Commit b20ab9cc63ca4605aec154cf54faa8455749f3f6

Authored by Pablo Neira Ayuso
1 parent 38124328fb

netfilter: nf_ct_helper: better logging for dropped packets

Connection tracking helpers have to drop packets under exceptional
situations. Currently, the user gets the following logging message
in case that happens:

	nf_ct_%s: dropping packet ...

However, depending on the helper, there are different reasons why a
packet can be dropped.

This patch modifies the existing code to provide a more specific error
message, scoped to each helper, so that users can debug why a packet
has been dropped, i.e.:

	nf_ct_%s: dropping packet: reason ...

Thanks to Joe Perches for many formatting suggestions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Showing 16 changed files with 164 additions and 65 deletions Side-by-side Diff

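--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -100,6 +100,10 @@
 void (*expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp);
 };
 
+__printf(3,4)
+void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
+const char *fmt, ...);
+
 void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n);
 void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n);
 struct nf_ct_helper_expectfn *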
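--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -100,7 +100,6 @@
 enum ip_conntrack_info ctinfo;
 const struct nf_conn_help *help;
 const struct nf_conntrack_helper *helper;
-unsigned int ret;
 
 /* This is where we call the helper: as the packet goes out. */
 ct = nf_ct_get(skb, &ctinfo);
@@ -116,13 +115,8 @@
 if (!helper)
 return NF_ACCEPT;
 
-ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
-ct, ctinfo);
-if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
-nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
-"nf_ct_%s: dropping packet", helper->name);
-}
-return ret;
+return helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
+ct, ctinfo);
 }
 
 static unsigned int ipv4_confirm(unsigned int hooknum,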
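Review bot: With the generic drop log removed from ipv4_helper, a helper verdict other than NF_ACCEPT is reported only if the helper itself calls nf_ct_helper_log, so any helper not converted in this commit now drops silently; the file list covers amanda, ftp, h323, irc, sane, sip and tftp plus their NAT modules, but not, for instance, the PPTP or broadcast/netbios-ns helpers, whose own NF_DROP paths (if any) should be checked before this safety net goes. The removed message also carried hooknum, in and out from this hook, which the per-helper call cannot reconstruct from ct alone, so the log line loses the hook and interface context. If a fallback is wanted without double logging, keeping the old check here only for helpers that do not report their own reasons would be one option. ipv4_helper's opening lines are outside the first hunk.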
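--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -104,7 +104,6 @@
 const struct nf_conn_help *help;
 const struct nf_conntrack_helper *helper;
 enum ip_conntrack_info ctinfo;
-unsigned int ret;
 __be16 frag_off;
 int protoff;
 u8 nexthdr;
@@ -130,12 +129,7 @@
 return NF_ACCEPT;
 }
 
-ret = helper->help(skb, protoff, ct, ctinfo);
-if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
-nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
-"nf_ct_%s: dropping packet", helper->name);
-}
-return ret;
+return helper->help(skb, protoff, ct, ctinfo);
 }
 
 static unsigned int ipv6_confirm(unsigned int hooknum,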
net/netfilter/nf_conntrack_amanda.c
... ... @@ -145,6 +145,7 @@
145 145  
146 146 exp = nf_ct_expect_alloc(ct);
147 147 if (exp == NULL) {
  148 + nf_ct_helper_log(skb, ct, "cannot alloc expectation");
148 149 ret = NF_DROP;
149 150 goto out;
150 151 }
151 152  
... ... @@ -158,8 +159,10 @@
158 159 if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
159 160 ret = nf_nat_amanda(skb, ctinfo, protoff,
160 161 off - dataoff, len, exp);
161   - else if (nf_ct_expect_related(exp) != 0)
  162 + else if (nf_ct_expect_related(exp) != 0) {
  163 + nf_ct_helper_log(skb, ct, "cannot add expectation");
162 164 ret = NF_DROP;
  165 + }
163 166 nf_ct_expect_put(exp);
164 167 }
165 168  
net/netfilter/nf_conntrack_ftp.c
... ... @@ -435,8 +435,8 @@
435 435 connection tracking, not packet filtering.
436 436 However, it is necessary for accurate tracking in
437 437 this case. */
438   - pr_debug("conntrack_ftp: partial %s %u+%u\n",
439   - search[dir][i].pattern, ntohl(th->seq), datalen);
  438 + nf_ct_helper_log(skb, ct, "partial matching of `%s'",
  439 + search[dir][i].pattern);
440 440 ret = NF_DROP;
441 441 goto out;
442 442 } else if (found == 0) { /* No match */
... ... @@ -450,6 +450,7 @@
450 450  
451 451 exp = nf_ct_expect_alloc(ct);
452 452 if (exp == NULL) {
  453 + nf_ct_helper_log(skb, ct, "cannot alloc expectation");
453 454 ret = NF_DROP;
454 455 goto out;
455 456 }
456 457  
... ... @@ -500,9 +501,10 @@
500 501 protoff, matchoff, matchlen, exp);
501 502 else {
502 503 /* Can't expect this? Best to drop packet now. */
503   - if (nf_ct_expect_related(exp) != 0)
  504 + if (nf_ct_expect_related(exp) != 0) {
  505 + nf_ct_helper_log(skb, ct, "cannot add expectation");
504 506 ret = NF_DROP;
505   - else
  507 + } else
506 508 ret = NF_ACCEPT;
507 509 }
508 510  
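Review bot: The partial-match drop at the top of the section was a pr_debug that carried `ntohl(th->seq)` and `datalen`; the replacement nf_ct_helper_log keeps only the pattern, so the sequence number and segment length that let a user distinguish a command split across segments from a malformed one are lost. Keep them in the new message, e.g. a format of `"partial matching of %s at seq %u, %u bytes"` with `ntohl(th->seq), datalen` appended to the argument list. Note that, per the comment just above it, this path is hit whenever the peer splits a command across TCP segments, so it now produces a logger call per such packet instead of a debug message, and any rate limiting is left to the nf_log backend. The enclosing help() function starts and ends outside the hunks.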
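--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -623,7 +623,7 @@
 
 drop:
 spin_unlock_bh(&nf_h323_lock);
-net_info_ratelimited("nf_ct_h245: packet dropped\n");
+nf_ct_helper_log(skb, ct, "cannot process H.245 message");
 return NF_DROP;
 }
 
@@ -1197,7 +1197,7 @@
 
 drop:
 spin_unlock_bh(&nf_h323_lock);
-net_info_ratelimited("nf_ct_q931: packet dropped\n");
+nf_ct_helper_log(skb, ct, "cannot process Q.931 message");
 return NF_DROP;
 }
 
@@ -1795,7 +1795,7 @@
 
 drop:
 spin_unlock_bh(&nf_h323_lock);
-net_info_ratelimited("nf_ct_ras: packet dropped\n");
+nf_ct_helper_log(skb, ct, "cannot process RAS message");
 return NF_DROP;
 }
 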
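Review bot: The three drop: labels trade net_info_ratelimited() for nf_ct_helper_log(), which goes through nf_log_packet() and has no rate limit of its own, so a peer that keeps sending unparsable H.245, Q.931 or RAS payloads drives one logger call per packet, and whether that is bounded now depends on the configured nf_log backend; as far as I recall, with no backend registered for the family nothing is emitted at all, where the old printk always showed. Each function has many goto drop sites, so the single message per label still cannot say which check failed; if that detail is the goal of the commit, consider logging at the failing site or passing a reason to the label. The three functions begin outside the hunks.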
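--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -28,6 +28,7 @@
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_log.h>
 
 static DEFINE_MUTEX(nf_ct_helper_mutex);
 struct hlist_head *nf_ct_helper_hash __read_mostly;
@@ -331,6 +332,24 @@
 return found ? cur : NULL;
 }
 EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol);
+
+__printf(3, 4)
+void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
+const char *fmt, ...)
+{
+const struct nf_conn_help *help;
+const struct nf_conntrack_helper *helper;
+
+/* Called from the helper function, this call never fails */
+help = nfct_help(ct);
+
+/* rcu_read_lock()ed by nf_hook_slow */
+helper = rcu_dereference(help->helper);
+
+nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
+"nf_ct_%s: dropping packet: %s ", helper->name, fmt);
+}
+EXPORT_SYMBOL_GPL(nf_ct_helper_log);
 
 int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 {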
net/netfilter/nf_conntrack_irc.c
... ... @@ -194,6 +194,8 @@
194 194  
195 195 exp = nf_ct_expect_alloc(ct);
196 196 if (exp == NULL) {
  197 + nf_ct_helper_log(skb, ct,
  198 + "cannot alloc expectation");
197 199 ret = NF_DROP;
198 200 goto out;
199 201 }
200 202  
... ... @@ -210,8 +212,11 @@
210 212 addr_beg_p - ib_ptr,
211 213 addr_end_p - addr_beg_p,
212 214 exp);
213   - else if (nf_ct_expect_related(exp) != 0)
  215 + else if (nf_ct_expect_related(exp) != 0) {
  216 + nf_ct_helper_log(skb, ct,
  217 + "cannot add expectation");
214 218 ret = NF_DROP;
  219 + }
215 220 nf_ct_expect_put(exp);
216 221 goto out;
217 222 }
net/netfilter/nf_conntrack_sane.c
... ... @@ -138,6 +138,7 @@
138 138  
139 139 exp = nf_ct_expect_alloc(ct);
140 140 if (exp == NULL) {
  141 + nf_ct_helper_log(skb, ct, "cannot alloc expectation");
141 142 ret = NF_DROP;
142 143 goto out;
143 144 }
144 145  
... ... @@ -151,8 +152,10 @@
151 152 nf_ct_dump_tuple(&exp->tuple);
152 153  
153 154 /* Can't expect this? Best to drop packet now. */
154   - if (nf_ct_expect_related(exp) != 0)
  155 + if (nf_ct_expect_related(exp) != 0) {
  156 + nf_ct_helper_log(skb, ct, "cannot add expectation");
155 157 ret = NF_DROP;
  158 + }
156 159  
157 160 nf_ct_expect_put(exp);
158 161  
net/netfilter/nf_conntrack_sip.c
... ... @@ -1095,8 +1095,10 @@
1095 1095 port = simple_strtoul(*dptr + mediaoff, NULL, 10);
1096 1096 if (port == 0)
1097 1097 continue;
1098   - if (port < 1024 || port > 65535)
  1098 + if (port < 1024 || port > 65535) {
  1099 + nf_ct_helper_log(skb, ct, "wrong port %u", port);
1099 1100 return NF_DROP;
  1101 + }
1100 1102  
1101 1103 /* The media description overrides the session description. */
1102 1104 maddr_len = 0;
1103 1105  
1104 1106  
1105 1107  
... ... @@ -1107,15 +1109,20 @@
1107 1109 memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
1108 1110 } else if (caddr_len)
1109 1111 memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
1110   - else
  1112 + else {
  1113 + nf_ct_helper_log(skb, ct, "cannot parse SDP message");
1111 1114 return NF_DROP;
  1115 + }
1112 1116  
1113 1117 ret = set_expected_rtp_rtcp(skb, protoff, dataoff,
1114 1118 dptr, datalen,
1115 1119 &rtp_addr, htons(port), t->class,
1116 1120 mediaoff, medialen);
1117   - if (ret != NF_ACCEPT)
  1121 + if (ret != NF_ACCEPT) {
  1122 + nf_ct_helper_log(skb, ct,
  1123 + "cannot add expectation for voice");
1118 1124 return ret;
  1125 + }
1119 1126  
1120 1127 /* Update media connection address if present */
1121 1128 if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) {
1122 1129  
... ... @@ -1123,8 +1130,10 @@
1123 1130 dptr, datalen, mediaoff,
1124 1131 SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
1125 1132 &rtp_addr);
1126   - if (ret != NF_ACCEPT)
  1133 + if (ret != NF_ACCEPT) {
  1134 + nf_ct_helper_log(skb, ct, "cannot mangle SDP");
1127 1135 return ret;
  1136 + }
1128 1137 }
1129 1138 i++;
1130 1139 }
1131 1140  
... ... @@ -1258,9 +1267,10 @@
1258 1267 ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
1259 1268 SIP_HDR_CONTACT, NULL,
1260 1269 &matchoff, &matchlen, &daddr, &port);
1261   - if (ret < 0)
  1270 + if (ret < 0) {
  1271 + nf_ct_helper_log(skb, ct, "cannot parse contact");
1262 1272 return NF_DROP;
1263   - else if (ret == 0)
  1273 + } else if (ret == 0)
1264 1274 return NF_ACCEPT;
1265 1275  
1266 1276 /* We don't support third-party registrations */
1267 1277  
... ... @@ -1273,8 +1283,10 @@
1273 1283  
1274 1284 if (ct_sip_parse_numerical_param(ct, *dptr,
1275 1285 matchoff + matchlen, *datalen,
1276   - "expires=", NULL, NULL, &expires) < 0)
  1286 + "expires=", NULL, NULL, &expires) < 0) {
  1287 + nf_ct_helper_log(skb, ct, "cannot parse expires");
1277 1288 return NF_DROP;
  1289 + }
1278 1290  
1279 1291 if (expires == 0) {
1280 1292 ret = NF_ACCEPT;
1281 1293  
... ... @@ -1282,8 +1294,10 @@
1282 1294 }
1283 1295  
1284 1296 exp = nf_ct_expect_alloc(ct);
1285   - if (!exp)
  1297 + if (!exp) {
  1298 + nf_ct_helper_log(skb, ct, "cannot alloc expectation");
1286 1299 return NF_DROP;
  1300 + }
1287 1301  
1288 1302 saddr = NULL;
1289 1303 if (sip_direct_signalling)
1290 1304  
... ... @@ -1300,9 +1314,10 @@
1300 1314 ret = nf_nat_sip_expect(skb, protoff, dataoff, dptr, datalen,
1301 1315 exp, matchoff, matchlen);
1302 1316 else {
1303   - if (nf_ct_expect_related(exp) != 0)
  1317 + if (nf_ct_expect_related(exp) != 0) {
  1318 + nf_ct_helper_log(skb, ct, "cannot add expectation");
1304 1319 ret = NF_DROP;
1305   - else
  1320 + } else
1306 1321 ret = NF_ACCEPT;
1307 1322 }
1308 1323 nf_ct_expect_put(exp);
1309 1324  
... ... @@ -1356,9 +1371,10 @@
1356 1371 SIP_HDR_CONTACT, &in_contact,
1357 1372 &matchoff, &matchlen,
1358 1373 &addr, &port);
1359   - if (ret < 0)
  1374 + if (ret < 0) {
  1375 + nf_ct_helper_log(skb, ct, "cannot parse contact");
1360 1376 return NF_DROP;
1361   - else if (ret == 0)
  1377 + } else if (ret == 0)
1362 1378 break;
1363 1379  
1364 1380 /* We don't support third-party registrations */
1365 1381  
... ... @@ -1373,8 +1389,10 @@
1373 1389 matchoff + matchlen,
1374 1390 *datalen, "expires=",
1375 1391 NULL, NULL, &c_expires);
1376   - if (ret < 0)
  1392 + if (ret < 0) {
  1393 + nf_ct_helper_log(skb, ct, "cannot parse expires");
1377 1394 return NF_DROP;
  1395 + }
1378 1396 if (c_expires == 0)
1379 1397 break;
1380 1398 if (refresh_signalling_expectation(ct, &addr, proto, port,
1381 1399  
1382 1400  
1383 1401  
1384 1402  
1385 1403  
... ... @@ -1408,15 +1426,21 @@
1408 1426 if (*datalen < strlen("SIP/2.0 200"))
1409 1427 return NF_ACCEPT;
1410 1428 code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
1411   - if (!code)
  1429 + if (!code) {
  1430 + nf_ct_helper_log(skb, ct, "cannot get code");
1412 1431 return NF_DROP;
  1432 + }
1413 1433  
1414 1434 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1415   - &matchoff, &matchlen) <= 0)
  1435 + &matchoff, &matchlen) <= 0) {
  1436 + nf_ct_helper_log(skb, ct, "cannot parse cseq");
1416 1437 return NF_DROP;
  1438 + }
1417 1439 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1418   - if (!cseq)
  1440 + if (!cseq) {
  1441 + nf_ct_helper_log(skb, ct, "cannot get cseq");
1419 1442 return NF_DROP;
  1443 + }
1420 1444 matchend = matchoff + matchlen + 1;
1421 1445  
1422 1446 for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
1423 1447  
1424 1448  
1425 1449  
... ... @@ -1471,11 +1495,15 @@
1471 1495 continue;
1472 1496  
1473 1497 if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
1474   - &matchoff, &matchlen) <= 0)
  1498 + &matchoff, &matchlen) <= 0) {
  1499 + nf_ct_helper_log(skb, ct, "cannot parse cseq");
1475 1500 return NF_DROP;
  1501 + }
1476 1502 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
1477   - if (!cseq)
  1503 + if (!cseq) {
  1504 + nf_ct_helper_log(skb, ct, "cannot get cseq");
1478 1505 return NF_DROP;
  1506 + }
1479 1507  
1480 1508 return handler->request(skb, protoff, dataoff, dptr, datalen,
1481 1509 cseq);
1482 1510  
... ... @@ -1498,8 +1526,10 @@
1498 1526 if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
1499 1527 nf_nat_sip = rcu_dereference(nf_nat_sip_hook);
1500 1528 if (nf_nat_sip && !nf_nat_sip(skb, protoff, dataoff,
1501   - dptr, datalen))
  1529 + dptr, datalen)) {
  1530 + nf_ct_helper_log(skb, ct, "cannot NAT SIP message");
1502 1531 ret = NF_DROP;
  1532 + }
1503 1533 }
1504 1534  
1505 1535 return ret;
1506 1536  
1507 1537  
... ... @@ -1563,11 +1593,14 @@
1563 1593 end += strlen("\r\n\r\n") + clen;
1564 1594  
1565 1595 msglen = origlen = end - dptr;
1566   - if (msglen > datalen)
  1596 + if (msglen > datalen) {
  1597 + nf_ct_helper_log(skb, ct, "incomplete/bad SIP message");
1567 1598 return NF_DROP;
  1599 + }
1568 1600  
1569 1601 ret = process_sip_msg(skb, ct, protoff, dataoff,
1570 1602 &dptr, &msglen);
  1603 + /* process_sip_* functions report why this packet is dropped */
1571 1604 if (ret != NF_ACCEPT)
1572 1605 break;
1573 1606 diff = msglen - origlen;
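Review bot: Several new log calls fire on a verdict returned by a callee that has already logged the same drop, so one packet yields two lines: process_sip_msg's `"cannot NAT SIP message"` when nf_nat_sip() returns false, although every failure path in nf_nat_sip (net/netfilter/nf_nat_sip.c, same commit) now calls nf_ct_helper_log with a more specific reason, and process_sdp's `"cannot add expectation for voice"` after set_expected_rtp_rtcp(), whose NAT branch logs `"all ports in use for SDP media"` itself. Either drop the outer call where the callee reports its own reason, or keep only the outer one, in line with the intent stated by the new comment `/* process_sip_* functions report why this packet is dropped */` in sip_help_tcp. The `"wrong port %u"` message also assumes nf_ct_helper_log formats its arguments, which the implementation in this commit does not. The enclosing functions start and end outside the hunks.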
net/netfilter/nf_conntrack_tftp.c
... ... @@ -60,8 +60,10 @@
60 60 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
61 61  
62 62 exp = nf_ct_expect_alloc(ct);
63   - if (exp == NULL)
  63 + if (exp == NULL) {
  64 + nf_ct_helper_log(skb, ct, "cannot alloc expectation");
64 65 return NF_DROP;
  66 + }
65 67 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
66 68 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT,
67 69 nf_ct_l3num(ct),
68 70  
... ... @@ -74,8 +76,10 @@
74 76 nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook);
75 77 if (nf_nat_tftp && ct->status & IPS_NAT_MASK)
76 78 ret = nf_nat_tftp(skb, ctinfo, exp);
77   - else if (nf_ct_expect_related(exp) != 0)
  79 + else if (nf_ct_expect_related(exp) != 0) {
  80 + nf_ct_helper_log(skb, ct, "cannot add expectation");
78 81 ret = NF_DROP;
  82 + }
79 83 nf_ct_expect_put(exp);
80 84 break;
81 85 case TFTP_OPCODE_DATA:
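--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -56,15 +56,19 @@
 }
 }
 
-if (port == 0)
+if (port == 0) {
+nf_ct_helper_log(skb, exp->master, "all ports in use");
 return NF_DROP;
+}
 
 sprintf(buffer, "%u", port);
 ret = nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
 protoff, matchoff, matchlen,
 buffer, strlen(buffer));
-if (ret != NF_ACCEPT)
+if (ret != NF_ACCEPT) {
+nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
 nf_ct_unexpect_related(exp);
+}
 return ret;
 }
 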
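--- a/net/netfilter/nf_nat_ftp.c
+++ b/net/netfilter/nf_nat_ftp.c
@@ -96,8 +96,10 @@
 }
 }
 
-if (port == 0)
+if (port == 0) {
+nf_ct_helper_log(skb, ct, "all ports in use");
 return NF_DROP;
+}
 
 buflen = nf_nat_ftp_fmt_cmd(ct, type, buffer, sizeof(buffer),
 &newaddr, port);
@@ -113,6 +115,7 @@
 return NF_ACCEPT;
 
 out:
+nf_ct_helper_log(skb, ct, "cannot mangle packet");
 nf_ct_unexpect_related(exp);
 return NF_DROP;
 }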
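Review bot: The new `nf_ct_helper_log(skb, ct, "cannot mangle packet");` sits at the shared `out:` label, so every `goto out` in nf_nat_ftp gets that text; the first hunk ends on the `nf_nat_ftp_fmt_cmd()` call and if, as the structure suggests, a zero `buflen` also jumps to `out:` (that check is outside the hunks), a formatting failure is reported as a mangling failure. Log at each goto site instead, e.g. `nf_ct_helper_log(skb, ct, "cannot format command");` before the fmt_cmd goto and the existing message before the mangle goto, leaving only nf_ct_unexpect_related() and the return at the label. nf_nat_ftp begins outside the hunks.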
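--- a/net/netfilter/nf_nat_irc.c
+++ b/net/netfilter/nf_nat_irc.c
@@ -56,14 +56,18 @@
 }
 }
 
-if (port == 0)
+if (port == 0) {
+nf_ct_helper_log(skb, exp->master, "all ports in use");
 return NF_DROP;
+}
 
 ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo,
 protoff, matchoff, matchlen, buffer,
 strlen(buffer));
-if (ret != NF_ACCEPT)
+if (ret != NF_ACCEPT) {
+nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
 nf_ct_unexpect_related(exp);
+}
 return ret;
 }
 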
net/netfilter/nf_nat_sip.c
... ... @@ -159,8 +159,10 @@
159 159 &matchoff, &matchlen,
160 160 &addr, &port) > 0 &&
161 161 !map_addr(skb, protoff, dataoff, dptr, datalen,
162   - matchoff, matchlen, &addr, port))
  162 + matchoff, matchlen, &addr, port)) {
  163 + nf_ct_helper_log(skb, ct, "cannot mangle SIP message");
163 164 return NF_DROP;
  165 + }
164 166 request = 1;
165 167 } else
166 168 request = 0;
167 169  
... ... @@ -193,8 +195,10 @@
193 195  
194 196 olen = *datalen;
195 197 if (!map_addr(skb, protoff, dataoff, dptr, datalen,
196   - matchoff, matchlen, &addr, port))
  198 + matchoff, matchlen, &addr, port)) {
  199 + nf_ct_helper_log(skb, ct, "cannot mangle Via header");
197 200 return NF_DROP;
  201 + }
198 202  
199 203 matchend = matchoff + matchlen + *datalen - olen;
200 204  
201 205  
... ... @@ -209,8 +213,10 @@
209 213 &ct->tuplehash[!dir].tuple.dst.u3,
210 214 true);
211 215 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
212   - poff, plen, buffer, buflen))
  216 + poff, plen, buffer, buflen)) {
  217 + nf_ct_helper_log(skb, ct, "cannot mangle maddr");
213 218 return NF_DROP;
  219 + }
214 220 }
215 221  
216 222 /* The received= parameter (RFC 2361) contains the address
... ... @@ -225,6 +231,7 @@
225 231 false);
226 232 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
227 233 poff, plen, buffer, buflen))
  234 + nf_ct_helper_log(skb, ct, "cannot mangle received");
228 235 return NF_DROP;
229 236 }
230 237  
231 238  
... ... @@ -238,8 +245,10 @@
238 245 __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
239 246 buflen = sprintf(buffer, "%u", ntohs(p));
240 247 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
241   - poff, plen, buffer, buflen))
  248 + poff, plen, buffer, buflen)) {
  249 + nf_ct_helper_log(skb, ct, "cannot mangle rport");
242 250 return NF_DROP;
  251 + }
243 252 }
244 253 }
245 254  
246 255  
247 256  
248 257  
249 258  
250 259  
251 260  
252 261  
... ... @@ -253,27 +262,35 @@
253 262 &addr, &port) > 0) {
254 263 if (!map_addr(skb, protoff, dataoff, dptr, datalen,
255 264 matchoff, matchlen,
256   - &addr, port))
  265 + &addr, port)) {
  266 + nf_ct_helper_log(skb, ct, "cannot mangle contact");
257 267 return NF_DROP;
  268 + }
258 269 }
259 270  
260 271 if (!map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_FROM) ||
261   - !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO))
  272 + !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) {
  273 + nf_ct_helper_log(skb, ct, "cannot mangle SIP from/to");
262 274 return NF_DROP;
  275 + }
263 276  
264 277 /* Mangle destination port for Cisco phones, then fix up checksums */
265 278 if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) {
266 279 struct udphdr *uh;
267 280  
268   - if (!skb_make_writable(skb, skb->len))
  281 + if (!skb_make_writable(skb, skb->len)) {
  282 + nf_ct_helper_log(skb, ct, "cannot mangle packet");
269 283 return NF_DROP;
  284 + }
270 285  
271 286 uh = (void *)skb->data + protoff;
272 287 uh->dest = ct_sip_info->forced_dport;
273 288  
274 289 if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, protoff,
275   - 0, 0, NULL, 0))
  290 + 0, 0, NULL, 0)) {
  291 + nf_ct_helper_log(skb, ct, "cannot mangle packet");
276 292 return NF_DROP;
  293 + }
277 294 }
278 295  
279 296 return NF_ACCEPT;
280 297  
281 298  
282 299  
... ... @@ -372,15 +389,19 @@
372 389 }
373 390 }
374 391  
375   - if (port == 0)
  392 + if (port == 0) {
  393 + nf_ct_helper_log(skb, ct, "all ports in use for SIP");
376 394 return NF_DROP;
  395 + }
377 396  
378 397 if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) ||
379 398 exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
380 399 buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port);
381 400 if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
382   - matchoff, matchlen, buffer, buflen))
  401 + matchoff, matchlen, buffer, buflen)) {
  402 + nf_ct_helper_log(skb, ct, "cannot mangle packet");
383 403 goto err;
  404 + }
384 405 }
385 406 return NF_ACCEPT;
386 407  
387 408  
388 409  
389 410  
... ... @@ -573,14 +594,18 @@
573 594 }
574 595 }
575 596  
576   - if (port == 0)
  597 + if (port == 0) {
  598 + nf_ct_helper_log(skb, ct, "all ports in use for SDP media");
577 599 goto err1;
  600 + }
578 601  
579 602 /* Update media port. */
580 603 if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port &&
581 604 !nf_nat_sdp_port(skb, protoff, dataoff, dptr, datalen,
582   - mediaoff, medialen, port))
  605 + mediaoff, medialen, port)) {
  606 + nf_ct_helper_log(skb, ct, "cannot mangle SDP message");
583 607 goto err2;
  608 + }
584 609  
585 610 return NF_ACCEPT;
586 611  
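Review bot: The received= hunk is broken: `nf_ct_helper_log(skb, ct, "cannot mangle received");` was inserted after `if (!mangle_packet(...))` without braces, so the log call becomes the if body and the following `return NF_DROP;` is now unconditional, dropping every packet whose Via header carries a received= parameter even when mangling succeeded; the other hunks in this file add the braces correctly. Wrap it as the siblings do, `if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, poff, plen, buffer, buflen)) {` … `}` around the log and the return. Several of these failure messages are also emitted a second time by the caller in nf_conntrack_sip.c when NF_DROP propagates, so one packet gets two lines. The enclosing functions start and end outside the hunks.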
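--- a/net/netfilter/nf_nat_tftp.c
+++ b/net/netfilter/nf_nat_tftp.c
@@ -28,8 +28,10 @@
 = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
 exp->dir = IP_CT_DIR_REPLY;
 exp->expectfn = nf_nat_follow_master;
-if (nf_ct_expect_related(exp) != 0)
+if (nf_ct_expect_related(exp) != 0) {
+nf_ct_helper_log(skb, exp->master, "cannot add expectation");
 return NF_DROP;
+}
 return NF_ACCEPT;
 }
 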