On Wed, 2 Feb 2011, Patrick McHardy wrote:
> On 01.02.2011 22:28, Jozsef Kadlecsik wrote:
> > On Tue, 1 Feb 2011, Jozsef Kadlecsik wrote:
> >
> >>>> I guess you're relying on that the original message is appended to a
> >>>> nlmsgerr message. That doesn't seem right though, if you want to return
> >>>> something to userspace, you should construct a new message.
> >>>
> >>> The message we are processing here carried multiple commands (each having
> >>> an attribute with the line number of the given command) and one failed
> >>> from some reason. We have to notify the userspace which command, at what
> >>> line failed. For this reason the multi-command messages have got an
> >>> attribute, which can be filled out with the line number - that happens
> >>> here. The attribute is already there, the message is not enlarged, just
> >>> the empty value is overwritten with the proper value.
> >>>
> >>> The line number reporting works this way, tested in the testsuite too.
> >>>
> >>> If I had to construct a completely new message and sent it, that'd be more
> >>> or less the duplication of netlink_ack. Additionally I had to suppress
> >>> netlink from sending an errmsg/ack too.
> >>
> >> Hm, if I lie -EINTR to netlink, then I can construct and send the error
> >> message manually and keep NLM_F_ACK at the same time. What do you think?
> >> Please have a look at the attached patch.
> >
> > Oops, mistypeing fixed, here follow the hopefully good version.
>
> This looks fine to me. A comment about why it returns -EINTR would
> probably be a good idea though.
Attached is the patch with a comment line added why -EINTR is returned.
Please apply.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
From 080fb7363513df1308b13ecc658bbc5e5ca5df37 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Date: Wed, 2 Feb 2011 20:29:44 +0100
Subject: [PATCH] netfilter: ipset: send error message manually
When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.
Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx
---
net/netfilter/ipset/ip_set_core.c | 33 ++++++++++++++++++++++++++-------
1 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index ae0f8b5..8b1a54c 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1098,7 +1098,7 @@ static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
};
static int
-call_ad(struct sk_buff *skb, struct ip_set *set,
+call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
struct nlattr *tb[], enum ipset_adt adt,
u32 flags, bool use_lineno)
{
@@ -1118,12 +1118,25 @@ call_ad(struct sk_buff *skb, struct ip_set *set,
return 0;
if (lineno && use_lineno) {
/* Error in restore/batch mode: send back lineno */
- struct nlmsghdr *nlh = nlmsg_hdr(skb);
+ struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
+ struct sk_buff *skb2;
+ struct nlmsgerr *errmsg;
+ size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
- struct nlattr *cmdattr = (void *)nlh + min_len;
+ struct nlattr *cmdattr;
u32 *errline;
+ skb2 = nlmsg_new(payload, GFP_KERNEL);
+ if (skb2 == NULL)
+ return -ENOMEM;
+ rep = __nlmsg_put(skb2, NETLINK_CB(skb).pid,
+ nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
+ errmsg = nlmsg_data(rep);
+ errmsg->error = ret;
+ memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
+ cmdattr = (void *)&errmsg->msg + min_len;
+
nla_parse(cda, IPSET_ATTR_CMD_MAX,
cmdattr, nlh->nlmsg_len - min_len,
ip_set_adt_policy);
@@ -1131,6 +1144,10 @@ call_ad(struct sk_buff *skb, struct ip_set *set,
errline = nla_data(cda[IPSET_ATTR_LINENO]);
*errline = lineno;
+
+ netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
+ /* Signal netlink not to send its ACK/errmsg. */
+ return -EINTR;
}
return ret;
@@ -1169,7 +1186,8 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
attr[IPSET_ATTR_DATA],
set->type->adt_policy))
return -IPSET_ERR_PROTOCOL;
- ret = call_ad(skb, set, tb, IPSET_ADD, flags, use_lineno);
+ ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
+ use_lineno);
} else {
int nla_rem;
@@ -1180,7 +1198,7 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
set->type->adt_policy))
return -IPSET_ERR_PROTOCOL;
- ret = call_ad(skb, set, tb, IPSET_ADD,
+ ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
flags, use_lineno);
if (ret < 0)
return ret;
@@ -1222,7 +1240,8 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
attr[IPSET_ATTR_DATA],
set->type->adt_policy))
return -IPSET_ERR_PROTOCOL;
- ret = call_ad(skb, set, tb, IPSET_DEL, flags, use_lineno);
+ ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
+ use_lineno);
} else {
int nla_rem;
@@ -1233,7 +1252,7 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
set->type->adt_policy))
return -IPSET_ERR_PROTOCOL;
- ret = call_ad(skb, set, tb, IPSET_DEL,
+ ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
flags, use_lineno);
if (ret < 0)
return ret;
--
1.7.0.4