From 92e66d4e07d20e73606e2110144199b81663dc35 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 7 Oct 2010 17:43:50 +0200 Subject: expect: add support for CTA_EXPECT_FLAGS This patch allows to set the expectation flags from user-space. Signed-off-by: Pablo Neira Ayuso --- include/internal/object.h | 1 + .../libnetfilter_conntrack/libnetfilter_conntrack.h | 6 ++++++ .../linux_nfnetlink_conntrack.h | 1 + src/expect/build.c | 9 ++++++++- src/expect/getter.c | 6 ++++++ src/expect/parse.c | 5 +++++ src/expect/setter.c | 6 ++++++ src/expect/snprintf_default.c | 21 +++++++++++++++++++-- 8 files changed, 52 insertions(+), 3 deletions(-) diff --git a/include/internal/object.h b/include/internal/object.h index a0c2b4e..4263ef0 100644 --- a/include/internal/object.h +++ b/include/internal/object.h @@ -258,6 +258,7 @@ struct nf_expect { u_int32_t timeout; u_int32_t id; u_int16_t zone; + u_int32_t flags; u_int32_t set[1]; }; diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 710362c..029eebd 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h @@ -496,6 +496,7 @@ enum nf_expect_attr { ATTR_EXP_MASK, /* pointer to conntrack object */ ATTR_EXP_TIMEOUT, /* u32 bits */ ATTR_EXP_ZONE, /* u16 bits */ + ATTR_EXP_FLAGS, /* u32 bits */ ATTR_EXP_MAX }; @@ -643,6 +644,11 @@ enum ip_conntrack_status { IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), }; +/* expectation flags */ +#define NF_CT_EXPECT_PERMANENT 0x1 +#define NF_CT_EXPECT_INACTIVE 0x2 +#define NF_CT_EXPECT_USERSPACE 0x4 + /* * TCP flags */ diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h index e17e0c5..1278dda 100644 --- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h +++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h 
@@ -165,6 +165,7 @@ enum ctattr_expect { CTA_EXPECT_ID, CTA_EXPECT_HELP_NAME, CTA_EXPECT_ZONE, + CTA_EXPECT_FLAGS, __CTA_EXPECT_MAX }; #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1) diff --git a/src/expect/build.c b/src/expect/build.c index e7f547f..c1a5a1d 100644 --- a/src/expect/build.c +++ b/src/expect/build.c @@ -20,6 +20,12 @@ static void __build_zone(struct nfnlhdr *req, size_t size, nfnl_addattr16(&req->nlh, size, CTA_EXPECT_ZONE, htons(exp->zone)); } +static void __build_flags(struct nfnlhdr *req, + size_t size, const struct nf_expect *exp) +{ + nfnl_addattr32(&req->nlh, size, CTA_EXPECT_FLAGS,htonl(exp->flags)); +} + int __build_expect(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, @@ -63,7 +69,8 @@ int __build_expect(struct nfnl_subsys_handle *ssh, if (test_bit(ATTR_EXP_TIMEOUT, exp->set)) __build_timeout(req, size, exp); - + if (test_bit(ATTR_EXP_FLAGS, exp->set)) + __build_flags(req, size, exp); if (test_bit(ATTR_EXP_ZONE, exp->set)) __build_zone(req, size, exp); diff --git a/src/expect/getter.c b/src/expect/getter.c index d655c92..f2022d9 100644 --- a/src/expect/getter.c +++ b/src/expect/getter.c @@ -32,10 +32,16 @@ static const void *get_exp_attr_zone(const struct nf_expect *exp) return &exp->zone; } +static const void *get_exp_attr_flags(const struct nf_expect *exp) +{ + return &exp->flags; +} + get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = { [ATTR_EXP_MASTER] = get_exp_attr_master, [ATTR_EXP_EXPECTED] = get_exp_attr_expected, [ATTR_EXP_MASK] = get_exp_attr_mask, [ATTR_EXP_TIMEOUT] = get_exp_attr_timeout, [ATTR_EXP_ZONE] = get_exp_attr_zone, + [ATTR_EXP_FLAGS] = get_exp_attr_flags, }; diff --git a/src/expect/parse.c b/src/expect/parse.c index f274497..d09abcf 100644 --- a/src/expect/parse.c +++ b/src/expect/parse.c 
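Review bot: In src/expect/build.c, `__build_flags` discards the return value of `nfnl_addattr32`, so if the attribute does not fit within `size` the request would presumably be sent without CTA_EXPECT_FLAGS and the expectation created without the flags the caller set. This matches the neighbouring `__build_zone`, but a silently dropped flags attribute is worth surfacing, because it decides whether an expectation is inactive or permanent. Consider making the helper return the result and having `__build_expect` fail when it is negative. `__build_expect` starts and ends outside the hunks shown, so how it reports errors today is not visible here. There is also a missing space after the comma in `CTA_EXPECT_FLAGS,htonl(exp->flags)`.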
@@ -60,4 +60,9 @@ void __parse_expect(const struct nlmsghdr *nlh, ntohs(*(u_int16_t *)NFA_DATA(cda[CTA_EXPECT_ZONE-1])); set_bit(ATTR_EXP_ZONE, exp->set); } + if (cda[CTA_EXPECT_FLAGS-1]) { + exp->flags = + ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_FLAGS-1])); + set_bit(ATTR_EXP_FLAGS, exp->set); + } } diff --git a/src/expect/setter.c b/src/expect/setter.c index dbdad0b..1270860 100644 --- a/src/expect/setter.c +++ b/src/expect/setter.c @@ -32,10 +32,16 @@ static void set_exp_attr_zone(struct nf_expect *exp, const void *value) exp->zone = *((u_int16_t *) value); } +static void set_exp_attr_flags(struct nf_expect *exp, const void *value) +{ + exp->flags = *((u_int32_t *) value); +} + set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = { [ATTR_EXP_MASTER] = set_exp_attr_master, [ATTR_EXP_EXPECTED] = set_exp_attr_expected, [ATTR_EXP_MASK] = set_exp_attr_mask, [ATTR_EXP_TIMEOUT] = set_exp_attr_timeout, [ATTR_EXP_ZONE] = set_exp_attr_zone, + [ATTR_EXP_FLAGS] = set_exp_attr_flags, }; diff --git a/src/expect/snprintf_default.c b/src/expect/snprintf_default.c index e780bf1..7b088e7 100644 --- a/src/expect/snprintf_default.c +++ b/src/expect/snprintf_default.c @@ -23,6 +23,7 @@ int __snprintf_expect_default(char *buf, unsigned int flags) { int ret = 0, size = 0, offset = 0; + char *delim = ""; switch(msg_type) { case NFCT_T_NEW: 
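Review bot: In src/expect/parse.c the new branch dereferences `NFA_DATA(cda[CTA_EXPECT_FLAGS-1])` as a `u_int32_t` without checking that the attribute payload is at least four bytes long. Whether the attribute table was length-validated earlier is not visible, because `__parse_expect` begins outside the hunk; if it was not, a short attribute leads to a read past the attribute's data. A guard on the raw length avoids that: `if (cda[CTA_EXPECT_FLAGS-1] && cda[CTA_EXPECT_FLAGS-1]->nfa_len >= NFA_LENGTH(sizeof(u_int32_t))) {`. The CTA_EXPECT_ZONE branch just above follows the same unchecked pattern.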
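Review bot: In src/expect/setter.c, `set_exp_attr_flags` reads four bytes through `value` and stores every bit as given, and nothing in the code tells the caller either fact. A comment such as `/* value must point to a u_int32_t; bits outside NF_CT_EXPECT_* are stored unchanged */` would document the contract for callers. The cast also discards the `const` of the parameter; `exp->flags = *((const u_int32_t *) value);` keeps it.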
@@ -48,8 +49,24 @@ int __snprintf_expect_default(char *buf, BUFFER_SIZE(ret, size, len, offset); } - /* Delete the last blank space */ - size--; + if (exp->flags & NF_CT_EXPECT_PERMANENT) { + ret = snprintf(buf+offset, len, "PERMANENT"); + BUFFER_SIZE(ret, size, len, offset); + delim = ","; + } + if (exp->flags & NF_CT_EXPECT_INACTIVE) { + ret = snprintf(buf+offset, len, "%sINACTIVE", delim); + BUFFER_SIZE(ret, size, len, offset); + delim = ","; + } + if (exp->flags & NF_CT_EXPECT_USERSPACE) { + ret = snprintf(buf+offset, len, "%sUSERSPACE", delim); + BUFFER_SIZE(ret, size, len, offset); + } + + /* Delete the last blank space if needed */ + if (len > 0 && buf[size-1] == ' ') + size--; return size; } -- cgit v1.2.3
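Review bot: The new trailing-space check reads `buf[size-1]` guarded only by `len > 0`, which says there is room left in the buffer but not that `size` is at least 1 or still inside what was written. `BUFFER_SIZE` and the start of `__snprintf_expect_default` are outside the hunk, so whether `size` can be 0 here or can run ahead of the bytes actually written is not visible; adding the lower bound is cheap either way: `if (len > 0 && size > 0 && buf[size-1] == ' ')`. When `len` has reached 0 the function now returns a size that still counts the trailing blank, which differs from the old unconditional `size--`. `delim` from the previous hunk only ever points at string literals and could be declared `const char *delim = "";`.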