| Message ID | 1489934162-7415-2-git-send-email-zlpnobody@163.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
On Sun, Mar 19, 2017 at 10:35:58PM +0800, Liping Zhang wrote: > From: Liping Zhang <zlpnobody@gmail.com> > > Currently, when we create cthelper via nfnetlink, -EINVAL will be > returned if the NFCTH_PRIV_DATA_LEN attribute is empty. > > But enforcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems > unnecessary, so it's better to set the helper->data_len to zero if > the NFCTH_PRIV_DATA_LEN attribute is empty. > > Found by running example program from libnetfilter_cthelper: > # ./libnetfilter_cthelper/examples/nfct-helper-add test 1 > error: Invalid argument I suggest you fix this userspace example instead, we should always send NFCTH_PRIV_DATA_LEN. This is integral part of the helper description. NFCTH_ATTR_PRIV_DATA_LEN has been always set from the conntrack-tools, so most likely this example just got outdated at some point of the development and nobody noticed so far. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Pablo, 2017-03-21 18:18 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>: > On Sun, Mar 19, 2017 at 10:35:58PM +0800, Liping Zhang wrote: >> From: Liping Zhang <zlpnobody@gmail.com> >> >> Currently, when we create cthelper via nfnetlink, -EINVAL will be >> returned if the NFCTH_PRIV_DATA_LEN attribute is empty. >> >> But enforcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems >> unnecessary, so it's better to set the helper->data_len to zero if >> the NFCTH_PRIV_DATA_LEN attribute is empty. >> >> Found by running example program from libnetfilter_cthelper: >> # ./libnetfilter_cthelper/examples/nfct-helper-add test 1 >> error: Invalid argument > > I suggest you fix this userspace example instead, we should always > send NFCTH_PRIV_DATA_LEN. This is integral part of the helper > description. > > NFCTH_ATTR_PRIV_DATA_LEN has been always set from the conntrack-tools, > so most likely this example just got outdated at some point of the > development and nobody noticed so far. OK, get it. I will send a patch to fix the example codes. > > Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index 2defe73..9c24301 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -205,7 +205,7 @@ nfnl_cthelper_create(const struct nlattr * const tb[], struct nf_conntrack_helper *helper; int ret; - if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN]) + if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY]) return -EINVAL; helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL); @@ -217,7 +217,8 @@ nfnl_cthelper_create(const struct nlattr * const tb[], goto err1; strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN); - helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])); + if (tb[NFCTH_PRIV_DATA_LEN]) + helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])); helper->flags |= NF_CT_HELPER_F_USERSPACE; memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));