提交 f73e924c 编写于 作者: P Patrick McHardy 提交者: David S. Miller

[NETFILTER]: ctnetlink: use netlink policy

Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 5bf75853
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
#ifndef _NF_CONNTRACK_L3PROTO_H #ifndef _NF_CONNTRACK_L3PROTO_H
#define _NF_CONNTRACK_L3PROTO_H #define _NF_CONNTRACK_L3PROTO_H
#include <linux/netlink.h> #include <linux/netlink.h>
#include <net/netlink.h>
#include <linux/seq_file.h> #include <linux/seq_file.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
...@@ -68,6 +69,7 @@ struct nf_conntrack_l3proto ...@@ -68,6 +69,7 @@ struct nf_conntrack_l3proto
int (*nlattr_to_tuple)(struct nlattr *tb[], int (*nlattr_to_tuple)(struct nlattr *tb[],
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
const struct nla_policy *nla_policy;
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
struct ctl_table_header *ctl_table_header; struct ctl_table_header *ctl_table_header;
......
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
#ifndef _NF_CONNTRACK_L4PROTO_H #ifndef _NF_CONNTRACK_L4PROTO_H
#define _NF_CONNTRACK_L4PROTO_H #define _NF_CONNTRACK_L4PROTO_H
#include <linux/netlink.h> #include <linux/netlink.h>
#include <net/netlink.h>
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
struct seq_file; struct seq_file;
...@@ -75,6 +76,7 @@ struct nf_conntrack_l4proto ...@@ -75,6 +76,7 @@ struct nf_conntrack_l4proto
const struct nf_conntrack_tuple *t); const struct nf_conntrack_tuple *t);
int (*nlattr_to_tuple)(struct nlattr *tb[], int (*nlattr_to_tuple)(struct nlattr *tb[],
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
const struct nla_policy *nla_policy;
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
struct ctl_table_header **ctl_table_header; struct ctl_table_header **ctl_table_header;
...@@ -115,6 +117,7 @@ extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, ...@@ -115,6 +117,7 @@ extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple); const struct nf_conntrack_tuple *tuple);
extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
extern const struct nla_policy nf_ct_port_nla_policy[];
/* Log invalid packets */ /* Log invalid packets */
extern unsigned int nf_ct_log_invalid; extern unsigned int nf_ct_log_invalid;
......
...@@ -373,9 +373,9 @@ static int ipv4_tuple_to_nlattr(struct sk_buff *skb, ...@@ -373,9 +373,9 @@ static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
return -1; return -1;
} }
static const size_t cta_min_ip[CTA_IP_MAX+1] = { static const struct nla_policy ipv4_nla_policy[CTA_IP_MAX+1] = {
[CTA_IP_V4_SRC] = sizeof(u_int32_t), [CTA_IP_V4_SRC] = { .type = NLA_U32 },
[CTA_IP_V4_DST] = sizeof(u_int32_t), [CTA_IP_V4_DST] = { .type = NLA_U32 },
}; };
static int ipv4_nlattr_to_tuple(struct nlattr *tb[], static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
...@@ -384,9 +384,6 @@ static int ipv4_nlattr_to_tuple(struct nlattr *tb[], ...@@ -384,9 +384,6 @@ static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST]) if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
return -EINVAL; return -EINVAL;
if (nlattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
return -EINVAL;
t->src.u3.ip = *(__be32 *)nla_data(tb[CTA_IP_V4_SRC]); t->src.u3.ip = *(__be32 *)nla_data(tb[CTA_IP_V4_SRC]);
t->dst.u3.ip = *(__be32 *)nla_data(tb[CTA_IP_V4_DST]); t->dst.u3.ip = *(__be32 *)nla_data(tb[CTA_IP_V4_DST]);
...@@ -413,6 +410,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = { ...@@ -413,6 +410,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = ipv4_tuple_to_nlattr, .tuple_to_nlattr = ipv4_tuple_to_nlattr,
.nlattr_to_tuple = ipv4_nlattr_to_tuple, .nlattr_to_tuple = ipv4_nlattr_to_tuple,
.nla_policy = ipv4_nla_policy,
#endif #endif
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
.ctl_table_path = nf_net_ipv4_netfilter_sysctl_path, .ctl_table_path = nf_net_ipv4_netfilter_sysctl_path,
......
...@@ -248,10 +248,10 @@ static int icmp_tuple_to_nlattr(struct sk_buff *skb, ...@@ -248,10 +248,10 @@ static int icmp_tuple_to_nlattr(struct sk_buff *skb,
return -1; return -1;
} }
static const size_t cta_min_proto[CTA_PROTO_MAX+1] = { static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
[CTA_PROTO_ICMP_TYPE] = sizeof(u_int8_t), [CTA_PROTO_ICMP_TYPE] = { .type = NLA_U8 },
[CTA_PROTO_ICMP_CODE] = sizeof(u_int8_t), [CTA_PROTO_ICMP_CODE] = { .type = NLA_U8 },
[CTA_PROTO_ICMP_ID] = sizeof(u_int16_t) [CTA_PROTO_ICMP_ID] = { .type = NLA_U16 },
}; };
static int icmp_nlattr_to_tuple(struct nlattr *tb[], static int icmp_nlattr_to_tuple(struct nlattr *tb[],
...@@ -262,9 +262,6 @@ static int icmp_nlattr_to_tuple(struct nlattr *tb[], ...@@ -262,9 +262,6 @@ static int icmp_nlattr_to_tuple(struct nlattr *tb[],
|| !tb[CTA_PROTO_ICMP_ID]) || !tb[CTA_PROTO_ICMP_ID])
return -EINVAL; return -EINVAL;
if (nlattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
return -EINVAL;
tuple->dst.u.icmp.type = tuple->dst.u.icmp.type =
*(u_int8_t *)nla_data(tb[CTA_PROTO_ICMP_TYPE]); *(u_int8_t *)nla_data(tb[CTA_PROTO_ICMP_TYPE]);
tuple->dst.u.icmp.code = tuple->dst.u.icmp.code =
...@@ -329,6 +326,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly = ...@@ -329,6 +326,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = icmp_tuple_to_nlattr, .tuple_to_nlattr = icmp_tuple_to_nlattr,
.nlattr_to_tuple = icmp_nlattr_to_tuple, .nlattr_to_tuple = icmp_nlattr_to_tuple,
.nla_policy = icmp_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_header = &icmp_sysctl_header, .ctl_table_header = &icmp_sysctl_header,
......
...@@ -350,9 +350,9 @@ static int ipv6_tuple_to_nlattr(struct sk_buff *skb, ...@@ -350,9 +350,9 @@ static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
return -1; return -1;
} }
static const size_t cta_min_ip[CTA_IP_MAX+1] = { static const struct nla_policy ipv6_nla_policy[CTA_IP_MAX+1] = {
[CTA_IP_V6_SRC] = sizeof(u_int32_t)*4, [CTA_IP_V6_SRC] = { .len = sizeof(u_int32_t)*4 },
[CTA_IP_V6_DST] = sizeof(u_int32_t)*4, [CTA_IP_V6_DST] = { .len = sizeof(u_int32_t)*4 },
}; };
static int ipv6_nlattr_to_tuple(struct nlattr *tb[], static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
...@@ -361,9 +361,6 @@ static int ipv6_nlattr_to_tuple(struct nlattr *tb[], ...@@ -361,9 +361,6 @@ static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST]) if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])
return -EINVAL; return -EINVAL;
if (nlattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
return -EINVAL;
memcpy(&t->src.u3.ip6, nla_data(tb[CTA_IP_V6_SRC]), memcpy(&t->src.u3.ip6, nla_data(tb[CTA_IP_V6_SRC]),
sizeof(u_int32_t) * 4); sizeof(u_int32_t) * 4);
memcpy(&t->dst.u3.ip6, nla_data(tb[CTA_IP_V6_DST]), memcpy(&t->dst.u3.ip6, nla_data(tb[CTA_IP_V6_DST]),
...@@ -384,6 +381,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = { ...@@ -384,6 +381,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = ipv6_tuple_to_nlattr, .tuple_to_nlattr = ipv6_tuple_to_nlattr,
.nlattr_to_tuple = ipv6_nlattr_to_tuple, .nlattr_to_tuple = ipv6_nlattr_to_tuple,
.nla_policy = ipv6_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_path = nf_net_netfilter_sysctl_path, .ctl_table_path = nf_net_netfilter_sysctl_path,
......
...@@ -226,10 +226,10 @@ static int icmpv6_tuple_to_nlattr(struct sk_buff *skb, ...@@ -226,10 +226,10 @@ static int icmpv6_tuple_to_nlattr(struct sk_buff *skb,
return -1; return -1;
} }
static const size_t cta_min_proto[CTA_PROTO_MAX+1] = { static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
[CTA_PROTO_ICMPV6_TYPE] = sizeof(u_int8_t), [CTA_PROTO_ICMPV6_TYPE] = { .type = NLA_U8 },
[CTA_PROTO_ICMPV6_CODE] = sizeof(u_int8_t), [CTA_PROTO_ICMPV6_CODE] = { .type = NLA_U8 },
[CTA_PROTO_ICMPV6_ID] = sizeof(u_int16_t) [CTA_PROTO_ICMPV6_ID] = { .type = NLA_U16 },
}; };
static int icmpv6_nlattr_to_tuple(struct nlattr *tb[], static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
...@@ -240,9 +240,6 @@ static int icmpv6_nlattr_to_tuple(struct nlattr *tb[], ...@@ -240,9 +240,6 @@ static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
|| !tb[CTA_PROTO_ICMPV6_ID]) || !tb[CTA_PROTO_ICMPV6_ID])
return -EINVAL; return -EINVAL;
if (nlattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
return -EINVAL;
tuple->dst.u.icmp.type = tuple->dst.u.icmp.type =
*(u_int8_t *)nla_data(tb[CTA_PROTO_ICMPV6_TYPE]); *(u_int8_t *)nla_data(tb[CTA_PROTO_ICMPV6_TYPE]);
tuple->dst.u.icmp.code = tuple->dst.u.icmp.code =
...@@ -291,6 +288,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly = ...@@ -291,6 +288,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = icmpv6_tuple_to_nlattr, .tuple_to_nlattr = icmpv6_tuple_to_nlattr,
.nlattr_to_tuple = icmpv6_nlattr_to_tuple, .nlattr_to_tuple = icmpv6_nlattr_to_tuple,
.nla_policy = icmpv6_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_header = &icmpv6_sysctl_header, .ctl_table_header = &icmpv6_sysctl_header,
......
...@@ -844,10 +844,11 @@ int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, ...@@ -844,10 +844,11 @@ int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
} }
EXPORT_SYMBOL_GPL(nf_ct_port_tuple_to_nlattr); EXPORT_SYMBOL_GPL(nf_ct_port_tuple_to_nlattr);
static const size_t cta_min_proto[CTA_PROTO_MAX+1] = { const struct nla_policy nf_ct_port_nla_policy[CTA_PROTO_MAX+1] = {
[CTA_PROTO_SRC_PORT] = sizeof(u_int16_t), [CTA_PROTO_SRC_PORT] = { .type = NLA_U16 },
[CTA_PROTO_DST_PORT] = sizeof(u_int16_t) [CTA_PROTO_DST_PORT] = { .type = NLA_U16 },
}; };
EXPORT_SYMBOL_GPL(nf_ct_port_nla_policy);
int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *t) struct nf_conntrack_tuple *t)
...@@ -855,9 +856,6 @@ int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], ...@@ -855,9 +856,6 @@ int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
if (!tb[CTA_PROTO_SRC_PORT] || !tb[CTA_PROTO_DST_PORT]) if (!tb[CTA_PROTO_SRC_PORT] || !tb[CTA_PROTO_DST_PORT])
return -EINVAL; return -EINVAL;
if (nlattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
return -EINVAL;
t->src.u.tcp.port = *(__be16 *)nla_data(tb[CTA_PROTO_SRC_PORT]); t->src.u.tcp.port = *(__be16 *)nla_data(tb[CTA_PROTO_SRC_PORT]);
t->dst.u.tcp.port = *(__be16 *)nla_data(tb[CTA_PROTO_DST_PORT]); t->dst.u.tcp.port = *(__be16 *)nla_data(tb[CTA_PROTO_DST_PORT]);
......
...@@ -512,16 +512,20 @@ ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple) ...@@ -512,16 +512,20 @@ ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
l3proto = nf_ct_l3proto_find_get(tuple->src.l3num); l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
if (likely(l3proto->nlattr_to_tuple)) if (likely(l3proto->nlattr_to_tuple)) {
ret = nla_validate_nested(attr, CTA_IP_MAX,
l3proto->nla_policy);
if (ret == 0)
ret = l3proto->nlattr_to_tuple(tb, tuple); ret = l3proto->nlattr_to_tuple(tb, tuple);
}
nf_ct_l3proto_put(l3proto); nf_ct_l3proto_put(l3proto);
return ret; return ret;
} }
static const size_t cta_min_proto[CTA_PROTO_MAX+1] = { static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
[CTA_PROTO_NUM] = sizeof(u_int8_t), [CTA_PROTO_NUM] = { .type = NLA_U8 },
}; };
static inline int static inline int
...@@ -532,10 +536,9 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr, ...@@ -532,10 +536,9 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr,
struct nf_conntrack_l4proto *l4proto; struct nf_conntrack_l4proto *l4proto;
int ret = 0; int ret = 0;
nla_parse_nested(tb, CTA_PROTO_MAX, attr, NULL); ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
if (ret < 0)
if (nlattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto)) return ret;
return -EINVAL;
if (!tb[CTA_PROTO_NUM]) if (!tb[CTA_PROTO_NUM])
return -EINVAL; return -EINVAL;
...@@ -543,8 +546,12 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr, ...@@ -543,8 +546,12 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr,
l4proto = nf_ct_l4proto_find_get(tuple->src.l3num, tuple->dst.protonum); l4proto = nf_ct_l4proto_find_get(tuple->src.l3num, tuple->dst.protonum);
if (likely(l4proto->nlattr_to_tuple)) if (likely(l4proto->nlattr_to_tuple)) {
ret = nla_validate_nested(attr, CTA_PROTO_MAX,
l4proto->nla_policy);
if (ret == 0)
ret = l4proto->nlattr_to_tuple(tb, tuple); ret = l4proto->nlattr_to_tuple(tb, tuple);
}
nf_ct_l4proto_put(l4proto); nf_ct_l4proto_put(l4proto);
...@@ -588,9 +595,9 @@ ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple, ...@@ -588,9 +595,9 @@ ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
} }
#ifdef CONFIG_NF_NAT_NEEDED #ifdef CONFIG_NF_NAT_NEEDED
static const size_t cta_min_protonat[CTA_PROTONAT_MAX+1] = { static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
[CTA_PROTONAT_PORT_MIN] = sizeof(u_int16_t), [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
[CTA_PROTONAT_PORT_MAX] = sizeof(u_int16_t), [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
}; };
static int nfnetlink_parse_nat_proto(struct nlattr *attr, static int nfnetlink_parse_nat_proto(struct nlattr *attr,
...@@ -599,11 +606,11 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr, ...@@ -599,11 +606,11 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr,
{ {
struct nlattr *tb[CTA_PROTONAT_MAX+1]; struct nlattr *tb[CTA_PROTONAT_MAX+1];
struct nf_nat_protocol *npt; struct nf_nat_protocol *npt;
int err;
nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, NULL); err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy);
if (err < 0)
if (nlattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat)) return err;
return -EINVAL;
npt = nf_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum); npt = nf_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
...@@ -621,9 +628,9 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr, ...@@ -621,9 +628,9 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr,
return 0; return 0;
} }
static const size_t cta_min_nat[CTA_NAT_MAX+1] = { static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
[CTA_NAT_MINIP] = sizeof(u_int32_t), [CTA_NAT_MINIP] = { .type = NLA_U32 },
[CTA_NAT_MAXIP] = sizeof(u_int32_t), [CTA_NAT_MAXIP] = { .type = NLA_U32 },
}; };
static inline int static inline int
...@@ -635,10 +642,9 @@ nfnetlink_parse_nat(struct nlattr *nat, ...@@ -635,10 +642,9 @@ nfnetlink_parse_nat(struct nlattr *nat,
memset(range, 0, sizeof(*range)); memset(range, 0, sizeof(*range));
nla_parse_nested(tb, CTA_NAT_MAX, nat, NULL); err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy);
if (err < 0)
if (nlattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat)) return err;
return -EINVAL;
if (tb[CTA_NAT_MINIP]) if (tb[CTA_NAT_MINIP])
range->min_ip = *(__be32 *)nla_data(tb[CTA_NAT_MINIP]); range->min_ip = *(__be32 *)nla_data(tb[CTA_NAT_MINIP]);
...@@ -677,12 +683,12 @@ ctnetlink_parse_help(struct nlattr *attr, char **helper_name) ...@@ -677,12 +683,12 @@ ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
return 0; return 0;
} }
static const size_t cta_min[CTA_MAX+1] = { static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
[CTA_STATUS] = sizeof(u_int32_t), [CTA_STATUS] = { .type = NLA_U32 },
[CTA_TIMEOUT] = sizeof(u_int32_t), [CTA_TIMEOUT] = { .type = NLA_U32 },
[CTA_MARK] = sizeof(u_int32_t), [CTA_MARK] = { .type = NLA_U32 },
[CTA_USE] = sizeof(u_int32_t), [CTA_USE] = { .type = NLA_U32 },
[CTA_ID] = sizeof(u_int32_t) [CTA_ID] = { .type = NLA_U32 },
}; };
static int static int
...@@ -696,9 +702,6 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, ...@@ -696,9 +702,6 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
u_int8_t u3 = nfmsg->nfgen_family; u_int8_t u3 = nfmsg->nfgen_family;
int err = 0; int err = 0;
if (nlattr_bad_size(cda, CTA_MAX, cta_min))
return -EINVAL;
if (cda[CTA_TUPLE_ORIG]) if (cda[CTA_TUPLE_ORIG])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
else if (cda[CTA_TUPLE_REPLY]) else if (cda[CTA_TUPLE_REPLY])
...@@ -754,9 +757,6 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, ...@@ -754,9 +757,6 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
ctnetlink_done); ctnetlink_done);
} }
if (nlattr_bad_size(cda, CTA_MAX, cta_min))
return -EINVAL;
if (cda[CTA_TUPLE_ORIG]) if (cda[CTA_TUPLE_ORIG])
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
else if (cda[CTA_TUPLE_REPLY]) else if (cda[CTA_TUPLE_REPLY])
...@@ -1045,9 +1045,6 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, ...@@ -1045,9 +1045,6 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
u_int8_t u3 = nfmsg->nfgen_family; u_int8_t u3 = nfmsg->nfgen_family;
int err = 0; int err = 0;
if (nlattr_bad_size(cda, CTA_MAX, cta_min))
return -EINVAL;
if (cda[CTA_TUPLE_ORIG]) { if (cda[CTA_TUPLE_ORIG]) {
err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3); err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
if (err < 0) if (err < 0)
...@@ -1313,9 +1310,9 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -1313,9 +1310,9 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
return skb->len; return skb->len;
} }
static const size_t cta_min_exp[CTA_EXPECT_MAX+1] = { static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
[CTA_EXPECT_TIMEOUT] = sizeof(u_int32_t), [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
[CTA_EXPECT_ID] = sizeof(u_int32_t) [CTA_EXPECT_ID] = { .type = NLA_U32 },
}; };
static int static int
...@@ -1329,9 +1326,6 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, ...@@ -1329,9 +1326,6 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
u_int8_t u3 = nfmsg->nfgen_family; u_int8_t u3 = nfmsg->nfgen_family;
int err = 0; int err = 0;
if (nlattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
return -EINVAL;
if (nlh->nlmsg_flags & NLM_F_DUMP) { if (nlh->nlmsg_flags & NLM_F_DUMP) {
return netlink_dump_start(ctnl, skb, nlh, return netlink_dump_start(ctnl, skb, nlh,
ctnetlink_exp_dump_table, ctnetlink_exp_dump_table,
...@@ -1393,9 +1387,6 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, ...@@ -1393,9 +1387,6 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
unsigned int i; unsigned int i;
int err; int err;
if (nlattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
return -EINVAL;
if (cda[CTA_EXPECT_TUPLE]) { if (cda[CTA_EXPECT_TUPLE]) {
/* delete a single expect by tuple */ /* delete a single expect by tuple */
err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
...@@ -1534,9 +1525,6 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, ...@@ -1534,9 +1525,6 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
u_int8_t u3 = nfmsg->nfgen_family; u_int8_t u3 = nfmsg->nfgen_family;
int err = 0; int err = 0;
if (nlattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
return -EINVAL;
if (!cda[CTA_EXPECT_TUPLE] if (!cda[CTA_EXPECT_TUPLE]
|| !cda[CTA_EXPECT_MASK] || !cda[CTA_EXPECT_MASK]
|| !cda[CTA_EXPECT_MASTER]) || !cda[CTA_EXPECT_MASTER])
...@@ -1577,22 +1565,29 @@ static struct notifier_block ctnl_notifier_exp = { ...@@ -1577,22 +1565,29 @@ static struct notifier_block ctnl_notifier_exp = {
static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
[IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
.attr_count = CTA_MAX, }, .attr_count = CTA_MAX,
.policy = ct_nla_policy },
[IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
.attr_count = CTA_MAX, }, .attr_count = CTA_MAX,
.policy = ct_nla_policy },
[IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
.attr_count = CTA_MAX, }, .attr_count = CTA_MAX,
.policy = ct_nla_policy },
[IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
.attr_count = CTA_MAX, }, .attr_count = CTA_MAX,
.policy = ct_nla_policy },
}; };
static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
[IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
.attr_count = CTA_EXPECT_MAX, }, .attr_count = CTA_EXPECT_MAX,
.policy = exp_nla_policy },
[IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
.attr_count = CTA_EXPECT_MAX, }, .attr_count = CTA_EXPECT_MAX,
.policy = exp_nla_policy },
[IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
.attr_count = CTA_EXPECT_MAX, }, .attr_count = CTA_EXPECT_MAX,
.policy = exp_nla_policy },
}; };
static const struct nfnetlink_subsystem ctnl_subsys = { static const struct nfnetlink_subsystem ctnl_subsys = {
......
...@@ -276,6 +276,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = { ...@@ -276,6 +276,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
}; };
......
...@@ -1105,28 +1105,28 @@ static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, ...@@ -1105,28 +1105,28 @@ static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
return -1; return -1;
} }
static const size_t cta_min_tcp[CTA_PROTOINFO_TCP_MAX+1] = { static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
[CTA_PROTOINFO_TCP_STATE] = sizeof(u_int8_t), [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = sizeof(u_int8_t), [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
[CTA_PROTOINFO_TCP_WSCALE_REPLY] = sizeof(u_int8_t), [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = sizeof(struct nf_ct_tcp_flags), [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
[CTA_PROTOINFO_TCP_FLAGS_REPLY] = sizeof(struct nf_ct_tcp_flags) [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
}; };
static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct) static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
{ {
struct nlattr *attr = cda[CTA_PROTOINFO_TCP]; struct nlattr *attr = cda[CTA_PROTOINFO_TCP];
struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1]; struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
int err;
/* updates could not contain anything about the private /* updates could not contain anything about the private
* protocol info, in that case skip the parsing */ * protocol info, in that case skip the parsing */
if (!attr) if (!attr)
return 0; return 0;
nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr, NULL); err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr, tcp_nla_policy);
if (err < 0)
if (nlattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp)) return err;
return -EINVAL;
if (!tb[CTA_PROTOINFO_TCP_STATE]) if (!tb[CTA_PROTOINFO_TCP_STATE])
return -EINVAL; return -EINVAL;
...@@ -1391,6 +1391,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly = ...@@ -1391,6 +1391,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
.from_nlattr = nlattr_to_tcp, .from_nlattr = nlattr_to_tcp,
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_users = &tcp_sysctl_table_users, .ctl_table_users = &tcp_sysctl_table_users,
...@@ -1420,6 +1421,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly = ...@@ -1420,6 +1421,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
.from_nlattr = nlattr_to_tcp, .from_nlattr = nlattr_to_tcp,
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_users = &tcp_sysctl_table_users, .ctl_table_users = &tcp_sysctl_table_users,
......
...@@ -205,6 +205,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly = ...@@ -205,6 +205,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_users = &udp_sysctl_table_users, .ctl_table_users = &udp_sysctl_table_users,
...@@ -232,6 +233,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly = ...@@ -232,6 +233,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_users = &udp_sysctl_table_users, .ctl_table_users = &udp_sysctl_table_users,
......
...@@ -205,6 +205,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly = ...@@ -205,6 +205,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_users = &udplite_sysctl_table_users, .ctl_table_users = &udplite_sysctl_table_users,
...@@ -228,6 +229,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly = ...@@ -228,6 +229,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
.nla_policy = nf_ct_port_nla_policy,
#endif #endif
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
.ctl_table_users = &udplite_sysctl_table_users, .ctl_table_users = &udplite_sysctl_table_users,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册