From c9983354fa65c835643f85567f57cc8e9992cd29 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 5 Feb 2012 01:30:22 +0100
Subject: expect: add NAT support
This patch adds ATTR_EXP_NAT_TUPLE and ATTR_EXP_NAT_DIR attributes.
Signed-off-by: Pablo Neira Ayuso
---
 include/internal/object.h | 2 ++
 .../libnetfilter_conntrack/libnetfilter_conntrack.h | 2 ++
 .../linux_nfnetlink_conntrack.h | 9 +++++++++
 src/expect/build.c | 11 +++++++++++
 src/expect/getter.c | 12 ++++++++++++
 src/expect/parse.c | 20 ++++++++++++++++++++
 src/expect/setter.c | 12 ++++++++++++
 7 files changed, 68 insertions(+)
diff --git a/include/internal/object.h b/include/internal/object.h
index 41203c7..2bba5f7 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -268,6 +268,7 @@ struct nf_expect {
 struct nfct_tuple_head master;
 struct nfct_tuple_head expected;
 struct nfct_tuple_head mask;
+ struct nfct_tuple_head nat;
 u_int32_t timeout;
 u_int32_t id;
@@ -275,6 +276,7 @@ struct nf_expect {
 u_int32_t flags;
 u_int32_t class;
 char helper_name[NFCT_HELPER_NAME_MAX];
+ u_int32_t nat_dir;
 u_int32_t set[1];
 };
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index cb12a2d..28656ec 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -511,6 +511,8 @@ enum nf_expect_attr {
 ATTR_EXP_FLAGS, /* u32 bits */
 ATTR_EXP_HELPER_NAME, /* string (16 bytes max) */
 ATTR_EXP_CLASS, /* u32 bits */
+ ATTR_EXP_NAT_TUPLE, /* pointer to conntrack object */
+ ATTR_EXP_NAT_DIR, /* u8 bits */
 ATTR_EXP_MAX
 };
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index 2278f56..3faf04f 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
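Review bot: The comment on the new `ATTR_EXP_NAT_DIR` entry says `/* u8 bits */`, but every other part of this patch treats the value as 32 bits: `nat_dir` is declared `u_int32_t` in include/internal/object.h, `set_exp_attr_nat_dir` in src/expect/setter.c dereferences `*((u_int32_t *) value)`, `get_exp_attr_nat_dir` returns the address of that u_int32_t, and build.c/parse.c convert it with htonl/ntohl. A caller that follows the comment and passes the address of a one-byte object would have the setter read three bytes beyond it, and a caller reading the getter result as u8 would get only the low byte on little-endian hosts. Since the nfnetlink attribute is emitted with nfnl_addattr32, the smaller fix is the comment: `ATTR_EXP_NAT_DIR, /* u32 bits */`; otherwise the setter and getter in setter.c/getter.c need to go through a u_int8_t.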
@@ -177,10 +177,19 @@ enum ctattr_expect {
 CTA_EXPECT_ZONE,
 CTA_EXPECT_FLAGS,
 CTA_EXPECT_CLASS,
+ CTA_EXPECT_NAT,
 __CTA_EXPECT_MAX
 };
 #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+enum ctattr_expect_nat {
+ CTA_EXPECT_NAT_UNSPEC,
+ CTA_EXPECT_NAT_DIR,
+ CTA_EXPECT_NAT_TUPLE,
+ __CTA_EXPECT_NAT_MAX
+};
+#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
+
 enum ctattr_help {
 CTA_HELP_UNSPEC,
 CTA_HELP_NAME,
diff --git a/src/expect/build.c b/src/expect/build.c
index ffc7b84..8cf2edd 100644
--- a/src/expect/build.c
+++ b/src/expect/build.c
@@ -74,6 +74,17 @@ int __build_expect(struct nfnl_subsys_handle *ssh,
 __build_tuple(req, size, &exp->mask.orig, CTA_EXPECT_MASK);
 }
+ if (test_bit(ATTR_EXP_NAT_TUPLE, exp->set) &&
+ test_bit(ATTR_EXP_NAT_DIR, exp->set)) {
+ struct nfattr *nest;
+
+ nest = nfnl_nest(&req->nlh, size, CTA_EXPECT_NAT);
+ __build_tuple(req, size, &exp->nat.orig, CTA_EXPECT_NAT_TUPLE);
+ nfnl_addattr32(&req->nlh, size, CTA_EXPECT_NAT_DIR,
+ htonl(exp->nat_dir));
+ nfnl_nest_end(&req->nlh, nest);
+ }
+
 if (test_bit(ATTR_EXP_TIMEOUT, exp->set))
 __build_timeout(req, size, exp);
 if (test_bit(ATTR_EXP_FLAGS, exp->set))
diff --git a/src/expect/getter.c b/src/expect/getter.c
index 06c3bca..937e793 100644
--- a/src/expect/getter.c
+++ b/src/expect/getter.c
@@ -49,6 +49,16 @@ static const void *get_exp_attr_helper_name(const struct nf_expect *exp)
 return exp->helper_name;
 }
+static const void *get_exp_attr_nat_dir(const struct nf_expect *exp)
+{
+ return &exp->nat_dir;
+}
+
+static const void *get_exp_attr_nat_tuple(const struct nf_expect *exp)
+{
+ return &exp->nat;
+}
+
 const get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
 [ATTR_EXP_MASTER] = get_exp_attr_master,
 [ATTR_EXP_EXPECTED] = get_exp_attr_expected,
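Review bot: In the build.c hunk the `CTA_EXPECT_NAT` nest is only emitted when both `ATTR_EXP_NAT_TUPLE` and `ATTR_EXP_NAT_DIR` are set; a caller that sets just one of them gets its attribute silently dropped from the request, with no error and no trace in the message. If the pairing is a requirement of the kernel side, that is worth stating above the `if`, e.g. `/* CTA_EXPECT_NAT carries tuple and direction together; emit the nest only when the caller set both */`, and the same constraint belongs in the public header next to the two enum entries. Otherwise the condition should probably be `||` with each inner call guarded by its own test_bit. `__build_expect` begins before this hunk and continues after it.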
@@ -58,4 +68,6 @@ const get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
 [ATTR_EXP_FLAGS] = get_exp_attr_flags,
 [ATTR_EXP_HELPER_NAME] = get_exp_attr_helper_name,
 [ATTR_EXP_CLASS] = get_exp_attr_class,
+ [ATTR_EXP_NAT_TUPLE] = get_exp_attr_nat_tuple,
+ [ATTR_EXP_NAT_DIR] = get_exp_attr_nat_dir,
 };
diff --git a/src/expect/parse.c b/src/expect/parse.c
index 8b6dd5f..5796072 100644
--- a/src/expect/parse.c
+++ b/src/expect/parse.c
@@ -89,4 +89,24 @@ void __parse_expect(const struct nlmsghdr *nlh,
 ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_CLASS-1]));
 set_bit(ATTR_EXP_CLASS, exp->set);
 }
+ if (cda[CTA_EXPECT_NAT-1]) {
+ struct nfattr *tb[CTA_EXPECT_NAT_MAX];
+
+ nfnl_parse_nested(tb, CTA_EXPECT_NAT_MAX,
+ cda[CTA_EXPECT_NAT-1]);
+
+ if (tb[CTA_EXPECT_NAT_TUPLE-1]) {
+ __parse_tuple(tb[CTA_EXPECT_NAT_TUPLE-1],
+ &exp->nat.orig,
+ __DIR_ORIG,
+ exp->nat.set);
+ set_bit(ATTR_EXP_NAT_TUPLE, exp->set);
+ }
+ if (tb[CTA_EXPECT_NAT_DIR-1]) {
+ exp->nat_dir =
+ ntohl(*((u_int32_t *)
+ NFA_DATA(tb[CTA_EXPECT_NAT_DIR-1])));
+ set_bit(ATTR_EXP_NAT_DIR, exp->set);
+ }
+ }
 }
diff --git a/src/expect/setter.c b/src/expect/setter.c
index b78f4f6..47843f8 100644
--- a/src/expect/setter.c
+++ b/src/expect/setter.c
@@ -50,6 +50,16 @@ static void set_exp_attr_helper_name(struct nf_expect *exp, const void *value)
 exp->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';
 }
+static void set_exp_attr_nat_dir(struct nf_expect *exp, const void *value)
+{
+ exp->nat_dir = *((u_int32_t *) value);
+}
+
+static void set_exp_attr_nat_tuple(struct nf_expect *exp, const void *value)
+{
+ exp->nat = *((struct nfct_tuple_head *) value);
+}
+
 const set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
 [ATTR_EXP_MASTER] = set_exp_attr_master,
 [ATTR_EXP_EXPECTED] = set_exp_attr_expected,
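Review bot: In the parse.c hunk the `CTA_EXPECT_NAT_DIR` branch reads four bytes at `NFA_DATA(tb[CTA_EXPECT_NAT_DIR-1])` without checking the nested attribute's payload length, so an attribute shorter than `sizeof(u_int32_t)` is read past its end. It mirrors the `CTA_EXPECT_CLASS` handling on the context line above, so it is consistent with the file, but this path decodes data received over the netlink socket and the guard is one condition: `if (tb[CTA_EXPECT_NAT_DIR-1] && NFA_PAYLOAD(tb[CTA_EXPECT_NAT_DIR-1]) >= (int)sizeof(u_int32_t)) {`. The `tb` array is handed to `nfnl_parse_nested` uninitialised; that is fine only if the helper zeroes it before filling it, which is how libnfnetlink's nfnl_parse_attr behaves, and a short comment saying so would spare the next reader the lookup. `__parse_expect` begins before this hunk.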
@@ -59,4 +69,6 @@ const set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
 [ATTR_EXP_FLAGS] = set_exp_attr_flags,
 [ATTR_EXP_HELPER_NAME] = set_exp_attr_helper_name,
 [ATTR_EXP_CLASS] = set_exp_attr_class,
+ [ATTR_EXP_NAT_TUPLE] = set_exp_attr_nat_tuple,
+ [ATTR_EXP_NAT_DIR] = set_exp_attr_nat_dir,
 };
--
cgit v1.2.3