[netfilter-cvslog] [conntrack-tools] add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffers
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Tue May 20 16:05:51 CEST 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=da8717a4bfa8884a411ae2445b9f1654b0550a64
commit da8717a4bfa8884a411ae2445b9f1654b0550a64
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue May 20 15:52:06 2008 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue May 20 15:52:06 2008 +0200
add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffers
commit db91cafe5b72f9f591dd8c168427005503186c01
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun May 18 21:16:05 2008 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun May 18 21:16:05 2008 +0200
improve network message sanity checkings
via da8717a4bfa8884a411ae2445b9f1654b0550a64 (commit)
via db91cafe5b72f9f591dd8c168427005503186c01 (commit)
from be2450f37f2ce56eadc78793efc4a54ced4315c6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit da8717a4bfa8884a411ae2445b9f1654b0550a64
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue May 20 15:52:06 2008 +0200
add Mcast[Snd|Rcv]SocketBuffer clauses to tune multicast socket buffers
commit db91cafe5b72f9f591dd8c168427005503186c01
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Sun May 18 21:16:05 2008 +0200
improve network message sanity checkings
-----------------------------------------------------------------------
ChangeLog | 2 +
doc/sync/alarm/node1/conntrackd.conf | 22 ++++++++++++++++
doc/sync/alarm/node2/conntrackd.conf | 22 ++++++++++++++++
doc/sync/ftfw/node1/conntrackd.conf | 22 ++++++++++++++++
doc/sync/ftfw/node2/conntrackd.conf | 22 ++++++++++++++++
include/mcast.h | 2 +
include/network.h | 3 +-
include/sync.h | 1 +
src/mcast.c | 31 ++++++++++++++++++++++
src/network.c | 24 -----------------
src/parse.c | 30 +++++++++++++++++++--
src/read_config_lex.l | 2 +
src/read_config_yy.y | 12 ++++++++-
src/sync-mode.c | 47 ++++++++++++++++++++++++++--------
14 files changed, 201 insertions(+), 41 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d67ad30..4458830 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,7 @@ o minor fix of the manpage (Max Wilhelm)
o remove (misleading) counters and use information from the statistics mode
o use generic nfct_copy() from libnetfilter_conntrack to update objects
o use generic nfct_cmp() to compare objects
+o improve network message sanity checkings
version 0.9.6 (2008/03/08)
------------------------------
diff --git a/include/network.h b/include/network.h
index 0fa7b71..baa1eba 100644
--- a/include/network.h
+++ b/include/network.h
@@ -54,7 +54,6 @@ struct mcast_sock;
void build_netmsg(struct nf_conntrack *ct, int query, struct nethdr *net);
size_t prepare_send_netmsg(struct mcast_sock *m, void *data);
int mcast_send_netmsg(struct mcast_sock *m, void *data);
-int handle_netmsg(struct nethdr *net);
enum {
SEQ_UNKNOWN,
@@ -175,6 +174,6 @@ struct netattr {
void build_netpld(struct nf_conntrack *ct, struct netpld *pld, int query);
-void parse_netpld(struct nf_conntrack *ct, struct netpld *pld, int *query);
+int parse_netpld(struct nf_conntrack *ct, struct nethdr *net, int *query, size_t remain);
#endif
diff --git a/include/sync.h b/include/sync.h
index 39e0f46..fc06c93 100644
--- a/include/sync.h
+++ b/include/sync.h
@@ -20,5 +20,6 @@ struct sync_mode {
extern struct sync_mode sync_alarm;
extern struct sync_mode sync_ftfw;
+extern struct sync_mode sync_notrack;
#endif
diff --git a/src/network.c b/src/network.c
index d7ab415..fb6ea90 100644
--- a/src/network.c
+++ b/src/network.c
@@ -171,30 +171,6 @@ void build_netmsg(struct nf_conntrack *ct, int query, struct nethdr *net)
build_netpld(ct, pld, query);
}
-int handle_netmsg(struct nethdr *net)
-{
- struct netpld *pld = NETHDR_DATA(net);
-
- /* message too small: no room for the header */
- if (ntohs(net->len) < NETHDR_ACK_SIZ)
- return -1;
-
- HDR_NETWORK2HOST(net);
-
- if (IS_CTL(net))
- return 0;
-
- /* information received is too small */
- if (net->len < sizeof(struct netpld))
- return -1;
-
- /* size mismatch! */
- if (net->len < ntohs(pld->len) + NETHDR_SIZ)
- return -1;
-
- return 0;
-}
-
static int local_seq_set = 0;
/* this function only tracks, it does not update the last sequence received */
diff --git a/src/parse.c b/src/parse.c
index 8ef2e8d..645420d 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -20,6 +20,10 @@
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#ifndef ssizeof
+#define ssizeof(x) (int)sizeof(x)
+#endif
+
static void parse_u8(struct nf_conntrack *ct, int attr, void *data)
{
uint8_t *value = (uint8_t *) data;
@@ -77,20 +81,40 @@ static parse h[ATTR_MAX] = {
[ATTR_REPL_NAT_SEQ_OFFSET_AFTER] = parse_u32,
};
-void parse_netpld(struct nf_conntrack *ct, struct netpld *pld, int *query)
+int
+parse_netpld(struct nf_conntrack *ct,
+ struct nethdr *net,
+ int *query,
+ size_t remain)
{
int len;
struct netattr *attr;
+ struct netpld *pld;
+
+ if (remain < NETHDR_SIZ + sizeof(struct netpld))
+ return -1;
+
+ pld = NETHDR_DATA(net);
+
+ if (remain < NETHDR_SIZ + sizeof(struct netpld) + ntohs(pld->len))
+ return -1;
+
+ if (net->len < NETHDR_SIZ + sizeof(struct netpld) + ntohs(pld->len))
+ return -1;
PLD_NETWORK2HOST(pld);
len = pld->len;
attr = PLD_DATA(pld);
- while (len > 0) {
+ while (len > ssizeof(struct netattr)) {
ATTR_NETWORK2HOST(attr);
- h[attr->nta_attr](ct, attr->nta_attr, NTA_DATA(attr));
+ if (attr->nta_len > len)
+ return -1;
+ if (h[attr->nta_attr])
+ h[attr->nta_attr](ct, attr->nta_attr, NTA_DATA(attr));
attr = NTA_NEXT(attr, len);
}
*query = pld->query;
+ return 0;
}
diff --git a/src/sync-mode.c b/src/sync-mode.c
index a952a5b..7d73e2f 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -34,10 +34,9 @@
#include <string.h>
#include <stdlib.h>
-static void do_mcast_handler_step(struct nethdr *net)
+static void do_mcast_handler_step(struct nethdr *net, size_t remain)
{
int query;
- struct netpld *pld = NETHDR_DATA(net);
char __ct[nfct_maxsize()];
struct nf_conntrack *ct = (struct nf_conntrack *)(void*) __ct;
struct us_conntrack *u;
@@ -57,8 +56,11 @@ static void do_mcast_handler_step(struct nethdr *net)
memset(ct, 0, sizeof(__ct));
- /* XXX: check for malformed */
- parse_netpld(ct, pld, &query);
+ if (parse_netpld(ct, net, &query, remain) == -1) {
+ STATE(malformed)++;
+ dlog(LOG_ERR, "parsing failed: malformed message");
+ return;
+ }
switch(query) {
case NFCT_Q_CREATE:
@@ -91,6 +93,7 @@ retry:
debug_ct(ct, "can't destroy");
break;
default:
+ STATE(malformed)++;
dlog(LOG_ERR, "mcast unknown query %d\n", query);
break;
}
@@ -113,24 +116,40 @@ static void mcast_handler(void)
if (remain < NETHDR_SIZ) {
STATE(malformed)++;
+ dlog(LOG_WARNING, "no room for header");
break;
}
if (ntohs(net->len) > remain) {
- dlog(LOG_ERR, "fragmented messages");
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "fragmented message");
break;
}
+ if (IS_CTL(net)) {
+ if (remain < NETHDR_ACK_SIZ) {
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "no room for ctl message");
+ }
+
+ if (ntohs(net->len) < NETHDR_ACK_SIZ) {
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "ctl header too small");
+ }
+ } else {
+ if (ntohs(net->len) < NETHDR_SIZ) {
+ STATE(malformed)++;
+ dlog(LOG_WARNING, "header too small");
+ }
+ }
+
debug("recv sq: %u fl:%u len:%u (rem:%d)\n",
ntohl(net->seq), ntohs(net->flags),
ntohs(net->len), remain);
- /* sanity check and convert nethdr to host byte order */
- if (handle_netmsg(net) == -1) {
- STATE(malformed)++;
- return;
- }
- do_mcast_handler_step(net);
+ HDR_NETWORK2HOST(net);
+
+ do_mcast_handler_step(net, remain);
ptr += net->len;
remain -= net->len;
}
More information about the netfilter-cvslog
mailing list