From patchwork Fri Apr 6 14:57:33 2012
X-Patchwork-Submitter: Jozsef Kadlecsik
X-Patchwork-Id: 151189
From: Jozsef Kadlecsik
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik
Subject: [PATCH 2/2] net: netfilter: handle invalid packets consistently in conntrack
Date: Fri, 6 Apr 2012 16:57:33 +0200
Message-Id: <1333724253-32261-3-git-send-email-kadlec@blackhole.kfki.hu>
In-Reply-To: <1333724253-32261-1-git-send-email-kadlec@blackhole.kfki.hu>
References: <1333724253-32261-1-git-send-email-kadlec@blackhole.kfki.hu>

IPv6 conntrack marked invalid packets as INVALID and let the user drop those by an explicit rule, while IPv4 conntrack dropped such packets itself. IPv4 conntrack is changed so that it marks INVALID packets and lets the user drop them. Invalid packet logging support is added to catch why the packet is marked as INVALID.

Signed-off-by: Jozsef Kadlecsik
---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 26 ++++++++++++++++-------
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  8 +++++-
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index af7cdc7..97ad520 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -74,23 +74,33 @@ static int ipv4_get_l4proto(const struct net *net, struct iphdr _iph; iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); - if (iph == NULL) - return -NF_DROP; + if (iph == NULL) { + if (LOG_INVALID(net, IPPROTO_RAW)) + nf_log_packet(NFPROTO_IPV4, 0, skb, NULL, NULL, NULL, + "nf_conntrack_ipv4: can't get IP header\n"); + return -NF_ACCEPT; + } /* Conntrack defragments packets, we might still see fragments * inside ICMP packets though. */ - if (iph->frag_off & htons(IP_OFFSET)) - return -NF_DROP; + if (iph->frag_off & htons(IP_OFFSET)) { + if (LOG_INVALID(net, IPPROTO_RAW)) + nf_log_packet(NFPROTO_IPV4, 0, skb, NULL, NULL, NULL, + "nf_conntrack_ipv4: can't handle fragment\n"); + return -NF_ACCEPT; + } *dataoff = nhoff + (iph->ihl << 2); *protonum = iph->protocol; /* Check bogus IP headers */ if (*dataoff > skb->len) { - pr_debug("nf_conntrack_ipv4: drop bogus IPv4 packet: " - "nhoff %u, ihl %u, skblen %u\n", - nhoff, iph->ihl << 2, skb->len); - return -NF_DROP; + if (LOG_INVALID(net, IPPROTO_RAW)) + nf_log_packet(NFPROTO_IPV4, 0, skb, NULL, NULL, NULL, + "nf_conntrack_ipv4: bogus IPv4 packet: " + "nhoff %u, ihl %u, skblen %u\n", + nhoff, iph->ihl << 2, skb->len); + return -NF_ACCEPT; } return NF_ACCEPT; diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index c65c060..c106fab 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c @@ -126,7 +126,9 @@ static int ipv6_get_l4proto(const struct net *net, if (skb_copy_bits(skb, nhoff + offsetof(struct ipv6hdr, nexthdr), &pnum, sizeof(pnum)) != 0) { - pr_debug("ip6_conntrack_core: can't get nexthdr\n"); + if (LOG_INVALID(net, IPPROTO_RAW)) + nf_log_packet(NFPROTO_IPV6, 0, skb, NULL, NULL, NULL, + "nf_conntrack_ipv6: can't get nexthdr\n"); return -NF_ACCEPT; } protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum, skb->len - extoff); 
@@ -135,7 +137,9 @@ static int ipv6_get_l4proto(const struct net *net, * except of IPv6 & ext headers. but it's tracked anyway. - YK */ if ((protoff < 0) || (protoff > skb->len)) { - pr_debug("ip6_conntrack_core: can't find proto in pkt\n"); + if (LOG_INVALID(net, IPPROTO_RAW)) + nf_log_packet(NFPROTO_IPV6, 0, skb, NULL, NULL, NULL, + "nf_conntrack_ipv6: can't find proto in pkt\n"); return -NF_ACCEPT; }
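Review bot: in the ipv4_get_l4proto hunk all three early exits move from -NF_DROP to -NF_ACCEPT, so a truncated IP header, a fragment carried inside ICMP and an ihl that points past skb->len are now handed up the stack with ctstate INVALID instead of being dropped inside conntrack. That is the stated goal, but it silently weakens any existing IPv4 ruleset that has no `-m conntrack --ctstate INVALID -j DROP` rule; please say so explicitly in the commit message and update the INVALID-state documentation alongside. Separately, LOG_INVALID() is used in both files but neither a definition nor a new include appears in this diff; if patch 1/2 exports it from a shared header, a one-line mention of that dependency in the changelog would help.

Review bot: the nf_log_packet format strings in the first ipv6_get_l4proto hunk (and in the other four call sites) end in "\n", but nf_log_packet hands the formatted prefix to the registered log backend, which prints the packet summary (IN=, OUT=, SRC=, DST=, ...) directly after it on the same record; the trailing newline splits each entry over two lines and breaks line-oriented log parsing. A trailing space instead of "\n" keeps the entry on one line. Also note that nf_log_packet does nothing unless a logger (the LOG target or nfnetlink_log) is registered for that protocol family, so enabling the log_invalid sysctl alone produces no output; worth a sentence in the commit message, since the stated purpose is to catch why a packet was tagged INVALID.

Review bot: style, second ipv6_get_l4proto hunk: the same `if (LOG_INVALID(net, IPPROTO_RAW)) nf_log_packet(NFPROTO_IPV6, 0, skb, NULL, NULL, NULL, ...)` block now appears five times across the two files with only the family and the message differing; a small static helper taking net, pf, skb and the message (or a macro next to LOG_INVALID) would keep each call site to one line and make a later change to the hooknum/loginfo arguments a single edit. This hunk also renames the prefix from "ip6_conntrack_core" to "nf_conntrack_ipv6", which is fine for consistency with the IPv4 side, but anyone grepping logs for the old pr_debug prefix should be told in the changelog.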
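With this patch conntrack only tags such packets, so the new log lines are the only record of why a packet became INVALID. As an added example (not part of the patch or the kernel tree), a small Python parser for the nf_conntrack_ipv4/ipv6 prefixes over constructed syslog lines; it assumes a netfilter log backend that appends the usual IN=/OUT=/SRC= summary after the prefix on the same line.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real captures). The prefixes are the ones the
# patch emits via nf_log_packet(); the "IN=... SRC=... DST=..." summary is the usual
# netfilter log backend output, assumed here to follow the prefix on the same line.
SAMPLE_LOG = """\
Apr  6 16:57:40 fw kernel: nf_conntrack_ipv4: bogus IPv4 packet: nhoff 0, ihl 60, skblen 40 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP
Apr  6 16:57:41 fw kernel: nf_conntrack_ipv4: bogus IPv4 packet: nhoff 0, ihl 60, skblen 40 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP
Apr  6 16:57:42 fw kernel: nf_conntrack_ipv4: can't handle fragment IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 LEN=60 PROTO=ICMP
Apr  6 16:57:43 fw kernel: nf_conntrack_ipv6: can't find proto in pkt IN=eth0 OUT= SRC=2001:db8::5 DST=2001:db8::1 LEN=80
Apr  6 16:57:44 fw kernel: nf_conntrack_ipv4: bogus IPv4 packet: nhoff 0, ihl 60, skblen 40 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=UDP
Apr  6 16:57:45 fw kernel: nf_ct_tcp: invalid packet ignored IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.1 LEN=52 PROTO=TCP
"""

# Only the l3 prefixes introduced by the patch; the l4 "nf_ct_tcp:" entries are left
# to the existing per-protocol tooling. The reason is everything up to the summary.
L3_INVALID = re.compile(
    r"(?P<family>nf_conntrack_ipv[46]): (?P<reason>.*?) IN=.*?\bSRC=(?P<src>\S+)"
)


def parse_invalid_events(log_text):
    """Return (family, reason, src) for every l3 INVALID entry in the log text."""
    events = []
    for line in log_text.splitlines():
        m = L3_INVALID.search(line)
        if m:
            events.append((m["family"], m["reason"], m["src"]))
    return events


def sources_over_threshold(log_text, threshold):
    """Sources with more than `threshold` l3 INVALID packets. Since conntrack now
    only tags such packets, this log is the only sign that a peer keeps sending
    malformed IP headers; a per-source count is the cheapest alert on top of it."""
    counts = Counter(src for _, _, src in parse_invalid_events(log_text))
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for family, reason, src in parse_invalid_events(SAMPLE_LOG):
        print(f"{family:18} {src:14} {reason}")
    print("noisy sources:", sources_over_threshold(SAMPLE_LOG, 2))
```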