
Commit 0adf9d6

ummakynesdavem330
authored andcommitted
netfilter: ctnetlink: group errors into logical errno sets
This patch groups ctnetlink errors into three logical sets: * Malformed messages: if ctnetlink receives a message without some mandatory attribute, then it returns EINVAL. * Unsupported operations: if userspace tries to perform an unsupported operation, then it returns EOPNOTSUPP. * Unchangeable: if userspace tries to change some attribute of the conntrack object that can only be set once, then it returns EBUSY. This patch reduces the number of -EINVAL from 23 to 14 and it results in 5 -EBUSY and 6 -EOPNOTSUPP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 93f6515 commit 0adf9d6


1 file changed

+10
-11
lines changed


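--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -4,7 +4,7 @@
 * (C) 2001 by Jay Schulist <jschlst@samba.org>
 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
-* (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org>
+* (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * Initial connection tracking via netlink development funded and
 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
@@ -891,20 +891,19 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
 
 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
 /* unchangeable */
-return -EINVAL;
+return -EBUSY;
 
 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
 /* SEEN_REPLY bit can only be set */
-return -EINVAL;
-
+return -EBUSY;
 
 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
 /* ASSURED bit can only be set */
-return -EINVAL;
+return -EBUSY;
 
 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
 #ifndef CONFIG_NF_NAT_NEEDED
-return -EINVAL;
+return -EOPNOTSUPP;
 #else
 struct nf_nat_range range;
 
@@ -945,7 +944,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
 
 /* don't change helper of sibling connections */
 if (ct->master)
-return -EINVAL;
+return -EBUSY;
 
 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
 if (err < 0)
@@ -963,7 +962,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
 
 helper = __nf_conntrack_helper_find_byname(helpname);
 if (helper == NULL)
-return -EINVAL;
+return -EOPNOTSUPP;
 
 if (help) {
 if (help->helper == helper)
@@ -1258,12 +1257,12 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
 /* we only allow nat config for new conntracks */
 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
-err = -EINVAL;
+err = -EOPNOTSUPP;
 goto out_unlock;
 }
 /* can't link an existing conntrack to a master */
 if (cda[CTA_TUPLE_MASTER]) {
-err = -EINVAL;
+err = -EOPNOTSUPP;
 goto out_unlock;
 }
 err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h),
@@ -1608,7 +1607,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
 h = __nf_conntrack_helper_find_byname(name);
 if (!h) {
 spin_unlock_bh(&nf_conntrack_lock);
-return -EINVAL;
+return -EOPNOTSUPP;
 }
 for (i = 0; i < nf_ct_expect_hsize; i++) {
 hlist_for_each_entry_safe(exp, n, next,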
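Review bot: In the ctnetlink_new_conntrack hunk, the two rejections for an already existing conntrack (`cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]` and `cda[CTA_TUPLE_MASTER]`) return -EOPNOTSUPP, although their comments describe attributes that can only be given at creation time, which the commit description places in the "unchangeable" set (EBUSY). As written, userspace receives the same errno here as from the `#ifndef CONFIG_NF_NAT_NEEDED` branch in ctnetlink_change_status, so a management tool cannot tell "kernel built without NAT" from "this entry already exists" and may choose the wrong fallback. I would either use `err = -EBUSY;` in both branches or record the intended class next to them, e.g. `/* creation-time only: reported as an unsupported operation on an existing entry */`. A similar question applies to the `helper == NULL` case in ctnetlink_change_helper and the `!h` case in ctnetlink_del_expect, where a failed lookup by name looks more like a missing object than an unsupported operation. All of these functions begin and end outside the visible hunks, so callers' handling of the new values should be checked against the full file.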
