提交 0adf9d67 编写于 作者: P Pablo Neira Ayuso 提交者: David S. Miller

netfilter: ctnetlink: group errors into logical errno sets

This patch groups ctnetlink errors into three logical sets:

* Malformed messages: if ctnetlink receives a message without some mandatory
attribute, then it returns EINVAL.
* Unsupported operations: if userspace tries to perform an unsupported
operation, then it returns EOPNOTSUPP.
* Unchangeable: if userspace tries to change some attribute of the
conntrack object that can only be set once, then it returns EBUSY.

This patch reduces the number of -EINVAL returns from 23 to 14, resulting in
5 -EBUSY and 6 -EOPNOTSUPP.
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 93f65158
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
* (C) 2001 by Jay Schulist <jschlst@samba.org> * (C) 2001 by Jay Schulist <jschlst@samba.org>
* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net> * (C) 2003 by Patrick Mchardy <kaber@trash.net>
* (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org> * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
* *
* Initial connection tracking via netlink development funded and * Initial connection tracking via netlink development funded and
* generally made possible by Network Robots, Inc. (www.networkrobots.com) * generally made possible by Network Robots, Inc. (www.networkrobots.com)
...@@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[]) ...@@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
/* unchangeable */ /* unchangeable */
return -EINVAL; return -EBUSY;
if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
/* SEEN_REPLY bit can only be set */ /* SEEN_REPLY bit can only be set */
return -EINVAL; return -EBUSY;
if (d & IPS_ASSURED && !(status & IPS_ASSURED)) if (d & IPS_ASSURED && !(status & IPS_ASSURED))
/* ASSURED bit can only be set */ /* ASSURED bit can only be set */
return -EINVAL; return -EBUSY;
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
#ifndef CONFIG_NF_NAT_NEEDED #ifndef CONFIG_NF_NAT_NEEDED
return -EINVAL; return -EOPNOTSUPP;
#else #else
struct nf_nat_range range; struct nf_nat_range range;
...@@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[]) ...@@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
/* don't change helper of sibling connections */ /* don't change helper of sibling connections */
if (ct->master) if (ct->master)
return -EINVAL; return -EBUSY;
err = ctnetlink_parse_help(cda[CTA_HELP], &helpname); err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
if (err < 0) if (err < 0)
...@@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[]) ...@@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
helper = __nf_conntrack_helper_find_byname(helpname); helper = __nf_conntrack_helper_find_byname(helpname);
if (helper == NULL) if (helper == NULL)
return -EINVAL; return -EOPNOTSUPP;
if (help) { if (help) {
if (help->helper == helper) if (help->helper == helper)
...@@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, ...@@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
/* we only allow nat config for new conntracks */ /* we only allow nat config for new conntracks */
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
err = -EINVAL; err = -EOPNOTSUPP;
goto out_unlock; goto out_unlock;
} }
/* can't link an existing conntrack to a master */ /* can't link an existing conntrack to a master */
if (cda[CTA_TUPLE_MASTER]) { if (cda[CTA_TUPLE_MASTER]) {
err = -EINVAL; err = -EOPNOTSUPP;
goto out_unlock; goto out_unlock;
} }
err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
...@@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, ...@@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
h = __nf_conntrack_helper_find_byname(name); h = __nf_conntrack_helper_find_byname(name);
if (!h) { if (!h) {
spin_unlock_bh(&nf_conntrack_lock); spin_unlock_bh(&nf_conntrack_lock);
return -EINVAL; return -EOPNOTSUPP;
} }
for (i = 0; i < nf_ct_expect_hsize; i++) { for (i = 0; i < nf_ct_expect_hsize; i++) {
hlist_for_each_entry_safe(exp, n, next, hlist_for_each_entry_safe(exp, n, next,
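Review bot: The two new `err = -EOPNOTSUPP;` assignments in the ctnetlink_new_conntrack hunk (the CTA_NAT_SRC/CTA_NAT_DST check and the CTA_TUPLE_MASTER check on an already existing conntrack) do not follow the commit's own taxonomy: both reject setting something that can only be set when the conntrack is created, which the description classes as "unchangeable" and which ctnetlink_change_status now reports as -EBUSY for IPS_EXPECTED/IPS_CONFIRMED/IPS_DYING. Using `err = -EBUSY;` at both sites would also keep EOPNOTSUPP meaning "not available in this build", as in the `#ifndef CONFIG_NF_NAT_NEEDED` path of ctnetlink_change_status, so userspace can distinguish the two cases. If EOPNOTSUPP is intended here, a one-line comment above each check (or a sentence in the description) stating why a set-once attribute on an existing entry counts as an unsupported operation would make the split reproducible for the remaining call sites. All of these errno values are userspace-visible, so the change should presumably be noted for callers that currently test for EINVAL. The enclosing ctnetlink_new_conntrack body starts and ends outside the hunk.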