authorPablo Neira Ayuso <pablo@netfilter.org>2012-02-05 01:30:22 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2012-02-06 23:44:01 +0100
commitc9983354fa65c835643f85567f57cc8e9992cd29 (patch)
treebf99dc393ab9749903422385c727756a418e2683
parent815805101cbc0e513cf909a77b5dfcd8d39684fd (diff)
expect: add NAT support
This patch adds ATTR_EXP_NAT_TUPLE and ATTR_EXP_NAT_DIR attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/internal/object.h2
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack.h2
-rw-r--r--include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h9
-rw-r--r--src/expect/build.c11
-rw-r--r--src/expect/getter.c12
-rw-r--r--src/expect/parse.c20
-rw-r--r--src/expect/setter.c12
7 files changed, 68 insertions, 0 deletions
diff --git a/include/internal/object.h b/include/internal/object.h
index 41203c7..2bba5f7 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -268,6 +268,7 @@ struct nf_expect {
struct nfct_tuple_head master;
struct nfct_tuple_head expected;
struct nfct_tuple_head mask;
+ struct nfct_tuple_head nat;
u_int32_t timeout;
u_int32_t id;
@@ -275,6 +276,7 @@ struct nf_expect {
u_int32_t flags;
u_int32_t class;
char helper_name[NFCT_HELPER_NAME_MAX];
+ u_int32_t nat_dir;
u_int32_t set[1];
};
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index cb12a2d..28656ec 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -511,6 +511,8 @@ enum nf_expect_attr {
ATTR_EXP_FLAGS, /* u32 bits */
ATTR_EXP_HELPER_NAME, /* string (16 bytes max) */
ATTR_EXP_CLASS, /* u32 bits */
+ ATTR_EXP_NAT_TUPLE, /* pointer to conntrack object */
+ ATTR_EXP_NAT_DIR, /* u8 bits */
ATTR_EXP_MAX
};
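Review bot: The comment on the new `ATTR_EXP_NAT_DIR` entry says `/* u8 bits */`, but the field this commit adds to `struct nf_expect` in object.h is `u_int32_t nat_dir`, the setter in setter.c reads it as `*((u_int32_t *) value)`, the getter in getter.c returns `&exp->nat_dir`, and build.c/parse.c move it with `htonl`/`ntohl`, so the documented width disagrees with every use. A caller that follows the comment and passes the address of a `u_int8_t` has four bytes read through that pointer by the setter, and one that reads the getter result as a u8 gets only the first byte of a host-order u32. Suggest `ATTR_EXP_NAT_DIR, /* u32 bits */`, matching `ATTR_EXP_FLAGS` and `ATTR_EXP_CLASS` above it.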
diff --git a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
index 2278f56..3faf04f 100644
--- a/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
+++ b/include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
@@ -177,10 +177,19 @@ enum ctattr_expect {
CTA_EXPECT_ZONE,
CTA_EXPECT_FLAGS,
CTA_EXPECT_CLASS,
+ CTA_EXPECT_NAT,
__CTA_EXPECT_MAX
};
#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+enum ctattr_expect_nat {
+ CTA_EXPECT_NAT_UNSPEC,
+ CTA_EXPECT_NAT_DIR,
+ CTA_EXPECT_NAT_TUPLE,
+ __CTA_EXPECT_NAT_MAX
+};
+#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
+
enum ctattr_help {
CTA_HELP_UNSPEC,
CTA_HELP_NAME,
diff --git a/src/expect/build.c b/src/expect/build.c
index ffc7b84..8cf2edd 100644
--- a/src/expect/build.c
+++ b/src/expect/build.c
@@ -74,6 +74,17 @@ int __build_expect(struct nfnl_subsys_handle *ssh,
__build_tuple(req, size, &exp->mask.orig, CTA_EXPECT_MASK);
}
+ if (test_bit(ATTR_EXP_NAT_TUPLE, exp->set) &&
+ test_bit(ATTR_EXP_NAT_DIR, exp->set)) {
+ struct nfattr *nest;
+
+ nest = nfnl_nest(&req->nlh, size, CTA_EXPECT_NAT);
+ __build_tuple(req, size, &exp->nat.orig, CTA_EXPECT_NAT_TUPLE);
+ nfnl_addattr32(&req->nlh, size, CTA_EXPECT_NAT_DIR,
+ htonl(exp->nat_dir));
+ nfnl_nest_end(&req->nlh, nest);
+ }
+
if (test_bit(ATTR_EXP_TIMEOUT, exp->set))
__build_timeout(req, size, exp);
if (test_bit(ATTR_EXP_FLAGS, exp->set))
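Review bot: The `CTA_EXPECT_NAT` nest in the new block is emitted only when both `ATTR_EXP_NAT_TUPLE` and `ATTR_EXP_NAT_DIR` are set; a caller that sets just one of them gets no NAT attribute and no error, and nothing in the code says this is deliberate. A one-line comment above the condition would record the intent, e.g. `/* a NAT tuple without its direction (or vice versa) is incomplete; build the nest only when both are set */`. If the kernel rejects a nest lacking either member, that is worth stating in the same comment, but I cannot confirm it from this hunk. `__build_expect` begins and ends outside the hunk.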
diff --git a/src/expect/getter.c b/src/expect/getter.c
index 06c3bca..937e793 100644
--- a/src/expect/getter.c
+++ b/src/expect/getter.c
@@ -49,6 +49,16 @@ static const void *get_exp_attr_helper_name(const struct nf_expect *exp)
return exp->helper_name;
}
+static const void *get_exp_attr_nat_dir(const struct nf_expect *exp)
+{
+ return &exp->nat_dir;
+}
+
+static const void *get_exp_attr_nat_tuple(const struct nf_expect *exp)
+{
+ return &exp->nat;
+}
+
const get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
[ATTR_EXP_MASTER] = get_exp_attr_master,
[ATTR_EXP_EXPECTED] = get_exp_attr_expected,
@@ -58,4 +68,6 @@ const get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
[ATTR_EXP_FLAGS] = get_exp_attr_flags,
[ATTR_EXP_HELPER_NAME] = get_exp_attr_helper_name,
[ATTR_EXP_CLASS] = get_exp_attr_class,
+ [ATTR_EXP_NAT_TUPLE] = get_exp_attr_nat_tuple,
+ [ATTR_EXP_NAT_DIR] = get_exp_attr_nat_dir,
};
diff --git a/src/expect/parse.c b/src/expect/parse.c
index 8b6dd5f..5796072 100644
--- a/src/expect/parse.c
+++ b/src/expect/parse.c
@@ -89,4 +89,24 @@ void __parse_expect(const struct nlmsghdr *nlh,
ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_CLASS-1]));
set_bit(ATTR_EXP_CLASS, exp->set);
}
+ if (cda[CTA_EXPECT_NAT-1]) {
+ struct nfattr *tb[CTA_EXPECT_NAT_MAX];
+
+ nfnl_parse_nested(tb, CTA_EXPECT_NAT_MAX,
+ cda[CTA_EXPECT_NAT-1]);
+
+ if (tb[CTA_EXPECT_NAT_TUPLE-1]) {
+ __parse_tuple(tb[CTA_EXPECT_NAT_TUPLE-1],
+ &exp->nat.orig,
+ __DIR_ORIG,
+ exp->nat.set);
+ set_bit(ATTR_EXP_NAT_TUPLE, exp->set);
+ }
+ if (tb[CTA_EXPECT_NAT_DIR-1]) {
+ exp->nat_dir =
+ ntohl(*((u_int32_t *)
+ NFA_DATA(tb[CTA_EXPECT_NAT_DIR-1])));
+ set_bit(ATTR_EXP_NAT_DIR, exp->set);
+ }
+ }
}
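Review bot: The 4-byte read of `CTA_EXPECT_NAT_DIR` on the new lines (`ntohl(*((u_int32_t *) NFA_DATA(tb[CTA_EXPECT_NAT_DIR-1])))`) does not check the attribute's payload length, so a shorter-than-expected attribute would be over-read; the `CTA_EXPECT_CLASS` read in the context just above follows the same pattern, so this is consistent with the file rather than a regression. The messages come from the kernel, so the exposure is limited, but if a guard is wanted, `if (tb[CTA_EXPECT_NAT_DIR-1] && NFA_PAYLOAD(tb[CTA_EXPECT_NAT_DIR-1]) >= sizeof(u_int32_t))` would bound the read. The return value of `nfnl_parse_nested` is also ignored. `__parse_expect` starts outside the hunk.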
diff --git a/src/expect/setter.c b/src/expect/setter.c
index b78f4f6..47843f8 100644
--- a/src/expect/setter.c
+++ b/src/expect/setter.c
@@ -50,6 +50,16 @@ static void set_exp_attr_helper_name(struct nf_expect *exp, const void *value)
exp->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';
}
+static void set_exp_attr_nat_dir(struct nf_expect *exp, const void *value)
+{
+ exp->nat_dir = *((u_int32_t *) value);
+}
+
+static void set_exp_attr_nat_tuple(struct nf_expect *exp, const void *value)
+{
+ exp->nat = *((struct nfct_tuple_head *) value);
+}
+
const set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
[ATTR_EXP_MASTER] = set_exp_attr_master,
[ATTR_EXP_EXPECTED] = set_exp_attr_expected,
@@ -59,4 +69,6 @@ const set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
[ATTR_EXP_FLAGS] = set_exp_attr_flags,
[ATTR_EXP_HELPER_NAME] = set_exp_attr_helper_name,
[ATTR_EXP_CLASS] = set_exp_attr_class,
+ [ATTR_EXP_NAT_TUPLE] = set_exp_attr_nat_tuple,
+ [ATTR_EXP_NAT_DIR] = set_exp_attr_nat_dir,
};