authorPablo Neira Ayuso <pablo@netfilter.org>2010-10-07 17:43:50 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2010-10-07 17:43:50 +0200
commit92e66d4e07d20e73606e2110144199b81663dc35 (patch)
tree7e0ef1425480c079e9de53745830bd9d2cdf62e3
parentb24f4ac006dcc3f2c6a904af2f3eb02bd4d16ea2 (diff)
expect: add support for CTA_EXPECT_FLAGS
This patch allows setting the expectation flags from user-space. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/internal/object.h1
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack.h6
-rw-r--r--include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h1
-rw-r--r--src/expect/build.c9
-rw-r--r--src/expect/getter.c6
-rw-r--r--src/expect/parse.c5
-rw-r--r--src/expect/setter.c6
-rw-r--r--src/expect/snprintf_default.c21
8 files changed, 52 insertions, 3 deletions
diff --git a/include/internal/object.h b/include/internal/object.h
index a0c2b4e..4263ef0 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -258,6 +258,7 @@ struct nf_expect {
u_int32_t timeout;
u_int32_t id;
u_int16_t zone;
+ u_int32_t flags;
u_int32_t set[1];
};
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 710362c..029eebd 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -496,6 +496,7 @@ enum nf_expect_attr {
ATTR_EXP_MASK, /* pointer to conntrack object */
ATTR_EXP_TIMEOUT, /* u32 bits */
ATTR_EXP_ZONE, /* u16 bits */
+ ATTR_EXP_FLAGS, /* u32 bits */
ATTR_EXP_MAX
};
@@ -643,6 +644,11 @@ enum ip_conntrack_status {
IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
};
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT 0x1
+#define NF_CT_EXPECT_INACTIVE 0x2
+#define NF_CT_EXPECT_USERSPACE 0x4
+
/*
* TCP flags
*/
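Review bot: The new NF_CT_EXPECT_* defines say nothing about where their values come from, yet build.c in this same commit writes them verbatim into the CTA_EXPECT_FLAGS attribute, so they are part of the netlink wire format and cannot be renumbered freely. Replacing the bare `/* expectation flags */` with `/* expectation flags: sent as-is in CTA_EXPECT_FLAGS, values must match the kernel's NF_CT_EXPECT_* bits */` would make that contract explicit for the next maintainer. Whether these three values actually match the kernel's cannot be verified from this page.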
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index e17e0c5..1278dda 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
@@ -165,6 +165,7 @@ enum ctattr_expect {
CTA_EXPECT_ID,
CTA_EXPECT_HELP_NAME,
CTA_EXPECT_ZONE,
+ CTA_EXPECT_FLAGS,
__CTA_EXPECT_MAX
};
#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
diff --git a/src/expect/build.c b/src/expect/build.c
index e7f547f..c1a5a1d 100644
--- a/src/expect/build.c
+++ b/src/expect/build.c
@@ -20,6 +20,12 @@ static void __build_zone(struct nfnlhdr *req, size_t size,
nfnl_addattr16(&req->nlh, size, CTA_EXPECT_ZONE, htons(exp->zone));
}
+static void __build_flags(struct nfnlhdr *req,
+ size_t size, const struct nf_expect *exp)
+{
+ nfnl_addattr32(&req->nlh, size, CTA_EXPECT_FLAGS,htonl(exp->flags));
+}
+
int __build_expect(struct nfnl_subsys_handle *ssh,
struct nfnlhdr *req,
size_t size,
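Review bot: The new `__build_flags` body drops the space after the comma in `nfnl_addattr32(&req->nlh, size, CTA_EXPECT_FLAGS,htonl(exp->flags));`, unlike `__build_zone` directly above it; write it as `nfnl_addattr32(&req->nlh, size, CTA_EXPECT_FLAGS, htonl(exp->flags));`. The `__build_expect` definition whose signature this hunk opens continues outside it.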
@@ -63,7 +69,8 @@ int __build_expect(struct nfnl_subsys_handle *ssh,
if (test_bit(ATTR_EXP_TIMEOUT, exp->set))
__build_timeout(req, size, exp);
-
+ if (test_bit(ATTR_EXP_FLAGS, exp->set))
+ __build_flags(req, size, exp);
if (test_bit(ATTR_EXP_ZONE, exp->set))
__build_zone(req, size, exp);
diff --git a/src/expect/getter.c b/src/expect/getter.c
index d655c92..f2022d9 100644
--- a/src/expect/getter.c
+++ b/src/expect/getter.c
@@ -32,10 +32,16 @@ static const void *get_exp_attr_zone(const struct nf_expect *exp)
return &exp->zone;
}
+static const void *get_exp_attr_flags(const struct nf_expect *exp)
+{
+ return &exp->flags;
+}
+
get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
[ATTR_EXP_MASTER] = get_exp_attr_master,
[ATTR_EXP_EXPECTED] = get_exp_attr_expected,
[ATTR_EXP_MASK] = get_exp_attr_mask,
[ATTR_EXP_TIMEOUT] = get_exp_attr_timeout,
[ATTR_EXP_ZONE] = get_exp_attr_zone,
+ [ATTR_EXP_FLAGS] = get_exp_attr_flags,
};
diff --git a/src/expect/parse.c b/src/expect/parse.c
index f274497..d09abcf 100644
--- a/src/expect/parse.c
+++ b/src/expect/parse.c
@@ -60,4 +60,9 @@ void __parse_expect(const struct nlmsghdr *nlh,
ntohs(*(u_int16_t *)NFA_DATA(cda[CTA_EXPECT_ZONE-1]));
set_bit(ATTR_EXP_ZONE, exp->set);
}
+ if (cda[CTA_EXPECT_FLAGS-1]) {
+ exp->flags =
+ ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_FLAGS-1]));
+ set_bit(ATTR_EXP_FLAGS, exp->set);
+ }
}
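Review bot: The 32-bit read at `*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_FLAGS-1])` is not checked against the attribute's payload length, so an undersized CTA_EXPECT_FLAGS attribute would be read past its end. This follows the existing zone handling just above, and these messages normally originate from the kernel, so the exposure is limited; still, a guard such as `if (cda[CTA_EXPECT_FLAGS-1] && NFA_PAYLOAD(cda[CTA_EXPECT_FLAGS-1]) >= sizeof(u_int32_t)) {` is cheap and makes the assumption explicit. `__parse_expect` starts outside the hunk.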
diff --git a/src/expect/setter.c b/src/expect/setter.c
index dbdad0b..1270860 100644
--- a/src/expect/setter.c
+++ b/src/expect/setter.c
@@ -32,10 +32,16 @@ static void set_exp_attr_zone(struct nf_expect *exp, const void *value)
exp->zone = *((u_int16_t *) value);
}
+static void set_exp_attr_flags(struct nf_expect *exp, const void *value)
+{
+ exp->flags = *((u_int32_t *) value);
+}
+
set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
[ATTR_EXP_MASTER] = set_exp_attr_master,
[ATTR_EXP_EXPECTED] = set_exp_attr_expected,
[ATTR_EXP_MASK] = set_exp_attr_mask,
[ATTR_EXP_TIMEOUT] = set_exp_attr_timeout,
[ATTR_EXP_ZONE] = set_exp_attr_zone,
+ [ATTR_EXP_FLAGS] = set_exp_attr_flags,
};
diff --git a/src/expect/snprintf_default.c b/src/expect/snprintf_default.c
index e780bf1..7b088e7 100644
--- a/src/expect/snprintf_default.c
+++ b/src/expect/snprintf_default.c
@@ -23,6 +23,7 @@ int __snprintf_expect_default(char *buf,
unsigned int flags)
{
int ret = 0, size = 0, offset = 0;
+ char *delim = "";
switch(msg_type) {
case NFCT_T_NEW:
@@ -48,8 +49,24 @@ int __snprintf_expect_default(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
- /* Delete the last blank space */
- size--;
+ if (exp->flags & NF_CT_EXPECT_PERMANENT) {
+ ret = snprintf(buf+offset, len, "PERMANENT");
+ BUFFER_SIZE(ret, size, len, offset);
+ delim = ",";
+ }
+ if (exp->flags & NF_CT_EXPECT_INACTIVE) {
+ ret = snprintf(buf+offset, len, "%sINACTIVE", delim);
+ BUFFER_SIZE(ret, size, len, offset);
+ delim = ",";
+ }
+ if (exp->flags & NF_CT_EXPECT_USERSPACE) {
+ ret = snprintf(buf+offset, len, "%sUSERSPACE", delim);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
+ /* Delete the last blank space if needed */
+ if (len > 0 && buf[size-1] == ' ')
+ size--;
return size;
}
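Review bot: The new trailing-space check `if (len > 0 && buf[size-1] == ' ')` indexes the buffer with `size`, the accumulated return value, rather than `offset`, the position the snprintf calls actually write at; if BUFFER_SIZE lets `size` grow past the buffer on truncation (which the `len > 0` guard appears intended to rule out) the read depends on that guard rather than on the index itself, and if no earlier branch wrote anything `size-1` is -1. Indexing by the write position makes the bound explicit: `if (offset > 0 && buf[offset-1] == ' ')` followed by `size--;`. Separately, the three flag tests read `exp->flags` without `test_bit(ATTR_EXP_FLAGS, exp->set)`, unlike build.c in this same commit; that is harmless only if unset expectations are zero-initialised, which is not visible here. The function's parameter list starts outside the hunk.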