From 6510a98f4139f112a0c76c71ff889ef93eac41fb Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 6 Nov 2012 17:06:39 +0100
Subject: api: add connlabel api and attribute

adds new labelmap api to create a name <-> bit mapping from a text file (default: /etc/xtables/connlabel.conf).

nfct_labelmap_new(filename) is used to create the map, nfct_labelmap_destroy() releases the resources allocated for the map.

Two functions are added to make map lookups: nfct_labelmap_get_name(map, bit) returns the name of a bit, nfct_labelmap_get_bit returns the bit associated with a name.

The connlabel attribute is represented by a nfct_bitmask object, the nfct_bitmask api can be used to test/set/get individual bits ("labels").

The exisiting nfct_attr_get/set interfaces can be used to read or replace the existing labels associated with a conntrack with a new set.

Signed-off-by: Florian Westphal
---
 include/internal/object.h | 4 ++++
 include/internal/prototypes.h | 9 +++++++++
 include/libnetfilter_conntrack/libnetfilter_conntrack.h | 9 +++++++++
 include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h | 1 +
 4 files changed, 23 insertions(+)
 (limited to 'include')

diff --git a/include/internal/object.h b/include/internal/object.h
index 609265d..bbb038a 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -189,6 +189,8 @@ struct nf_conntrack {
 void *helper_info;
 size_t helper_info_len;
+
+ struct nfct_bitmask *connlabels;
 };
 /*
@@ -305,4 +307,6 @@ struct nfct_bitmask {
 uint32_t bits[];
 };
+struct nfct_labelmap;
+
 #endif
diff --git a/include/internal/prototypes.h b/include/internal/prototypes.h
index eeeea24..484deea 100644
--- a/include/internal/prototypes.h
+++ b/include/internal/prototypes.h
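Review bot: The new `connlabels` member of struct nf_conntrack is a pointer to a separately allocated nfct_bitmask, and nothing on the field says who owns it; the conntrack object's existing destroy and clone/copy paths must free it and deep-copy it, otherwise a destroyed copy frees a bitmask still referenced by the original, or the bitmask leaks. This view is limited to include/, so the matching src/ changes may be part of the commit, but the ownership contract belongs on the field itself: `struct nfct_bitmask *connlabels; /* owned by the conntrack: freed on destroy, deep-copied on clone/copy */`. The same hunk's neighbour `helper_info` carries no such note either, which is presumably why it is easy to miss here.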
@@ -54,4 +54,13 @@ int __snprintf_expect(char *buf, unsigned int len, const struct nf_expect *exp,
 int __snprintf_expect_default(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int msg_type, unsigned int flags);
 int __snprintf_expect_xml(char *buf, unsigned int len, const struct nf_expect *exp, unsigned int msg_type, unsigned int flags);
+/*
+ * connlabel internal prototypes
+ */
+struct nfct_labelmap *__labelmap_new(const char *);
+void __labelmap_destroy(struct nfct_labelmap *);
+
+int __labelmap_get_bit(struct nfct_labelmap *map, const char *name);
+const char *__labelmap_get_name(struct nfct_labelmap *map, unsigned int bit);
+
 #endif
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 90290b8..c209184 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -133,6 +133,7 @@ enum nf_conntrack_attr {
 ATTR_TIMESTAMP_START, /* u64 bits, linux >= 2.6.38 */
 ATTR_TIMESTAMP_STOP = 64, /* u64 bits, linux >= 2.6.38 */
 ATTR_HELPER_INFO, /* variable length */
+ ATTR_CONNLABELS, /* variable length */
 ATTR_MAX
 };
@@ -285,6 +286,14 @@ int nfct_bitmask_test_bit(const struct nfct_bitmask *, unsigned int bit);
 void nfct_bitmask_unset_bit(struct nfct_bitmask *, unsigned int bit);
 void nfct_bitmask_destroy(struct nfct_bitmask *);
+/* connlabel name <-> bit translation mapping */
+struct nfct_labelmap;
+
+struct nfct_labelmap *nfct_labelmap_new(const char *mapfile);
+void nfct_labelmap_destroy(struct nfct_labelmap *map);
+const char *nfct_labelmap_get_name(struct nfct_labelmap *m, unsigned int bit);
+int nfct_labelmap_get_bit(struct nfct_labelmap *m, const char *name);
+
 /* setter */
 extern void nfct_set_attr(struct nf_conntrack *ct, const enum nf_conntrack_attr type,
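Review bot: `__labelmap_get_bit` and `__labelmap_get_name` are lookups yet take a non-const `struct nfct_labelmap *`, and `__labelmap_new`/`__labelmap_destroy` drop the parameter names that every neighbouring prototype in this header keeps; the public `nfct_labelmap_get_name`/`nfct_labelmap_get_bit` declarations in the libnetfilter_conntrack.h hunk below have the same non-const map parameter. Suggest `int __labelmap_get_bit(const struct nfct_labelmap *map, const char *name);` and `const char *__labelmap_get_name(const struct nfct_labelmap *map, unsigned int bit);`, plus `const char *mapfile` and `struct nfct_labelmap *map` on the other two. The block comment above them should also say what `__labelmap_get_bit` returns when the name is unknown (presumably a negative value, given the int return) and what `__labelmap_get_name` returns for an unmapped bit, since callers will branch on both.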
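Review bot: `ATTR_CONNLABELS` is annotated only as `/* variable length */`, while the commit message says the attribute is a `struct nfct_bitmask` and the neighbouring entries name both the payload type and the first kernel that supports them; a caller of nfct_get_attr needs the type to know what it is casting the returned pointer to. Suggest `ATTR_CONNLABELS, /* struct nfct_bitmask *, variable length, linux >= <kernel release that adds CTA_LABELS> */` with the version filled in from the kernel side of this change. Placing it between ATTR_HELPER_INFO and ATTR_MAX keeps every existing attribute value stable, which matters for an installed header.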
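Review bot: The public labelmap API is declared without any contract: whether `nfct_labelmap_new(NULL)` selects the default file named in the commit message (/etc/xtables/connlabel.conf) and what it returns on a missing or malformed file, what `nfct_labelmap_get_bit` returns for a name that is not in the map, and how long the string returned by `nfct_labelmap_get_name` stays valid (presumably until `nfct_labelmap_destroy`). This is the installed header, so a one- or two-line comment per function is where users will look; the parameter is also spelled `map` in two declarations and `m` in the other two. For the constructor, once confirmed against the implementation, something like `/* Parse mapfile into a label name <-> bit map; NULL selects the default file. Returns NULL on error. */` would settle the main question.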
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index 39366c4..3c69ba9 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
@@ -53,6 +53,7 @@ enum ctattr_type {
 CTA_SECCTX,
 CTA_TIMESTAMP,
 CTA_MARK_MASK,
+ CTA_LABELS,
 __CTA_MAX
 };
 #define CTA_MAX (__CTA_MAX - 1)
-- 
cgit v1.2.3
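Review bot: `CTA_LABELS` is appended immediately before `__CTA_MAX`, which is the only correct position because this enum mirrors the kernel's netlink attribute numbering and any other placement would misparse every attribute after it. The code that consumes the attribute is outside this view (the page is limited to include/); when that parser turns the CTA_LABELS payload into the `struct nfct_bitmask` declared in object.h (`uint32_t bits[]`), it should check that the attribute length is a non-zero multiple of `sizeof(uint32_t)` and fits the bitmask it allocates before copying, since the length comes from the netlink message rather than from the library's caller. A note to that effect next to the enum value, or on the parser, would make the expectation explicit.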