netfilter: ctnetlink: group errors into logical errno sets
This patch groups ctnetlink errors into three logical sets: * Malformed messages: if ctnetlink receives a message without some mandatory attribute, then it returns EINVAL. * Unsupported operations: if userspace tries to perform an unsupported operation, then it returns EOPNOTSUPP. * Unchangeable: if userspace tries to change some attribute of the conntrack object that can only be set once, then it returns EBUSY. This patch reduces the number of -EINVAL from 23 to 14 and it results in 5 -EBUSY and 6 -EOPNOTSUPP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Родитель
93f6515872
Коммит
0adf9d6748
|
@ -4,7 +4,7 @@
|
||||||
* (C) 2001 by Jay Schulist <jschlst@samba.org>
|
* (C) 2001 by Jay Schulist <jschlst@samba.org>
|
||||||
* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
|
* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
|
||||||
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
|
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
|
||||||
* (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
|
* (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
*
|
*
|
||||||
* Initial connection tracking via netlink development funded and
|
* Initial connection tracking via netlink development funded and
|
||||||
* generally made possible by Network Robots, Inc. (www.networkrobots.com)
|
* generally made possible by Network Robots, Inc. (www.networkrobots.com)
|
||||||
|
@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
|
||||||
|
|
||||||
if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
|
if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
|
||||||
/* unchangeable */
|
/* unchangeable */
|
||||||
return -EINVAL;
|
return -EBUSY;
|
||||||
|
|
||||||
if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
|
if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
|
||||||
/* SEEN_REPLY bit can only be set */
|
/* SEEN_REPLY bit can only be set */
|
||||||
return -EINVAL;
|
return -EBUSY;
|
||||||
|
|
||||||
|
|
||||||
if (d & IPS_ASSURED && !(status & IPS_ASSURED))
|
if (d & IPS_ASSURED && !(status & IPS_ASSURED))
|
||||||
/* ASSURED bit can only be set */
|
/* ASSURED bit can only be set */
|
||||||
return -EINVAL;
|
return -EBUSY;
|
||||||
|
|
||||||
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
|
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
|
||||||
#ifndef CONFIG_NF_NAT_NEEDED
|
#ifndef CONFIG_NF_NAT_NEEDED
|
||||||
return -EINVAL;
|
return -EOPNOTSUPP;
|
||||||
#else
|
#else
|
||||||
struct nf_nat_range range;
|
struct nf_nat_range range;
|
||||||
|
|
||||||
|
@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
|
||||||
|
|
||||||
/* don't change helper of sibling connections */
|
/* don't change helper of sibling connections */
|
||||||
if (ct->master)
|
if (ct->master)
|
||||||
return -EINVAL;
|
return -EBUSY;
|
||||||
|
|
||||||
err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
|
err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
|
@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
|
||||||
|
|
||||||
helper = __nf_conntrack_helper_find_byname(helpname);
|
helper = __nf_conntrack_helper_find_byname(helpname);
|
||||||
if (helper == NULL)
|
if (helper == NULL)
|
||||||
return -EINVAL;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
if (help) {
|
if (help) {
|
||||||
if (help->helper == helper)
|
if (help->helper == helper)
|
||||||
|
@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||||
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
|
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
|
||||||
/* we only allow nat config for new conntracks */
|
/* we only allow nat config for new conntracks */
|
||||||
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
|
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
|
||||||
err = -EINVAL;
|
err = -EOPNOTSUPP;
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
/* can't link an existing conntrack to a master */
|
/* can't link an existing conntrack to a master */
|
||||||
if (cda[CTA_TUPLE_MASTER]) {
|
if (cda[CTA_TUPLE_MASTER]) {
|
||||||
err = -EINVAL;
|
err = -EOPNOTSUPP;
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
|
err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
|
||||||
|
@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
|
||||||
h = __nf_conntrack_helper_find_byname(name);
|
h = __nf_conntrack_helper_find_byname(name);
|
||||||
if (!h) {
|
if (!h) {
|
||||||
spin_unlock_bh(&nf_conntrack_lock);
|
spin_unlock_bh(&nf_conntrack_lock);
|
||||||
return -EINVAL;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
for (i = 0; i < nf_ct_expect_hsize; i++) {
|
for (i = 0; i < nf_ct_expect_hsize; i++) {
|
||||||
hlist_for_each_entry_safe(exp, n, next,
|
hlist_for_each_entry_safe(exp, n, next,
|
||||||
|
|
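Review bot: In the ctnetlink_new_conntrack hunk the two rejections on an existing conntrack (CTA_NAT_SRC/CTA_NAT_DST, and CTA_TUPLE_MASTER) now return -EOPNOTSUPP, but the comment right above them, "we only allow nat config for new conntracks", describes a property that can only be set once, which is the "unchangeable" class the description assigns to -EBUSY. The same file already draws that line in ctnetlink_change_status, where the once-settable status bits return -EBUSY and -EOPNOTSUPP is reserved for the !CONFIG_NF_NAT_NEEDED build. If the intent is that NAT and master binding are supported but fixed at creation, `err = -EBUSY;` on both paths would match the taxonomy and let userspace tell "retry later / recreate" apart from "this kernel cannot do it"; if -EOPNOTSUPP is deliberate, a one-line comment stating why would stop the next reader from "fixing" it, and the 5/6 counts in the description would need adjusting either way. Both enclosing functions start and end outside the hunks shown.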