA_IP_V4_SRC] = sizeof(u_int32_t),
[CTA_IP_V4_DST-1] = sizeof(u_int32_t), [CTA_IP_V4_DST] = sizeof(u_int32_t),
}; };
static int ipv4_nfattr_to_tuple(struct nfattr *tb[], static int ipv4_nfattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *t) struct nf_conntrack_tuple *t)
{ {
if (!tb[CTA_IP_V4_SRC-1] || !tb[CTA_IP_V4_DST-1]) if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
return -EINVAL; return -EINVAL;
if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip)) if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
return -EINVAL; return -EINVAL;
t->src.u3.ip = *(__be32 *)NFA_DATA(tb[CTA_IP_V4_SRC-1]); t->src.u3.ip = *(__be32 *)nla_data(tb[CTA_IP_V4_SRC]);
t->dst.u3.ip = *(__be32 *)NFA_DATA(tb[CTA_IP_V4_DST-1]); t->dst.u3.ip = *(__be32 *)nla_data(tb[CTA_IP_V4_DST]);
return 0; return 0;
} }
......
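Review bot: Length validation for these attributes still lives in a hand-maintained size table (`cta_min_ip`) that `nfattr_bad_size` checks after parsing, the one piece of the old scheme this conversion keeps. The generic API can enforce the same minimums at parse time through a `struct nla_policy` table (for example `[CTA_IP_V4_SRC] = { .type = NLA_U32 }`) handed to `nla_parse`/`nla_parse_nested` instead of `NULL`, which removes the chance of a size table and its accessors drifting apart. The same pattern appears in the ICMP, IPv6, ICMPv6, port-tuple and TCP sections of this commit. The parse call that fills `tb` for `ipv4_nfattr_to_tuple` is not in this section, so where the policy would be passed needs confirming against the caller.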
...@@ -235,42 +235,42 @@ icmp_error(struct sk_buff *skb, unsigned int dataoff, ...@@ -235,42 +235,42 @@ icmp_error(struct sk_buff *skb, unsigned int dataoff,
static int icmp_tuple_to_nfattr(struct sk_buff *skb, static int icmp_tuple_to_nfattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *t) const struct nf_conntrack_tuple *t)
{ {
NFA_PUT(skb, CTA_PROTO_ICMP_ID, sizeof(u_int16_t), NLA_PUT(skb, CTA_PROTO_ICMP_ID, sizeof(u_int16_t),
&t->src.u.icmp.id); &t->src.u.icmp.id);
NFA_PUT(skb, CTA_PROTO_ICMP_TYPE, sizeof(u_int8_t), NLA_PUT(skb, CTA_PROTO_ICMP_TYPE, sizeof(u_int8_t),
&t->dst.u.icmp.type); &t->dst.u.icmp.type);
NFA_PUT(skb, CTA_PROTO_ICMP_CODE, sizeof(u_int8_t), NLA_PUT(skb, CTA_PROTO_ICMP_CODE, sizeof(u_int8_t),
&t->dst.u.icmp.code); &t->dst.u.icmp.code);
return 0; return 0;
nfattr_failure: nla_put_failure:
return -1; return -1;
} }
static const size_t cta_min_proto[CTA_PROTO_MAX] = { static const size_t cta_min_proto[CTA_PROTO_MAX+1] = {
[CTA_PROTO_ICMP_TYPE-1] = sizeof(u_int8_t), [CTA_PROTO_ICMP_TYPE] = sizeof(u_int8_t),
[CTA_PROTO_ICMP_CODE-1] = sizeof(u_int8_t), [CTA_PROTO_ICMP_CODE] = sizeof(u_int8_t),
[CTA_PROTO_ICMP_ID-1] = sizeof(u_int16_t) [CTA_PROTO_ICMP_ID] = sizeof(u_int16_t)
}; };
static int icmp_nfattr_to_tuple(struct nfattr *tb[], static int icmp_nfattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *tuple) struct nf_conntrack_tuple *tuple)
{ {
if (!tb[CTA_PROTO_ICMP_TYPE-1] if (!tb[CTA_PROTO_ICMP_TYPE]
|| !tb[CTA_PROTO_ICMP_CODE-1] || !tb[CTA_PROTO_ICMP_CODE]
|| !tb[CTA_PROTO_ICMP_ID-1]) || !tb[CTA_PROTO_ICMP_ID])
return -EINVAL; return -EINVAL;
if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto)) if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
return -EINVAL; return -EINVAL;
tuple->dst.u.icmp.type = tuple->dst.u.icmp.type =
*(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_TYPE-1]); *(u_int8_t *)nla_data(tb[CTA_PROTO_ICMP_TYPE]);
tuple->dst.u.icmp.code = tuple->dst.u.icmp.code =
*(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_CODE-1]); *(u_int8_t *)nla_data(tb[CTA_PROTO_ICMP_CODE]);
tuple->src.u.icmp.id = tuple->src.u.icmp.id =
*(__be16 *)NFA_DATA(tb[CTA_PROTO_ICMP_ID-1]); *(__be16 *)nla_data(tb[CTA_PROTO_ICMP_ID]);
if (tuple->dst.u.icmp.type >= sizeof(invmap) if (tuple->dst.u.icmp.type >= sizeof(invmap)
|| !invmap[tuple->dst.u.icmp.type]) || !invmap[tuple->dst.u.icmp.type])
......
...@@ -547,38 +547,38 @@ int ...@@ -547,38 +547,38 @@ int
nf_nat_port_range_to_nfattr(struct sk_buff *skb, nf_nat_port_range_to_nfattr(struct sk_buff *skb,
const struct nf_nat_range *range) const struct nf_nat_range *range)
{ {
NFA_PUT(skb, CTA_PROTONAT_PORT_MIN, sizeof(__be16), NLA_PUT(skb, CTA_PROTONAT_PORT_MIN, sizeof(__be16),
&range->min.tcp.port); &range->min.tcp.port);
NFA_PUT(skb, CTA_PROTONAT_PORT_MAX, sizeof(__be16), NLA_PUT(skb, CTA_PROTONAT_PORT_MAX, sizeof(__be16),
&range->max.tcp.port); &range->max.tcp.port);
return 0; return 0;
nfattr_failure: nla_put_failure:
return -1; return -1;
} }
EXPORT_SYMBOL_GPL(nf_nat_port_nfattr_to_range); EXPORT_SYMBOL_GPL(nf_nat_port_nfattr_to_range);
int int
nf_nat_port_nfattr_to_range(struct nfattr *tb[], struct nf_nat_range *range) nf_nat_port_nfattr_to_range(struct nlattr *tb[], struct nf_nat_range *range)
{ {
int ret = 0; int ret = 0;
/* we have to return whether we actually parsed something or not */ /* we have to return whether we actually parsed something or not */
if (tb[CTA_PROTONAT_PORT_MIN-1]) { if (tb[CTA_PROTONAT_PORT_MIN]) {
ret = 1; ret = 1;
range->min.tcp.port = range->min.tcp.port =
*(__be16 *)NFA_DATA(tb[CTA_PROTONAT_PORT_MIN-1]); *(__be16 *)nla_data(tb[CTA_PROTONAT_PORT_MIN]);
} }
if (!tb[CTA_PROTONAT_PORT_MAX-1]) { if (!tb[CTA_PROTONAT_PORT_MAX]) {
if (ret) if (ret)
range->max.tcp.port = range->min.tcp.port; range->max.tcp.port = range->min.tcp.port;
} else { } else {
ret = 1; ret = 1;
range->max.tcp.port = range->max.tcp.port =
*(__be16 *)NFA_DATA(tb[CTA_PROTONAT_PORT_MAX-1]); *(__be16 *)nla_data(tb[CTA_PROTONAT_PORT_MAX]);
} }
return ret; return ret;
......
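Review bot: `nf_nat_port_nfattr_to_range` dereferences `nla_data(tb[CTA_PROTONAT_PORT_MIN])` and `nla_data(tb[CTA_PROTONAT_PORT_MAX])` as `__be16` with no length check in the visible body; there is no `nfattr_bad_size` call here, unlike the other converters in this commit. Unless the caller (not shown) has already validated the payload length, an attribute shorter than two bytes would be read past its payload. A guard such as `if (nla_len(tb[CTA_PROTONAT_PORT_MIN]) < sizeof(__be16))` before each read, or a policy entry at the parse site, would close this. The function currently returns only 0 or 1, so an error return needs the caller to handle it. The function continues past the end of this section.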
...@@ -340,33 +340,33 @@ static ctl_table nf_ct_ipv6_sysctl_table[] = { ...@@ -340,33 +340,33 @@ static ctl_table nf_ct_ipv6_sysctl_table[] = {
static int ipv6_tuple_to_nfattr(struct sk_buff *skb, static int ipv6_tuple_to_nfattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple) const struct nf_conntrack_tuple *tuple)
{ {
NFA_PUT(skb, CTA_IP_V6_SRC, sizeof(u_int32_t) * 4, NLA_PUT(skb, CTA_IP_V6_SRC, sizeof(u_int32_t) * 4,
&tuple->src.u3.ip6); &tuple->src.u3.ip6);
NFA_PUT(skb, CTA_IP_V6_DST, sizeof(u_int32_t) * 4, NLA_PUT(skb, CTA_IP_V6_DST, sizeof(u_int32_t) * 4,
&tuple->dst.u3.ip6); &tuple->dst.u3.ip6);
return 0; return 0;
nfattr_failure: nla_put_failure:
return -1; return -1;
} }
static const size_t cta_min_ip[CTA_IP_MAX] = { static const size_t cta_min_ip[CTA_IP_MAX+1] = {
[CTA_IP_V6_SRC-1] = sizeof(u_int32_t)*4, [CTA_IP_V6_SRC] = sizeof(u_int32_t)*4,
[CTA_IP_V6_DST-1] = sizeof(u_int32_t)*4, [CTA_IP_V6_DST] = sizeof(u_int32_t)*4,
}; };
static int ipv6_nfattr_to_tuple(struct nfattr *tb[], static int ipv6_nfattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *t) struct nf_conntrack_tuple *t)
{ {
if (!tb[CTA_IP_V6_SRC-1] || !tb[CTA_IP_V6_DST-1]) if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])
return -EINVAL; return -EINVAL;
if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip)) if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
return -EINVAL; return -EINVAL;
memcpy(&t->src.u3.ip6, NFA_DATA(tb[CTA_IP_V6_SRC-1]), memcpy(&t->src.u3.ip6, nla_data(tb[CTA_IP_V6_SRC]),
sizeof(u_int32_t) * 4); sizeof(u_int32_t) * 4);
memcpy(&t->dst.u3.ip6, NFA_DATA(tb[CTA_IP_V6_DST-1]), memcpy(&t->dst.u3.ip6, nla_data(tb[CTA_IP_V6_DST]),
sizeof(u_int32_t) * 4); sizeof(u_int32_t) * 4);
return 0; return 0;
......
...@@ -213,42 +213,42 @@ icmpv6_error(struct sk_buff *skb, unsigned int dataoff, ...@@ -213,42 +213,42 @@ icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
static int icmpv6_tuple_to_nfattr(struct sk_buff *skb, static int icmpv6_tuple_to_nfattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *t) const struct nf_conntrack_tuple *t)
{ {
NFA_PUT(skb, CTA_PROTO_ICMPV6_ID, sizeof(u_int16_t), NLA_PUT(skb, CTA_PROTO_ICMPV6_ID, sizeof(u_int16_t),
&t->src.u.icmp.id); &t->src.u.icmp.id);
NFA_PUT(skb, CTA_PROTO_ICMPV6_TYPE, sizeof(u_int8_t), NLA_PUT(skb, CTA_PROTO_ICMPV6_TYPE, sizeof(u_int8_t),
&t->dst.u.icmp.type); &t->dst.u.icmp.type);
NFA_PUT(skb, CTA_PROTO_ICMPV6_CODE, sizeof(u_int8_t), NLA_PUT(skb, CTA_PROTO_ICMPV6_CODE, sizeof(u_int8_t),
&t->dst.u.icmp.code); &t->dst.u.icmp.code);
return 0; return 0;
nfattr_failure: nla_put_failure:
return -1; return -1;
} }
static const size_t cta_min_proto[CTA_PROTO_MAX] = { static const size_t cta_min_proto[CTA_PROTO_MAX+1] = {
[CTA_PROTO_ICMPV6_TYPE-1] = sizeof(u_int8_t), [CTA_PROTO_ICMPV6_TYPE] = sizeof(u_int8_t),
[CTA_PROTO_ICMPV6_CODE-1] = sizeof(u_int8_t), [CTA_PROTO_ICMPV6_CODE] = sizeof(u_int8_t),
[CTA_PROTO_ICMPV6_ID-1] = sizeof(u_int16_t) [CTA_PROTO_ICMPV6_ID] = sizeof(u_int16_t)
}; };
static int icmpv6_nfattr_to_tuple(struct nfattr *tb[], static int icmpv6_nfattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *tuple) struct nf_conntrack_tuple *tuple)
{ {
if (!tb[CTA_PROTO_ICMPV6_TYPE-1] if (!tb[CTA_PROTO_ICMPV6_TYPE]
|| !tb[CTA_PROTO_ICMPV6_CODE-1] || !tb[CTA_PROTO_ICMPV6_CODE]
|| !tb[CTA_PROTO_ICMPV6_ID-1]) || !tb[CTA_PROTO_ICMPV6_ID])
return -EINVAL; return -EINVAL;
if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto)) if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
return -EINVAL; return -EINVAL;
tuple->dst.u.icmp.type = tuple->dst.u.icmp.type =
*(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMPV6_TYPE-1]); *(u_int8_t *)nla_data(tb[CTA_PROTO_ICMPV6_TYPE]);
tuple->dst.u.icmp.code = tuple->dst.u.icmp.code =
*(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMPV6_CODE-1]); *(u_int8_t *)nla_data(tb[CTA_PROTO_ICMPV6_CODE]);
tuple->src.u.icmp.id = tuple->src.u.icmp.id =
*(__be16 *)NFA_DATA(tb[CTA_PROTO_ICMPV6_ID-1]); *(__be16 *)nla_data(tb[CTA_PROTO_ICMPV6_ID]);
if (tuple->dst.u.icmp.type < 128 if (tuple->dst.u.icmp.type < 128
|| tuple->dst.u.icmp.type - 128 >= sizeof(invmap) || tuple->dst.u.icmp.type - 128 >= sizeof(invmap)
......
...@@ -827,40 +827,39 @@ EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct); ...@@ -827,40 +827,39 @@ EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
#include <linux/netfilter/nfnetlink_conntrack.h> #include <linux/netfilter/nfnetlink_conntrack.h>
#include <linux/mutex.h> #include <linux/mutex.h>
/* Generic function for tcp/udp/sctp/dccp and alike. This needs to be /* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
* in ip_conntrack_core, since we don't want the protocols to autoload * in ip_conntrack_core, since we don't want the protocols to autoload
* or depend on ctnetlink */ * or depend on ctnetlink */
int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb, int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple) const struct nf_conntrack_tuple *tuple)
{ {
NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(u_int16_t), NLA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(u_int16_t),
&tuple->src.u.tcp.port); &tuple->src.u.tcp.port);
NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(u_int16_t), NLA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(u_int16_t),
&tuple->dst.u.tcp.port); &tuple->dst.u.tcp.port);
return 0; return 0;
nfattr_failure: nla_put_failure:
return -1; return -1;
} }
EXPORT_SYMBOL_GPL(nf_ct_port_tuple_to_nfattr); EXPORT_SYMBOL_GPL(nf_ct_port_tuple_to_nfattr);
static const size_t cta_min_proto[CTA_PROTO_MAX] = { static const size_t cta_min_proto[CTA_PROTO_MAX+1] = {
[CTA_PROTO_SRC_PORT-1] = sizeof(u_int16_t), [CTA_PROTO_SRC_PORT] = sizeof(u_int16_t),
[CTA_PROTO_DST_PORT-1] = sizeof(u_int16_t) [CTA_PROTO_DST_PORT] = sizeof(u_int16_t)
}; };
int nf_ct_port_nfattr_to_tuple(struct nfattr *tb[], int nf_ct_port_nfattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *t) struct nf_conntrack_tuple *t)
{ {
if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1]) if (!tb[CTA_PROTO_SRC_PORT] || !tb[CTA_PROTO_DST_PORT])
return -EINVAL; return -EINVAL;
if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto)) if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
return -EINVAL; return -EINVAL;
t->src.u.tcp.port = *(__be16 *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]); t->src.u.tcp.port = *(__be16 *)nla_data(tb[CTA_PROTO_SRC_PORT]);
t->dst.u.tcp.port = *(__be16 *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]); t->dst.u.tcp.port = *(__be16 *)nla_data(tb[CTA_PROTO_DST_PORT]);
return 0; return 0;
} }
......
...@@ -1067,93 +1067,96 @@ static int tcp_new(struct nf_conn *conntrack, ...@@ -1067,93 +1067,96 @@ static int tcp_new(struct nf_conn *conntrack,
#include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h> #include <linux/netfilter/nfnetlink_conntrack.h>
static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa, static int tcp_to_nfattr(struct sk_buff *skb, struct nlattr *nla,
const struct nf_conn *ct) const struct nf_conn *ct)
{ {
struct nfattr *nest_parms; struct nlattr *nest_parms;
struct nf_ct_tcp_flags tmp = {}; struct nf_ct_tcp_flags tmp = {};
read_lock_bh(&tcp_lock); read_lock_bh(&tcp_lock);
nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP); nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP | NLA_F_NESTED);
NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), if (!nest_parms)
goto nla_put_failure;
NLA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t),
&ct->proto.tcp.state); &ct->proto.tcp.state);
NFA_PUT(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL, sizeof(u_int8_t), NLA_PUT(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL, sizeof(u_int8_t),
&ct->proto.tcp.seen[0].td_scale); &ct->proto.tcp.seen[0].td_scale);
NFA_PUT(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY, sizeof(u_int8_t), NLA_PUT(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY, sizeof(u_int8_t),
&ct->proto.tcp.seen[1].td_scale); &ct->proto.tcp.seen[1].td_scale);
tmp.flags = ct->proto.tcp.seen[0].flags; tmp.flags = ct->proto.tcp.seen[0].flags;
NFA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL, NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
sizeof(struct nf_ct_tcp_flags), &tmp); sizeof(struct nf_ct_tcp_flags), &tmp);
tmp.flags = ct->proto.tcp.seen[1].flags; tmp.flags = ct->proto.tcp.seen[1].flags;
NFA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY, NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY,
sizeof(struct nf_ct_tcp_flags), &tmp); sizeof(struct nf_ct_tcp_flags), &tmp);
read_unlock_bh(&tcp_lock); read_unlock_bh(&tcp_lock);
NFA_NEST_END(skb, nest_parms); nla_nest_end(skb, nest_parms);
return 0; return 0;
nfattr_failure: nla_put_failure:
read_unlock_bh(&tcp_lock); read_unlock_bh(&tcp_lock);
return -1; return -1;
} }
static const size_t cta_min_tcp[CTA_PROTOINFO_TCP_MAX] = { static const size_t cta_min_tcp[CTA_PROTOINFO_TCP_MAX+1] = {
[CTA_PROTOINFO_TCP_STATE-1] = sizeof(u_int8_t), [CTA_PROTOINFO_TCP_STATE] = sizeof(u_int8_t),
[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL-1] = sizeof(u_int8_t), [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = sizeof(u_int8_t),
[CTA_PROTOINFO_TCP_WSCALE_REPLY-1] = sizeof(u_int8_t), [CTA_PROTOINFO_TCP_WSCALE_REPLY] = sizeof(u_int8_t),
[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL-1] = sizeof(struct nf_ct_tcp_flags), [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = sizeof(struct nf_ct_tcp_flags),
[CTA_PROTOINFO_TCP_FLAGS_REPLY-1] = sizeof(struct nf_ct_tcp_flags) [CTA_PROTOINFO_TCP_FLAGS_REPLY] = sizeof(struct nf_ct_tcp_flags)
}; };
static int nfattr_to_tcp(struct nfattr *cda[], struct nf_conn *ct) static int nfattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
{ {
struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1]; struct nlattr *attr = cda[CTA_PROTOINFO_TCP];
struct nfattr *tb[CTA_PROTOINFO_TCP_MAX]; struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
/* updates could not contain anything about the private /* updates could not contain anything about the private
* protocol info, in that case skip the parsing */ * protocol info, in that case skip the parsing */
if (!attr) if (!attr)
return 0; return 0;
nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr); nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr, NULL);
if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp)) if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp))
return -EINVAL; return -EINVAL;
if (!tb[CTA_PROTOINFO_TCP_STATE-1]) if (!tb[CTA_PROTOINFO_TCP_STATE])
return -EINVAL; return -EINVAL;
write_lock_bh(&tcp_lock); write_lock_bh(&tcp_lock);
ct->proto.tcp.state = ct->proto.tcp.state =
*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); *(u_int8_t *)nla_data(tb[CTA_PROTOINFO_TCP_STATE]);
if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL-1]) { if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
struct nf_ct_tcp_flags *attr = struct nf_ct_tcp_flags *attr =
NFA_DATA(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL-1]); nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]);
ct->proto.tcp.seen[0].flags &= ~attr->mask; ct->proto.tcp.seen[0].flags &= ~attr->mask;
ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask; ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask;
} }
if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY-1]) { if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) {
struct nf_ct_tcp_flags *attr = struct nf_ct_tcp_flags *attr =
NFA_DATA(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY-1]); nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]);
ct->proto.tcp.seen[1].flags &= ~attr->mask; ct->proto.tcp.seen[1].flags &= ~attr->mask;
ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask; ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask;
} }
if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL-1] && if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] &&
tb[CTA_PROTOINFO_TCP_WSCALE_REPLY-1] && tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] &&
ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE && ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) { ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
ct->proto.tcp.seen[0].td_scale = *(u_int8_t *) ct->proto.tcp.seen[0].td_scale = *(u_int8_t *)
NFA_DATA(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL-1]); nla_data(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]);
ct->proto.tcp.seen[1].td_scale = *(u_int8_t *) ct->proto.tcp.seen[1].td_scale = *(u_int8_t *)
NFA_DATA(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY-1]); nla_data(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]);
} }
write_unlock_bh(&tcp_lock); write_unlock_bh(&tcp_lock);
......
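Review bot: In `nfattr_to_tcp` the value read from `CTA_PROTOINFO_TCP_STATE` is stored into `ct->proto.tcp.state` with only its size checked, not its range. The attribute comes from a netlink message, so a value outside the state enum would be written into the conntrack entry. Whether it is later used as a table index is not visible here, but a bound check before taking `tcp_lock` is cheap: `if (*(u_int8_t *)nla_data(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX) return -EINVAL;`. The return value of `nla_parse_nested` is also discarded. The function body continues past the end of this section.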
...@@ -111,44 +111,17 @@ nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss) ...@@ -111,44 +111,17 @@ nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss)
return &ss->cb[cb_id]; return &ss->cb[cb_id];
} }
void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen,
const void *data)
{
struct nfattr *nfa;
int size = NFA_LENGTH(attrlen);
nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size));
nfa->nfa_type = attrtype;
nfa->nfa_len = size;
memcpy(NFA_DATA(nfa), data, attrlen);
memset(NFA_DATA(nfa) + attrlen, 0, NFA_ALIGN(size) - size);
}
EXPORT_SYMBOL_GPL(__nfa_fill);
void nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)
{
memset(tb, 0, sizeof(struct nfattr *) * maxattr);
while (NFA_OK(nfa, len)) {
unsigned flavor = NFA_TYPE(nfa);
if (flavor && flavor <= maxattr)
tb[flavor-1] = nfa;
nfa = NFA_NEXT(nfa, len);
}
}
EXPORT_SYMBOL_GPL(nfattr_parse);
/** /**
* nfnetlink_check_attributes - check and parse nfnetlink attributes * nfnetlink_check_attributes - check and parse nfnetlink attributes
* *
* subsys: nfnl subsystem for which this message is to be parsed * subsys: nfnl subsystem for which this message is to be parsed
* nlmsghdr: netlink message to be checked/parsed * nlmsghdr: netlink message to be checked/parsed
* cda: array of pointers, needs to be at least subsys->attr_count big * cda: array of pointers, needs to be at least subsys->attr_count+1 big
* *
*/ */
static int static int
nfnetlink_check_attributes(const struct nfnetlink_subsystem *subsys, nfnetlink_check_attributes(const struct nfnetlink_subsystem *subsys,
struct nlmsghdr *nlh, struct nfattr *cda[]) struct nlmsghdr *nlh, struct nlattr *cda[])
{ {
int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type); u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type);
...@@ -156,9 +129,9 @@ nfnetlink_check_attributes(const struct nfnetlink_subsystem *subsys, ...@@ -156,9 +129,9 @@ nfnetlink_check_attributes(const struct nfnetlink_subsystem *subsys,
/* check attribute lengths. */ /* check attribute lengths. */
if (likely(nlh->nlmsg_len > min_len)) { if (likely(nlh->nlmsg_len > min_len)) {
struct nfattr *attr = NFM_NFA(NLMSG_DATA(nlh)); struct nlattr *attr = (void *)nlh + NLMSG_ALIGN(min_len);
int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
nfattr_parse(cda, attr_count, attr, attrlen); nla_parse(cda, attr_count, attr, attrlen, NULL);
} }
/* implicit: if nlmsg_len == min_len, we return 0, and an empty /* implicit: if nlmsg_len == min_len, we return 0, and an empty
...@@ -230,9 +203,9 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -230,9 +203,9 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{ {
u_int16_t attr_count = u_int16_t attr_count =
ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count; ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;
struct nfattr *cda[attr_count]; struct nlattr *cda[attr_count+1];
memset(cda, 0, sizeof(struct nfattr *) * attr_count); memset(cda, 0, sizeof(struct nlattr *) * attr_count);
err = nfnetlink_check_attributes(ss, nlh, cda); err = nfnetlink_check_attributes(ss, nlh, cda);
if (err < 0) if (err < 0)
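Review bot: In nfnetlink_rcv_msg the array grows to `cda[attr_count+1]`, but the `memset` below it still clears only `attr_count` pointers, so `cda[attr_count]` is left holding whatever was on the stack. nfnetlink_check_attributes calls `nla_parse` (which clears the table itself) only when `nlmsg_len > min_len`, so for a message that carries no attributes nothing else zeroes that last slot. A callback that tests its highest-numbered attribute would then see a non-NULL garbage pointer on a path driven by a userspace message. Clear the whole array instead: `memset(cda, 0, sizeof(struct nlattr *) * (attr_count + 1));`. The body of nfnetlink_rcv_msg starts and ends outside this hunk.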
......
This diff is collapsed.
...@@ -299,7 +299,7 @@ __nfqnl_set_mode(struct nfqnl_instance *queue, ...@@ -299,7 +299,7 @@ __nfqnl_set_mode(struct nfqnl_instance *queue,
case NFQNL_COPY_PACKET: case NFQNL_COPY_PACKET:
queue->copy_mode = mode; queue->copy_mode = mode;
/* we're using struct nfattr which has 16bit nfa_len */ /* we're using struct nlattr which has 16bit nla_len */
if (range > 0xffff) if (range > 0xffff)
queue->copy_range = 0xffff; queue->copy_range = 0xffff;
else else
...@@ -353,18 +353,17 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -353,18 +353,17 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
QDEBUG("entered\n"); QDEBUG("entered\n");
/* all macros expand to constant values at compile time */ size = NLMSG_ALIGN(sizeof(struct nfgenmsg))
size = NLMSG_SPACE(sizeof(struct nfgenmsg)) + + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
+ NFA_SPACE(sizeof(struct nfqnl_msg_packet_hdr)) + nla_total_size(sizeof(u_int32_t)) /* ifindex */
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */ + nla_total_size(sizeof(u_int32_t)) /* ifindex */
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
#ifdef CONFIG_BRIDGE_NETFILTER #ifdef CONFIG_BRIDGE_NETFILTER
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */ + nla_total_size(sizeof(u_int32_t)) /* ifindex */
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */ + nla_total_size(sizeof(u_int32_t)) /* ifindex */
#endif #endif
+ NFA_SPACE(sizeof(u_int32_t)) /* mark */ + nla_total_size(sizeof(u_int32_t)) /* mark */
+ NFA_SPACE(sizeof(struct nfqnl_msg_packet_hw)) + nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
+ NFA_SPACE(sizeof(struct nfqnl_msg_packet_timestamp)); + nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
outdev = entinf->outdev; outdev = entinf->outdev;
...@@ -389,7 +388,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -389,7 +388,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
else else
data_len = queue->copy_range; data_len = queue->copy_range;
size += NFA_SPACE(data_len); size += nla_total_size(data_len);
break; break;
default: default:
...@@ -417,33 +416,33 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -417,33 +416,33 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
pmsg.hw_protocol = entskb->protocol; pmsg.hw_protocol = entskb->protocol;
pmsg.hook = entinf->hook; pmsg.hook = entinf->hook;
NFA_PUT(skb, NFQA_PACKET_HDR, sizeof(pmsg), &pmsg); NLA_PUT(skb, NFQA_PACKET_HDR, sizeof(pmsg), &pmsg);
indev = entinf->indev; indev = entinf->indev;
if (indev) { if (indev) {
tmp_uint = htonl(indev->ifindex); tmp_uint = htonl(indev->ifindex);
#ifndef CONFIG_BRIDGE_NETFILTER #ifndef CONFIG_BRIDGE_NETFILTER
NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), &tmp_uint); NLA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), &tmp_uint);
#else #else
if (entinf->pf == PF_BRIDGE) { if (entinf->pf == PF_BRIDGE) {
/* Case 1: indev is physical input device, we need to /* Case 1: indev is physical input device, we need to
* look for bridge group (when called from * look for bridge group (when called from
* netfilter_bridge) */ * netfilter_bridge) */
NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), NLA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
/* this is the bridge group "brX" */ /* this is the bridge group "brX" */
tmp_uint = htonl(indev->br_port->br->dev->ifindex); tmp_uint = htonl(indev->br_port->br->dev->ifindex);
NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), NLA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
} else { } else {
/* Case 2: indev is bridge group, we need to look for /* Case 2: indev is bridge group, we need to look for
* physical device (when called from ipv4) */ * physical device (when called from ipv4) */
NFA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint), NLA_PUT(skb, NFQA_IFINDEX_INDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
if (entskb->nf_bridge if (entskb->nf_bridge
&& entskb->nf_bridge->physindev) { && entskb->nf_bridge->physindev) {
tmp_uint = htonl(entskb->nf_bridge->physindev->ifindex); tmp_uint = htonl(entskb->nf_bridge->physindev->ifindex);
NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, NLA_PUT(skb, NFQA_IFINDEX_PHYSINDEV,
sizeof(tmp_uint), &tmp_uint); sizeof(tmp_uint), &tmp_uint);
} }
} }
...@@ -453,27 +452,27 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -453,27 +452,27 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
if (outdev) { if (outdev) {
tmp_uint = htonl(outdev->ifindex); tmp_uint = htonl(outdev->ifindex);
#ifndef CONFIG_BRIDGE_NETFILTER #ifndef CONFIG_BRIDGE_NETFILTER
NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), &tmp_uint); NLA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), &tmp_uint);
#else #else
if (entinf->pf == PF_BRIDGE) { if (entinf->pf == PF_BRIDGE) {
/* Case 1: outdev is physical output device, we need to /* Case 1: outdev is physical output device, we need to
* look for bridge group (when called from * look for bridge group (when called from
* netfilter_bridge) */ * netfilter_bridge) */
NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint), NLA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
/* this is the bridge group "brX" */ /* this is the bridge group "brX" */
tmp_uint = htonl(outdev->br_port->br->dev->ifindex); tmp_uint = htonl(outdev->br_port->br->dev->ifindex);
NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), NLA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
} else { } else {
/* Case 2: outdev is bridge group, we need to look for /* Case 2: outdev is bridge group, we need to look for
* physical output device (when called from ipv4) */ * physical output device (when called from ipv4) */
NFA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint), NLA_PUT(skb, NFQA_IFINDEX_OUTDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
if (entskb->nf_bridge if (entskb->nf_bridge
&& entskb->nf_bridge->physoutdev) { && entskb->nf_bridge->physoutdev) {
tmp_uint = htonl(entskb->nf_bridge->physoutdev->ifindex); tmp_uint = htonl(entskb->nf_bridge->physoutdev->ifindex);
NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, NLA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV,
sizeof(tmp_uint), &tmp_uint); sizeof(tmp_uint), &tmp_uint);
} }
} }
...@@ -482,7 +481,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -482,7 +481,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
if (entskb->mark) { if (entskb->mark) {
tmp_uint = htonl(entskb->mark); tmp_uint = htonl(entskb->mark);
NFA_PUT(skb, NFQA_MARK, sizeof(u_int32_t), &tmp_uint); NLA_PUT(skb, NFQA_MARK, sizeof(u_int32_t), &tmp_uint);
} }
if (indev && entskb->dev) { if (indev && entskb->dev) {
...@@ -490,7 +489,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -490,7 +489,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
int len = dev_parse_header(entskb, phw.hw_addr); int len = dev_parse_header(entskb, phw.hw_addr);
if (len) { if (len) {
phw.hw_addrlen = htons(len); phw.hw_addrlen = htons(len);
NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw); NLA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw);
} }
} }
...@@ -500,23 +499,23 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -500,23 +499,23 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
ts.sec = cpu_to_be64(tv.tv_sec); ts.sec = cpu_to_be64(tv.tv_sec);
ts.usec = cpu_to_be64(tv.tv_usec); ts.usec = cpu_to_be64(tv.tv_usec);
NFA_PUT(skb, NFQA_TIMESTAMP, sizeof(ts), &ts); NLA_PUT(skb, NFQA_TIMESTAMP, sizeof(ts), &ts);
} }
if (data_len) { if (data_len) {
struct nfattr *nfa; struct nlattr *nla;
int size = NFA_LENGTH(data_len); int size = nla_attr_size(data_len);
if (skb_tailroom(skb) < (int)NFA_SPACE(data_len)) { if (skb_tailroom(skb) < nla_total_size(data_len)) {
printk(KERN_WARNING "nf_queue: no tailroom!\n"); printk(KERN_WARNING "nf_queue: no tailroom!\n");
goto nlmsg_failure; goto nlmsg_failure;
} }
nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size)); nla = (struct nlattr *)skb_put(skb, nla_total_size(data_len));
nfa->nfa_type = NFQA_PAYLOAD; nla->nla_type = NFQA_PAYLOAD;
nfa->nfa_len = size; nla->nla_len = size;
if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len)) if (skb_copy_bits(entskb, 0, nla_data(nla), data_len))
BUG(); BUG();
} }
...@@ -524,7 +523,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -524,7 +523,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
return skb; return skb;
nlmsg_failure: nlmsg_failure:
nfattr_failure: nla_put_failure:
if (skb) if (skb)
kfree_skb(skb); kfree_skb(skb);
*errp = -EINVAL; *errp = -EINVAL;
...@@ -778,15 +777,15 @@ static struct notifier_block nfqnl_rtnl_notifier = { ...@@ -778,15 +777,15 @@ static struct notifier_block nfqnl_rtnl_notifier = {
.notifier_call = nfqnl_rcv_nl_event, .notifier_call = nfqnl_rcv_nl_event,
}; };
static const int nfqa_verdict_min[NFQA_MAX] = { static const int nfqa_verdict_min[NFQA_MAX+1] = {
[NFQA_VERDICT_HDR-1] = sizeof(struct nfqnl_msg_verdict_hdr), [NFQA_VERDICT_HDR] = sizeof(struct nfqnl_msg_verdict_hdr),
[NFQA_MARK-1] = sizeof(u_int32_t), [NFQA_MARK] = sizeof(u_int32_t),
[NFQA_PAYLOAD-1] = 0, [NFQA_PAYLOAD] = 0,
}; };
static int static int
nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nfattr *nfqa[]) struct nlmsghdr *nlh, struct nlattr *nfqa[])
{ {
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
u_int16_t queue_num = ntohs(nfmsg->res_id); u_int16_t queue_num = ntohs(nfmsg->res_id);
...@@ -811,12 +810,12 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, ...@@ -811,12 +810,12 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
goto err_out_put; goto err_out_put;
} }
if (!nfqa[NFQA_VERDICT_HDR-1]) { if (!nfqa[NFQA_VERDICT_HDR]) {
err = -EINVAL; err = -EINVAL;
goto err_out_put; goto err_out_put;
} }
vhdr = NFA_DATA(nfqa[NFQA_VERDICT_HDR-1]); vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
verdict = ntohl(vhdr->verdict); verdict = ntohl(vhdr->verdict);
if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT) { if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT) {
...@@ -830,15 +829,15 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, ...@@ -830,15 +829,15 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
goto err_out_put; goto err_out_put;
} }
if (nfqa[NFQA_PAYLOAD-1]) { if (nfqa[NFQA_PAYLOAD]) {
if (nfqnl_mangle(NFA_DATA(nfqa[NFQA_PAYLOAD-1]), if (nfqnl_mangle(nla_data(nfqa[NFQA_PAYLOAD]),
NFA_PAYLOAD(nfqa[NFQA_PAYLOAD-1]), entry) < 0) nla_len(nfqa[NFQA_PAYLOAD]), entry) < 0)
verdict = NF_DROP; verdict = NF_DROP;
} }
if (nfqa[NFQA_MARK-1]) if (nfqa[NFQA_MARK])
entry->skb->mark = ntohl(*(__be32 *) entry->skb->mark = ntohl(*(__be32 *)
NFA_DATA(nfqa[NFQA_MARK-1])); nla_data(nfqa[NFQA_MARK]));
issue_verdict(entry, verdict); issue_verdict(entry, verdict);
instance_put(queue); instance_put(queue);
...@@ -851,14 +850,14 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, ...@@ -851,14 +850,14 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
static int static int
nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb, nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nfattr *nfqa[]) struct nlmsghdr *nlh, struct nlattr *nfqa[])
{ {
return -ENOTSUPP; return -ENOTSUPP;
} }
static const int nfqa_cfg_min[NFQA_CFG_MAX] = { static const int nfqa_cfg_min[NFQA_CFG_MAX+1] = {
[NFQA_CFG_CMD-1] = sizeof(struct nfqnl_msg_config_cmd), [NFQA_CFG_CMD] = sizeof(struct nfqnl_msg_config_cmd),
[NFQA_CFG_PARAMS-1] = sizeof(struct nfqnl_msg_config_params), [NFQA_CFG_PARAMS] = sizeof(struct nfqnl_msg_config_params),
}; };
static struct nf_queue_handler nfqh = { static struct nf_queue_handler nfqh = {
...@@ -868,7 +867,7 @@ static struct nf_queue_handler nfqh = { ...@@ -868,7 +867,7 @@ static struct nf_queue_handler nfqh = {
static int static int
nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nfattr *nfqa[]) struct nlmsghdr *nlh, struct nlattr *nfqa[])
{ {
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
u_int16_t queue_num = ntohs(nfmsg->res_id); u_int16_t queue_num = ntohs(nfmsg->res_id);
...@@ -883,9 +882,9 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -883,9 +882,9 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
} }
queue = instance_lookup_get(queue_num); queue = instance_lookup_get(queue_num);
if (nfqa[NFQA_CFG_CMD-1]) { if (nfqa[NFQA_CFG_CMD]) {
struct nfqnl_msg_config_cmd *cmd; struct nfqnl_msg_config_cmd *cmd;
cmd = NFA_DATA(nfqa[NFQA_CFG_CMD-1]); cmd = nla_data(nfqa[NFQA_CFG_CMD]);
QDEBUG("found CFG_CMD\n"); QDEBUG("found CFG_CMD\n");
switch (cmd->command) { switch (cmd->command) {
...@@ -936,21 +935,21 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -936,21 +935,21 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
} }
} }
if (nfqa[NFQA_CFG_PARAMS-1]) { if (nfqa[NFQA_CFG_PARAMS]) {
struct nfqnl_msg_config_params *params; struct nfqnl_msg_config_params *params;
if (!queue) { if (!queue) {
ret = -ENOENT; ret = -ENOENT;
goto out_put; goto out_put;
} }
params = NFA_DATA(nfqa[NFQA_CFG_PARAMS-1]); params = nla_data(nfqa[NFQA_CFG_PARAMS]);
nfqnl_set_mode(queue, params->copy_mode, nfqnl_set_mode(queue, params->copy_mode,
ntohl(params->copy_range)); ntohl(params->copy_range));
} }
if (nfqa[NFQA_CFG_QUEUE_MAXLEN-1]) { if (nfqa[NFQA_CFG_QUEUE_MAXLEN]) {
__be32 *queue_maxlen; __be32 *queue_maxlen;
queue_maxlen = NFA_DATA(nfqa[NFQA_CFG_QUEUE_MAXLEN-1]); queue_maxlen = nla_data(nfqa[NFQA_CFG_QUEUE_MAXLEN]);
spin_lock_bh(&queue->lock); spin_lock_bh(&queue->lock);
queue->queue_maxlen = ntohl(*queue_maxlen); queue->queue_maxlen = ntohl(*queue_maxlen);
spin_unlock_bh(&queue->lock); spin_unlock_bh(&queue->lock);
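Review bot: In nfqnl_build_packet_message the first term of the skb size estimate appears to change from `NLMSG_SPACE(sizeof(struct nfgenmsg))` to `NLMSG_ALIGN(sizeof(struct nfgenmsg))`, which no longer counts the netlink header, so the allocation is NLMSG_HDRLEN bytes smaller than the message that is then built. Because `NLA_PUT` and the `skb_tailroom` check are bounded, this should show up as a failed message build (the `nla_put_failure` / "no tailroom" path) rather than as an overflow; keeping `size = NLMSG_SPACE(sizeof(struct nfgenmsg))` avoids it. Separately, in nfqnl_recv_config the `NFQA_CFG_QUEUE_MAXLEN` branch takes `queue->lock` without the `if (!queue)` guard that the `NFQA_CFG_PARAMS` branch has, and `nfqa_cfg_min` has no entry for that attribute. Assuming that table is what validates attribute lengths, add `[NFQA_CFG_QUEUE_MAXLEN] = sizeof(u_int32_t),` and the same `-ENOENT` guard before dereferencing `queue`. Both functions continue outside the visible hunks.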
......