On Mon, 25 May 2020 23:54:19 +0200 Pablo Neira Ayuso wrote:
> +/* This packet is coming from userspace via nf_queue, complete the packet
> + * processing after the helper invocation in nf_confirm().
> + */
> +static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
> + enum ip_conntrack_info ctinfo)
> +{
> + const struct nf_conntrack_helper *helper;
> + const struct nf_conn_help *help;
> + unsigned int protoff;
> +
> + help = nfct_help(ct);
> + if (!help)
> + return 0;
> +
> + helper = rcu_dereference(help->helper);
> + if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
> + return 0;
> +
> + switch (nf_ct_l3num(ct)) {
> + case NFPROTO_IPV4:
> + protoff = skb_network_offset(skb) + ip_hdrlen(skb);
> + break;
> +#if IS_ENABLED(CONFIG_IPV6)
> + case NFPROTO_IPV6: {
> + __be16 frag_off;
> + u8 pnum;
> +
> + pnum = ipv6_hdr(skb)->nexthdr;
> + protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &pnum,
> + &frag_off);
> + if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
> + return 0;
> + break;
> + }
net/netfilter/nf_conntrack_core.c: In function nf_confirm_cthelper: net/netfilter/nf_conntrack_core.c:2117:15: warning: comparison of unsigned expression in < 0 is always false [-Wtype-limits] 2117 | if (protoff < 0 || (frag_off & htons(~0x7)) != 0) | ^