From: Pablo Neira Ayuso
The expectfn callback determines how nf_nat_setup_info() is invoked for this expectation. This patch restricts expectfn to the master conntrack helper, there is nf_nat_follow_master() that is used by most expectations to deal with nat. However, sip and h.323 helpers still offer their own variants for different purpose. Add a new helper field to struct nf_ct_helper_expectfn to restrict the expectfn to its helper. If NULL, then this can be used by any expectation, which is the case nf_nat_follow_master().
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
 include/net/netfilter/nf_conntrack_helper.h | 3 ++-
 net/ipv4/netfilter/nf_nat_h323.c | 2 ++
 net/netfilter/nf_conntrack_helper.c | 5 +++--
 net/netfilter/nf_conntrack_netlink.c | 2 +-
 net/netfilter/nf_nat_sip.c | 1 +
 5 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index de2f956abf34..dc566921cc73 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -145,6 +145,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb, struct nf_conn *ct,
 struct nf_ct_helper_expectfn {
 struct list_head head;
+ const char *helper;
 const char *name;
 void (*expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp);
 };
@@ -156,7 +157,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 void nf_ct_helper_expectfn_register(struct nf_ct_helper_expectfn *n);
 void nf_ct_helper_expectfn_unregister(struct nf_ct_helper_expectfn *n);
 struct nf_ct_helper_expectfn *
-nf_ct_helper_expectfn_find_by_name(const char *name);
+nf_ct_helper_expectfn_find_by_name(const char *helper, const char *name);
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_symbol(const void *symbol);
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index faee20af4856..21353623130c 100644
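Review bot: The new `helper` member of struct nf_ct_helper_expectfn carries no comment, although its NULL value has a meaning that only the commit message explains. I would add `/* name of the only conntrack helper allowed to use this expectfn; NULL means any helper */` above the field so the contract is readable from the header. The comment should also state that the string is compared with strcmp() against the helper name passed to nf_ct_helper_expectfn_find_by_name(), so it has to match that name exactly.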
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -518,11 +518,13 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
 }
 static struct nf_ct_helper_expectfn q931_nat = {
+ .helper = "RAS",
 .name = "Q.931",
 .expectfn = ip_nat_q931_expect,
 };
 static struct nf_ct_helper_expectfn callforwarding_nat = {
+ .helper = "Q.931",
 .name = "callforwarding",
 .expectfn = ip_nat_callforwarding_expect,
 };
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index a715304a53d8..5e6d2687a558 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -285,13 +285,14 @@ EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_unregister);
 /* Caller should hold the rcu lock */
 struct nf_ct_helper_expectfn *
-nf_ct_helper_expectfn_find_by_name(const char *name)
+nf_ct_helper_expectfn_find_by_name(const char *helper, const char *name)
 {
 struct nf_ct_helper_expectfn *cur;
 bool found = false;
 list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) {
- if (!strcmp(cur->name, name)) {
+ if ((cur->helper && !strcmp(cur->helper, helper)) ||
+ !strcmp(cur->name, name)) {
 found = true;
 break;
 }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index eda5fe4a75c8..7744f67a0fbe 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3552,7 +3552,7 @@ ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
 const char *name = nla_data(cda[CTA_EXPECT_FN]);
 struct nf_ct_helper_expectfn *expfn;
- expfn = nf_ct_helper_expectfn_find_by_name(name);
+ expfn = nf_ct_helper_expectfn_find_by_name(helper->name, name);
 if (expfn == NULL) {
 err = -EINVAL;
 goto err_out;
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index cf4aeb299bde..047733012963 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
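Review bot: In q931_nat and callforwarding_nat the `.helper` literals (`"RAS"` and `"Q.931"`) have to equal names that the H.323 conntrack helpers register outside this hunk, and nothing here documents that pairing. Because `.helper` differs from `.name` in both entries, a one-line comment on each, for example `/* presumably: expectation is set up by the RAS helper */`, would make the intent readable. The same applies to `.helper = "sip"` in the nf_nat_sip.c hunk. A mismatch is not caught at build time, so both strings are worth confirming against the helper definitions.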
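Review bot: The new condition in the list walk joins the helper test and the name test with `||`, so the lookup is not restricted: an entry still matches on `name` alone whatever its `helper` is, and an entry whose `helper` equals the argument now matches whatever `name` was requested. The nf_conntrack_netlink.c hunk shows `name` coming from the CTA_EXPECT_FN attribute, so a request can still select an expectfn belonging to another helper, or be handed the first entry registered for its own helper instead of the one it named. To get what the description states (a NULL `helper` is usable by anyone, otherwise both strings must match), the test would be `if ((!cur->helper || !strcmp(cur->helper, helper)) &&` followed by `!strcmp(cur->name, name)) {`. The function body continues past the end of the hunk.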
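Review bot: `helper->name` is dereferenced unconditionally in the changed call, and the hunk does not show whether `helper` can be NULL when CTA_EXPECT_FN is present; ctnetlink_alloc_expect() starts and ends outside the hunk. If it can be NULL, this is a NULL pointer dereference reachable from a netlink request, and the lookup also passes its `helper` argument straight to strcmp(). One option is to pass `helper ? helper->name : NULL` here and have nf_ct_helper_expectfn_find_by_name() treat a NULL argument as matching only entries whose `helper` is NULL.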
@@ -641,6 +641,7 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff,
 }
 static struct nf_ct_helper_expectfn sip_nat = {
+ .helper = "sip",
 .name = "sip",
 .expectfn = nf_nat_sip_expected,
 };
--
2.52.0