netlink: fix EILSEQ error messages due to process race condition

This patch fixes a race condition that triggers EILSEQ errors
(wrong sequence message). The problems is triggered when the child
process resets the timers at the same time that the parent process
requests a resync. Since both the child and the parent process use
the same descriptors, the sequence tracking code in libnfnetlink
gets confused as it considers that it is receiving out of sequence
netlink messages.

This patch introduces internal handlers to commit and reset timers
so that the parent and the child do not use the same descriptors
to operate with the kernel.

This patch changes the prototype of all nf_*_conntrack() functions.
Now, the nfct handler is passed as first parameter, this change is
required to fix this problem. The rest of the changes on the API
is done for consistency.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 16 insertions, 16 deletions

diff --git a/src/netlink.c b/src/netlink.c
index 9d155aa..29281f4 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -143,20 +143,20 @@ void nl_resize_socket_buffer(struct nfct_handle *h)
 			 CONFIG(netlink_buffer_size));
 }
 
-int nl_dump_conntrack_table(void)
+int nl_dump_conntrack_table(struct nfct_handle *h)
 {
-	return nfct_query(STATE(dump), NFCT_Q_DUMP, &CONFIG(family));
+	return nfct_query(h, NFCT_Q_DUMP, &CONFIG(family));
 }
 
-int nl_flush_conntrack_table(void)
+int nl_flush_conntrack_table(struct nfct_handle *h)
 {
-	return nfct_query(STATE(request), NFCT_Q_FLUSH, &CONFIG(family));
+	return nfct_query(h, NFCT_Q_FLUSH, &CONFIG(family));
 }
 
-int nl_overrun_request_resync(void)
+int nl_overrun_request_resync(struct nfct_handle *h)
 {
 	int family = CONFIG(family);
-	return nfct_send(STATE(overrun), NFCT_Q_DUMP, &family);
+	return nfct_send(h, NFCT_Q_DUMP, &family);
 }
 
 static int
@@ -178,18 +178,18 @@ __nl_get_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct)
 	return 1;
 }
 
-int nl_exist_conntrack(const struct nf_conntrack *ct)
+int nl_exist_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct)
 {
-	return __nl_get_conntrack(STATE(request), ct);
+	return __nl_get_conntrack(h, ct);
 }
 
 /* get the conntrack and update the cache */
-int nl_get_conntrack(const struct nf_conntrack *ct)
+int nl_get_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct)
 {
-	return __nl_get_conntrack(STATE(dump), ct);
+	return __nl_get_conntrack(h, ct);
 }
 
-int nl_create_conntrack(const struct nf_conntrack *orig)
+int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig)
 {
 	int ret;
 	uint8_t flags;
@@ -217,13 +217,13 @@ int nl_create_conntrack(const struct nf_conntrack *orig)
 	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
 	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
 
-	ret = nfct_query(STATE(dump), NFCT_Q_CREATE, ct);
+	ret = nfct_query(h, NFCT_Q_CREATE, ct);
 	nfct_destroy(ct);
 
 	return ret;
 }
 
-int nl_update_conntrack(const struct nf_conntrack *orig)
+int nl_update_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig)
 {
 	int ret;
 	uint8_t flags;
@@ -271,13 +271,13 @@ int nl_update_conntrack(const struct nf_conntrack *orig)
 	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
 	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
 
-	ret = nfct_query(STATE(dump), NFCT_Q_UPDATE, ct);
+	ret = nfct_query(h, NFCT_Q_UPDATE, ct);
 	nfct_destroy(ct);
 
 	return ret;
 }
 
-int nl_destroy_conntrack(const struct nf_conntrack *ct)
+int nl_destroy_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct)
 {
-	return nfct_query(STATE(dump), NFCT_Q_DESTROY, ct);
+	return nfct_query(h, NFCT_Q_DESTROY, ct);
 }