From 003c2b107c185fb818f082c499c77b7188c7d5f7 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 21 Jun 2017 20:34:19 +0200
Subject: examples: set dummy connmark value to show use of NFQA_CT nested attribute

We can now get/set conntrack attributes via nfqueue, show a minimal example that sets the connmark from userspace.

Signed-off-by: Florian Westphal
---
 examples/nf-queue.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'examples/nf-queue.c')
diff --git a/examples/nf-queue.c b/examples/nf-queue.c
index d6c4b63..c2bc6cc 100644
--- a/examples/nf-queue.c
+++ b/examples/nf-queue.c
@@ -15,6 +15,9 @@
 #include
+/* only for NFQA_CT, not needed otherwise: */
+#include
+
 static struct mnl_socket *nl;
 static struct nlmsghdr *
@@ -37,10 +40,21 @@ nfq_send_verdict(int queue_num, uint32_t id)
 {
 char buf[MNL_SOCKET_BUFFER_SIZE];
 struct nlmsghdr *nlh;
+ struct nlattr *nest;
 nlh = nfq_hdr_put(buf, NFQNL_MSG_VERDICT, queue_num);
 nfq_nlmsg_verdict_put(nlh, id, NF_ACCEPT);
+ /* example to set the connmark. First, start NFQA_CT section: */
+ nest = mnl_attr_nest_start(nlh, NFQA_CT);
+
+ /* then, add the connmark attribute: */
+ mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));
+ /* more conntrack attributes, e.g. CTA_LABEL, could be set here */
+
+ /* end conntrack section */
+ mnl_attr_nest_end(nlh, nest);
+
 if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 perror("mnl_socket_send");
 exit(EXIT_FAILURE);
--
cgit v1.2.3
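Review bot: In nfq_send_verdict() the new NFQA_CT nest writes a fixed connmark of 42 on every verdict, yet none of the added comments say the value is a placeholder; connmarks are often matched by firewall and routing rules, so anyone copying the example unchanged would presumably overwrite marks that other rules depend on. I would spell that out, e.g. `/* then, add the connmark attribute (42 is only a dummy value): */`. The next comment names `CTA_LABEL`, but the attribute declared in nfnetlink_conntrack.h is `CTA_LABELS`, so the hint should read `e.g. CTA_LABELS`. Because that comment invites adding more attributes to `buf`, it could also point to the bounds-checked `mnl_attr_nest_start_check()` and `mnl_attr_put_u32_check()` variants. nfq_send_verdict() continues past the end of the hunk.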