From 8c38d35c3d90d493fdead6d4ead0517ec09fee96 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 7 Aug 2013 19:41:30 +0200
Subject: conntrackd: cthelper: allow to attach expectations via nfqueue

This requires the Linux kernel 3.12.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter/nfnetlink_queue.h | 13 +++++++++++++
 include/myct.h                            |  1 +
 src/cthelper.c                            | 11 +++++++++++
 3 files changed, 25 insertions(+)

diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index e0d8fd8..0132bad 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -44,6 +44,9 @@ enum nfqnl_attr_type {
 	NFQA_PAYLOAD,			/* opaque data payload */
 	NFQA_CT,			/* nf_conntrack_netlink.h */
 	NFQA_CT_INFO,			/* enum ip_conntrack_info */
+	NFQA_CAP_LEN,			/* __u32 length of captured packet */
+	NFQA_SKB_INFO,			/* __u32 skb meta information */
+	NFQA_EXP,			/* nf_conntrack_netlink.h */
 
 	__NFQA_MAX
 };
@@ -95,5 +98,15 @@ enum nfqnl_attr_config {
 /* Flags for NFQA_CFG_FLAGS */
 #define NFQA_CFG_F_FAIL_OPEN			(1 << 0)
 #define NFQA_CFG_F_CONNTRACK			(1 << 1)
+#define NFQA_CFG_F_GSO				(1 << 2)
+#define NFQA_CFG_F_MAX				(1 << 3)
+
+/* flags for NFQA_SKB_INFO */
+/* packet appears to have wrong checksums, but they are ok */
+#define NFQA_SKB_CSUMNOTREADY (1 << 0)
+/* packet is GSO (i.e., exceeds device mtu) */
+#define NFQA_SKB_GSO (1 << 1)
+/* csum not validated (incoming device doesn't support hw checksum, etc.) */
+#define NFQA_SKB_CSUM_NOTVERIFIED (1 << 2)
 
 #endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/myct.h b/include/myct.h
index 45d9f29..02d695c 100644
--- a/include/myct.h
+++ b/include/myct.h
@@ -37,6 +37,7 @@ struct myct_tuple {
 
 struct myct {
 	struct nf_conntrack *ct;
+	struct nf_expect *exp;
 	void *priv_data;
 };
 
diff --git a/src/cthelper.c b/src/cthelper.c
index 5a8a92a..fec40fb 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -182,6 +182,15 @@ pkt_verdict_issue(struct ctd_helper_instance *cur, struct myct *myct,
 	nfct_nlmsg_build(nlh, myct->ct);
 	mnl_attr_nest_end(nlh, nest);
 
+	if (myct->exp) {
+		nest = mnl_attr_nest_start(nlh, NFQA_EXP);
+		if (nest == NULL)
+			return -1;
+
+		nfexp_nlmsg_build(nlh, myct->exp);
+		mnl_attr_nest_end(nlh, nest);
+	}
+
 	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
 		dlog(LOG_ERR, "failed to send verdict: %s", strerror(errno));
 		return -1;
@@ -317,6 +326,8 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
 
 	if (ct != NULL)
 		nfct_destroy(ct);
+	if (myct->exp != NULL)
+		nfexp_destroy(myct->exp);
 	if (myct && myct->priv_data != NULL)
 		free(myct->priv_data);
 	if (myct != NULL)
-- 
cgit v1.2.3