netfilter: cttimeout: fix dependency with l4protocol conntrack module

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This patch introduces nf_conntrack_l4proto_find_get() and
nf_conntrack_l4proto_put() to fix module dependencies between
timeout objects and l4-protocol conntrack modules.

Thus, we make sure that the module cannot be removed if it is
used by any of the cttimeout objects.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso 14 years ago c1ebd7df a0f65a26

+53 -25

5 changed files

expand all

include

net

netfilter

nf_conntrack_l4proto.h

nf_conntrack_timeout.h

net

netfilter

nf_conntrack_proto.c

nfnetlink_cttimeout.c

xt_CT.c

include/net/netfilter/nf_conntrack_l4proto.h

··· 118 118 extern struct nf_conntrack_l4proto * 119 119 __nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto); 120 120 121 + extern struct nf_conntrack_l4proto * 122 + nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto); 123 + extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p); 124 + 121 125 /* Protocol registration. */ 122 126 extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto); 123 127 extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);

+1 -1

include/net/netfilter/nf_conntrack_timeout.h

··· 15 15 atomic_t refcnt; 16 16 char name[CTNL_TIMEOUT_NAME_MAX]; 17 17 __u16 l3num; 18 - __u8 l4num; 18 + struct nf_conntrack_l4proto *l4proto; 19 19 char data[0]; 20 20 }; 21 21

+21

net/netfilter/nf_conntrack_proto.c

··· 127 127 } 128 128 EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put); 129 129 130 + struct nf_conntrack_l4proto * 131 + nf_ct_l4proto_find_get(u_int16_t l3num, u_int8_t l4num) 132 + { 133 + struct nf_conntrack_l4proto *p; 134 + 135 + rcu_read_lock(); 136 + p = __nf_ct_l4proto_find(l3num, l4num); 137 + if (!try_module_get(p->me)) 138 + p = &nf_conntrack_l4proto_generic; 139 + rcu_read_unlock(); 140 + 141 + return p; 142 + } 143 + EXPORT_SYMBOL_GPL(nf_ct_l4proto_find_get); 144 + 145 + void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p) 146 + { 147 + module_put(p->me); 148 + } 149 + EXPORT_SYMBOL_GPL(nf_ct_l4proto_put); 150 + 130 151 static int kill_l3proto(struct nf_conn *i, void *data) 131 152 { 132 153 return nf_ct_l3num(i) == ((struct nf_conntrack_l3proto *)data)->l3proto;

+23 -22

net/netfilter/nfnetlink_cttimeout.c

··· 98 98 break; 99 99 } 100 100 101 - l4proto = __nf_ct_l4proto_find(l3num, l4num); 101 + l4proto = nf_ct_l4proto_find_get(l3num, l4num); 102 102 103 103 /* This protocol is not supportted, skip. */ 104 - if (l4proto->l4proto != l4num) 105 - return -EOPNOTSUPP; 104 + if (l4proto->l4proto != l4num) { 105 + ret = -EOPNOTSUPP; 106 + goto err_proto_put; 107 + } 106 108 107 109 if (matching) { 108 110 if (nlh->nlmsg_flags & NLM_F_REPLACE) { ··· 112 110 * different kind, sorry. 113 111 */ 114 112 if (matching->l3num != l3num || 115 - matching->l4num != l4num) 116 - return -EINVAL; 113 + matching->l4proto->l4proto != l4num) { 114 + ret = -EINVAL; 115 + goto err_proto_put; 116 + } 117 117 118 118 ret = ctnl_timeout_parse_policy(matching, l4proto, 119 119 cda[CTA_TIMEOUT_DATA]); 120 120 return ret; 121 121 } 122 - return -EBUSY; 122 + ret = -EBUSY; 123 + goto err_proto_put; 123 124 } 124 125 125 126 timeout = kzalloc(sizeof(struct ctnl_timeout) + 126 127 l4proto->ctnl_timeout.obj_size, GFP_KERNEL); 127 - if (timeout == NULL) 128 - return -ENOMEM; 128 + if (timeout == NULL) { 129 + ret = -ENOMEM; 130 + goto err_proto_put; 131 + } 129 132 130 133 ret = ctnl_timeout_parse_policy(timeout, l4proto, 131 134 cda[CTA_TIMEOUT_DATA]); ··· 139 132 140 133 strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME])); 141 134 timeout->l3num = l3num; 142 - timeout->l4num = l4num; 135 + timeout->l4proto = l4proto; 143 136 atomic_set(&timeout->refcnt, 1); 144 137 list_add_tail_rcu(&timeout->head, &cttimeout_list); 145 138 146 139 return 0; 147 140 err: 148 141 kfree(timeout); 142 + err_proto_put: 143 + nf_ct_l4proto_put(l4proto); 149 144 return ret; 150 145 } 151 146 ··· 158 149 struct nlmsghdr *nlh; 159 150 struct nfgenmsg *nfmsg; 160 151 unsigned int flags = pid ? NLM_F_MULTI : 0; 161 - struct nf_conntrack_l4proto *l4proto; 152 + struct nf_conntrack_l4proto *l4proto = timeout->l4proto; 162 153 163 154 event |= NFNL_SUBSYS_CTNETLINK_TIMEOUT << 8; 164 155 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags); ··· 172 163 173 164 NLA_PUT_STRING(skb, CTA_TIMEOUT_NAME, timeout->name); 174 165 NLA_PUT_BE16(skb, CTA_TIMEOUT_L3PROTO, htons(timeout->l3num)); 175 - NLA_PUT_U8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4num); 166 + NLA_PUT_U8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4proto->l4proto); 176 167 NLA_PUT_BE32(skb, CTA_TIMEOUT_USE, 177 168 htonl(atomic_read(&timeout->refcnt))); 178 - 179 - l4proto = __nf_ct_l4proto_find(timeout->l3num, timeout->l4num); 180 - 181 - /* If the timeout object does not match the layer 4 protocol tracker, 182 - * then skip dumping the data part since we don't know how to 183 - * interpret it. This may happen for UPDlite, SCTP and DCCP since 184 - * you can unload the module. 185 - */ 186 - if (timeout->l4num != l4proto->l4proto) 187 - goto out; 188 169 189 170 if (likely(l4proto->ctnl_timeout.obj_to_nlattr)) { 190 171 struct nlattr *nest_parms; ··· 191 192 192 193 nla_nest_end(skb, nest_parms); 193 194 } 194 - out: 195 + 195 196 nlmsg_end(skb, nlh); 196 197 return skb->len; 197 198 ··· 292 293 if (atomic_dec_and_test(&timeout->refcnt)) { 293 294 /* We are protected by nfnl mutex. */ 294 295 list_del_rcu(&timeout->head); 296 + nf_ct_l4proto_put(timeout->l4proto); 295 297 kfree_rcu(timeout, rcu_head); 296 298 } else { 297 299 /* still in use, restore reference counter. */ ··· 417 417 /* We are sure that our objects have no clients at this point, 418 418 * it's safe to release them all without checking refcnt. 419 419 */ 420 + nf_ct_l4proto_put(cur->l4proto); 420 421 kfree_rcu(cur, rcu_head); 421 422 } 422 423 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT

+4 -2

net/netfilter/xt_CT.c

··· 16 16 #include <net/netfilter/nf_conntrack.h> 17 17 #include <net/netfilter/nf_conntrack_helper.h> 18 18 #include <net/netfilter/nf_conntrack_ecache.h> 19 + #include <net/netfilter/nf_conntrack_l4proto.h> 19 20 #include <net/netfilter/nf_conntrack_timeout.h> 20 21 #include <net/netfilter/nf_conntrack_zones.h> 21 22 ··· 244 243 info->timeout, timeout->l3num); 245 244 goto err3; 246 245 } 247 - if (timeout->l4num != e->ip.proto) { 246 + if (timeout->l4proto->l4proto != e->ip.proto) { 248 247 ret = -EINVAL; 249 248 pr_info("Timeout policy `%s' can only be " 250 249 "used by L4 protocol number %d\n", 251 - info->timeout, timeout->l4num); 250 + info->timeout, 251 + timeout->l4proto->l4proto); 252 252 goto err3; 253 253 } 254 254 timeout_ext = nf_ct_timeout_ext_add(ct, timeout,