authorPablo Neira Ayuso <pablo@netfilter.org>2013-08-07 19:41:30 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2013-09-26 18:52:26 +0200
commit8c38d35c3d90d493fdead6d4ead0517ec09fee96 (patch)
tree67c91223a47f97e58ecbdfd8bf5ad3e77972720c
parentfee95ed0db0745b551dfb15c58800da5c1ca9e5f (diff)
conntrackd: cthelper: allow to attach expectations via nfqueue
This requires the Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/linux/netfilter/nfnetlink_queue.h13
-rw-r--r--include/myct.h1
-rw-r--r--src/cthelper.c11
3 files changed, 25 insertions, 0 deletions
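--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -44,6 +44,9 @@ enum nfqnl_attr_type {
 NFQA_PAYLOAD, /* opaque data payload */
 NFQA_CT, /* nf_conntrack_netlink.h */
 NFQA_CT_INFO, /* enum ip_conntrack_info */
+ NFQA_CAP_LEN, /* __u32 length of captured packet */
+ NFQA_SKB_INFO, /* __u32 skb meta information */
+ NFQA_EXP, /* nf_conntrack_netlink.h */
 __NFQA_MAX
 };
@@ -95,5 +98,15 @@ enum nfqnl_attr_config {
 /* Flags for NFQA_CFG_FLAGS */
 #define NFQA_CFG_F_FAIL_OPEN (1 << 0)
 #define NFQA_CFG_F_CONNTRACK (1 << 1)
+#define NFQA_CFG_F_GSO (1 << 2)
+#define NFQA_CFG_F_MAX (1 << 3)
+
+/* flags for NFQA_SKB_INFO */
+/* packet appears to have wrong checksums, but they are ok */
+#define NFQA_SKB_CSUMNOTREADY (1 << 0)
+/* packet is GSO (i.e., exceeds device mtu) */
+#define NFQA_SKB_GSO (1 << 1)
+/* csum not validated (incoming device doesn't support hw checksum, etc.) */
+#define NFQA_SKB_CSUM_NOTVERIFIED (1 << 2)
 #endif /* _NFNETLINK_QUEUE_H */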
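--- a/include/myct.h
+++ b/include/myct.h
@@ -37,6 +37,7 @@ struct myct_tuple {
 struct myct {
 struct nf_conntrack *ct;
+ struct nf_expect *exp;
 void *priv_data;
 };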
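Review bot: The new `exp` member has no initialization or ownership contract, yet both cthelper.c hunks in this commit rely on it being a valid pointer or NULL (`if (myct->exp)` in pkt_verdict_issue, `nfexp_destroy(myct->exp)` in nfq_queue_cb), so every site that allocates a `struct myct` must now zero it or set `exp = NULL` explicitly; the allocation site is not in this diff, so that cannot be confirmed here. A field comment would pin the contract down for helper authors: `struct nf_expect *exp; /* expectation to attach to the verdict, NULL if none; destroyed with nfexp_destroy() by the queue callback, not by the helper */`. Separately, in nfq_queue_cb the new `if (myct->exp != NULL)` test is placed before the existing `if (myct && myct->priv_data != NULL)` guard, which suggests myct itself may be NULL on that cleanup path; if so the new check needs the same `myct &&` guard. That hunk continues past the end of the visible diff.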
diff --git a/src/cthelper.c b/src/cthelper.c
index 5a8a92a..fec40fb 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -182,6 +182,15 @@ pkt_verdict_issue(struct ctd_helper_instance *cur, struct myct *myct,
nfct_nlmsg_build(nlh, myct->ct);
mnl_attr_nest_end(nlh, nest);
+ if (myct->exp) {
+ nest = mnl_attr_nest_start(nlh, NFQA_EXP);
+ if (nest == NULL)
+ return -1;
+
+ nfexp_nlmsg_build(nlh, myct->exp);
+ mnl_attr_nest_end(nlh, nest);
+ }
+
if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
dlog(LOG_ERR, "failed to send verdict: %s", strerror(errno));
return -1;
@@ -317,6 +326,8 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
if (ct != NULL)
nfct_destroy(ct);
+ if (myct->exp != NULL)
+ nfexp_destroy(myct->exp);
if (myct && myct->priv_data != NULL)
free(myct->priv_data);
if (myct != NULL)