[2/8] conntrack: fix icmp entry creation

Message ID	20200925124919.9389-3-mikhail.sennikovskii@cloud.ionos.com
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com> To: netfilter-devel@vger.kernel.org Cc: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com> Subject: [PATCH 2/8] conntrack: fix icmp entry creation Date: Fri, 25 Sep 2020 14:49:13 +0200 Message-Id: <20200925124919.9389-3-mikhail.sennikovskii@cloud.ionos.com> In-Reply-To: <20200925124919.9389-1-mikhail.sennikovskii@cloud.ionos.com> References: <20200925124919.9389-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Fast bulk transfers of large sets of ct entries \| expand [0/8] Fast bulk transfers of large sets of ct entries [1/8] tests: icmp entry create/delete [2/8] conntrack: fix icmp entry creation [3/8] conntrack: accept parameters from stdin [4/8] conntrack.8: man update for stdin params support [5/8] tests: conntrack parameters from stdin [6/8] conntrack: implement options output format [7/8] conntrack.8: man update for opts format support [8/8] tests: dumping ct entries in opts format

Message ID

20200925124919.9389-3-mikhail.sennikovskii@cloud.ionos.com

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
To: netfilter-devel@vger.kernel.org
Cc: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Subject: [PATCH 2/8] conntrack: fix icmp entry creation
Date: Fri, 25 Sep 2020 14:49:13 +0200
Message-Id: <20200925124919.9389-3-mikhail.sennikovskii@cloud.ionos.com>
In-Reply-To: <20200925124919.9389-1-mikhail.sennikovskii@cloud.ionos.com>
References: <20200925124919.9389-1-mikhail.sennikovskii@cloud.ionos.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Fast bulk transfers of large sets of ct entries | expand

Commit Message

Mikhail Sennikovsky Sept. 25, 2020, 12:49 p.m. UTC

Creating icmp ct entry with command like

conntrack -I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 \
   -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226

results in nfct_query( NFCT_Q_CREATE ) request would fail
because reply L4 proto is not set while having reply data specified

Set reply L4 proto when reply data is given for the icmp ct entry

Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
---
 extensions/libct_proto_icmp.c   | 18 ++++++++++++++++++
 extensions/libct_proto_icmpv6.c | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)

Comments

Pablo Neira Ayuso Oct. 13, 2020, 6:29 p.m. UTC | #1

On Fri, Sep 25, 2020 at 02:49:13PM +0200, Mikhail Sennikovsky wrote:
> Creating icmp ct entry with command like
> 
> conntrack -I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 \
>    -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226
> 
> results in nfct_query( NFCT_Q_CREATE ) request would fail
> because reply L4 proto is not set while having reply data specified
> 
> Set reply L4 proto when reply data is given for the icmp ct entry

Also applied, thanks.

diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index 2ce1c65..16c2e2e 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -78,18 +78,36 @@  static int parse(char c,
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
+			/*
+			 * need to set the reply proto, otherwise the
+			 * NFCT_Q_CREATE call would fail
+			 */
+			if (nfct_attr_is_set(ct, ATTR_REPL_L3PROTO))
+				nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_ICMP);
 			*flags |= CT_ICMP_TYPE;
 			break;
 		case '2':
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_CODE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
+			/*
+			 * need to set the reply proto, otherwise the
+			 * NFCT_Q_CREATE call would fail
+			 */
+			if (nfct_attr_is_set(ct, ATTR_REPL_L3PROTO))
+				nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_ICMP);
 			*flags |= CT_ICMP_CODE;
 			break;
 		case '3':
 			id = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ICMP_ID, id);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
+			/*
+			 * need to set the reply proto, otherwise the
+			 * NFCT_Q_CREATE call would fail
+			 */
+			if (nfct_attr_is_set(ct, ATTR_REPL_L3PROTO))
+				nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_ICMP);
 			*flags |= CT_ICMP_ID;
 			break;
 	}
diff --git a/extensions/libct_proto_icmpv6.c b/extensions/libct_proto_icmpv6.c
index 18dd3e5..7f5e637 100644
--- a/extensions/libct_proto_icmpv6.c
+++ b/extensions/libct_proto_icmpv6.c
@@ -81,18 +81,36 @@  static int parse(char c,
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
+			/*
+			 * need to set the reply proto, otherwise the
+			 * NFCT_Q_CREATE call would fail
+			 */
+			if (nfct_attr_is_set(ct, ATTR_REPL_L3PROTO))
+				nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_ICMPV6);
 			*flags |= CT_ICMP_TYPE;
 			break;
 		case '2':
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_CODE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
+			/*
+			 * need to set the reply proto, otherwise the
+			 * NFCT_Q_CREATE call would fail
+			 */
+			if (nfct_attr_is_set(ct, ATTR_REPL_L3PROTO))
+				nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_ICMPV6);
 			*flags |= CT_ICMP_CODE;
 			break;
 		case '3':
 			id = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ICMP_ID, id);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
+			/*
+			 * need to set the reply proto, otherwise the
+			 * NFCT_Q_CREATE call would fail
+			 */
+			if (nfct_attr_is_set(ct, ATTR_REPL_L3PROTO))
+				nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_ICMPV6);
 			*flags |= CT_ICMP_ID;
 			break;
 	}

[2/8] conntrack: fix icmp entry creation

Commit Message

Comments

Patch