diff options
author | Daniel Borkmann <daniel@iogearbox.net> | 2015-08-25 14:22:41 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-09-29 20:39:26 +0200 |
commit | d3d2bee2d9ebd565e006f213c76cfa316b5e5ab1 (patch) | |
tree | ba853d38ef24d856cc24a1fd8365cc41749126c4 /src/conntrack/build_mnl.c | |
parent | ca8fa0b9f03968d5077af162010d670631089b6a (diff) |
conntrack: add zone attribute to tuple
This patch adds the front-end to the recent ctnetlink interface
changes that add the zone attribute into the tuple.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack/build_mnl.c')
-rw-r--r-- | src/conntrack/build_mnl.c | 51 |
1 files changed, 46 insertions, 5 deletions
diff --git a/src/conntrack/build_mnl.c b/src/conntrack/build_mnl.c index a37bd73..8ed0690 100644 --- a/src/conntrack/build_mnl.c +++ b/src/conntrack/build_mnl.c @@ -81,6 +81,17 @@ nfct_build_tuple_proto(struct nlmsghdr *nlh, const struct __nfct_tuple *t) } int +nfct_build_tuple_raw(struct nlmsghdr *nlh, const struct __nfct_tuple *t) +{ + if (nfct_build_tuple_ip(nlh, t) < 0) + return -1; + if (nfct_build_tuple_proto(nlh, t) < 0) + return -1; + + return 0; +} + +int nfct_build_tuple(struct nlmsghdr *nlh, const struct __nfct_tuple *t, int type) { struct nlattr *nest; @@ -89,9 +100,7 @@ nfct_build_tuple(struct nlmsghdr *nlh, const struct __nfct_tuple *t, int type) if (nest == NULL) return -1; - if (nfct_build_tuple_ip(nlh, t) < 0) - goto err; - if (nfct_build_tuple_proto(nlh, t) < 0) + if (nfct_build_tuple_raw(nlh, t) < 0) goto err; mnl_attr_nest_end(nlh, nest); @@ -410,10 +419,26 @@ nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct) test_bit(ATTR_ORIG_PORT_DST, ct->head.set) || test_bit(ATTR_ORIG_L3PROTO, ct->head.set) || test_bit(ATTR_ORIG_L4PROTO, ct->head.set) || + test_bit(ATTR_ORIG_ZONE, ct->head.set) || test_bit(ATTR_ICMP_TYPE, ct->head.set) || test_bit(ATTR_ICMP_CODE, ct->head.set) || test_bit(ATTR_ICMP_ID, ct->head.set)) { - nfct_build_tuple(nlh, &ct->head.orig, CTA_TUPLE_ORIG); + const struct __nfct_tuple *t = &ct->head.orig; + struct nlattr *nest; + + nest = mnl_attr_nest_start(nlh, CTA_TUPLE_ORIG); + if (nest == NULL) + return -1; + + if (nfct_build_tuple_raw(nlh, t) < 0) { + mnl_attr_nest_cancel(nlh, nest); + return -1; + } + + if (test_bit(ATTR_ORIG_ZONE, ct->head.set)) + mnl_attr_put_u16(nlh, CTA_TUPLE_ZONE, htons(t->zone)); + + mnl_attr_nest_end(nlh, nest); } if (test_bit(ATTR_REPL_IPV4_SRC, ct->head.set) || @@ -424,10 +449,26 @@ nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct) test_bit(ATTR_REPL_PORT_DST, ct->head.set) || test_bit(ATTR_REPL_L3PROTO, ct->head.set) || test_bit(ATTR_REPL_L4PROTO, ct->head.set) || + test_bit(ATTR_REPL_ZONE, ct->head.set) || test_bit(ATTR_ICMP_TYPE, ct->head.set) || test_bit(ATTR_ICMP_CODE, ct->head.set) || test_bit(ATTR_ICMP_ID, ct->head.set)) { - nfct_build_tuple(nlh, &ct->repl, CTA_TUPLE_REPLY); + const struct __nfct_tuple *t = &ct->repl; + struct nlattr *nest; + + nest = mnl_attr_nest_start(nlh, CTA_TUPLE_REPLY); + if (nest == NULL) + return -1; + + if (nfct_build_tuple_raw(nlh, t) < 0) { + mnl_attr_nest_cancel(nlh, nest); + return -1; + } + + if (test_bit(ATTR_REPL_ZONE, ct->head.set)) + mnl_attr_put_u16(nlh, CTA_TUPLE_ZONE, htons(t->zone)); + + mnl_attr_nest_end(nlh, nest); } if (test_bit(ATTR_MASTER_IPV4_SRC, ct->head.set) || |