-rw-r--r-- | include/internal/object.h | 9 | ||||
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack.h | 6 | ||||
-rw-r--r-- | src/conntrack/copy.c | 4 | ||||
-rw-r--r-- | src/conntrack/parse.c | 4 | ||||
-rw-r--r-- | src/conntrack/setter.c | 4 | ||||
-rw-r--r-- | src/expect/build.c | 9 | ||||
-rw-r--r-- | src/expect/getter.c | 6 | ||||
-rw-r--r-- | src/expect/parse.c | 5 | ||||
-rw-r--r-- | src/expect/setter.c | 7 | ||||
-rw-r--r-- | src/expect/snprintf_default.c | 39 | ||||
-rw-r--r-- | utils/expect_get.c | 4 |
11 files changed, 67 insertions, 30 deletions
diff --git a/include/internal/object.h b/include/internal/object.h
index 5dce9d0..880f7c1 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -6,6 +6,8 @@
 #ifndef _NFCT_OBJECT_H_
 #define _NFCT_OBJECT_H_
 
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
 /*
  * nfct callback handler object
  */
@@ -161,11 +163,7 @@ struct nf_conntrack {
 	u_int32_t id;
 	u_int16_t zone;
 
-/* xt_helper uses a length size of 30 bytes, however, no helper name in
- * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum
- * length accepted is 16 bytes, this limit is enforced during module load. */
-#define __NFCT_HELPER_NAMELEN 16
-	char helper_name[__NFCT_HELPER_NAMELEN];
+	char helper_name[NFCT_HELPER_NAME_MAX];
 /* According to Eric Paris <eparis@redhat.com> this field can be up to 4096
  * bytes long. For that reason, we allocate this dynamically. */
 	char *secctx;
@@ -269,6 +267,7 @@ struct nf_expect {
 	u_int32_t id;
 	u_int16_t zone;
 	u_int32_t flags;
+	char helper_name[NFCT_HELPER_NAME_MAX];
 	u_int32_t set[1];
 };
 
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 94e34be..f5add1a 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -507,6 +507,7 @@ enum nf_expect_attr {
 	ATTR_EXP_TIMEOUT,		/* u32 bits */
 	ATTR_EXP_ZONE,			/* u16 bits */
 	ATTR_EXP_FLAGS,			/* u32 bits */
+	ATTR_EXP_HELPER_NAME,		/* string (16 bytes max) */
 	ATTR_EXP_MAX
 };
 
@@ -715,6 +716,11 @@ enum ip_conntrack_status {
 #define NFCT_DIR_REPLY 1
 #define NFCT_DIR_MAX NFCT_DIR_REPLY+1
 
+/* xt_helper uses a length size of 30 bytes, however, no helper name in
+ * the tree has exceeded 16 bytes length. Since 2.6.29, the maximum
+ * length accepted is 16 bytes, this limit is enforced during module load. */
+#define NFCT_HELPER_NAME_MAX 16
+
 #ifdef __cplusplus
 }
 #endif
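Review bot: NFCT_HELPER_NAME_MAX becomes part of the public header in the last hunk, but the comment carried over with it only describes the kernel's helper-name limit and never says what the constant means to a caller: it is the size of the helper_name buffer including the terminating NUL, and the setters in this series store at most NFCT_HELPER_NAME_MAX-1 characters before forcing `helper_name[NFCT_HELPER_NAME_MAX-1] = '\0'`, silently truncating anything longer. Suggest adding a line below the existing comment: `/* Size of the helper name buffer, NUL included: nfct_set_attr() keeps at most NFCT_HELPER_NAME_MAX-1 characters and truncates longer names. */`. The `/* string (16 bytes max) */` remark on ATTR_EXP_HELPER_NAME in the previous hunk reads as if 16 characters fit and could reference the macro instead: `/* string, NFCT_HELPER_NAME_MAX bytes incl. NUL */`.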
diff --git a/src/conntrack/copy.c b/src/conntrack/copy.c
index c3a4fcc..cdce0de 100644
--- a/src/conntrack/copy.c
+++ b/src/conntrack/copy.c
@@ -405,8 +405,8 @@ static void copy_attr_repl_off_aft(struct nf_conntrack *dest,
 static void copy_attr_helper_name(struct nf_conntrack *dest,
				  const struct nf_conntrack *orig)
 {
-	strncpy(dest->helper_name, orig->helper_name, __NFCT_HELPER_NAMELEN);
-	dest->helper_name[__NFCT_HELPER_NAMELEN-1] = '\0';
+	strncpy(dest->helper_name, orig->helper_name, NFCT_HELPER_NAME_MAX);
+	dest->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';
 }
 
 static void copy_attr_zone(struct nf_conntrack *dest,
diff --git a/src/conntrack/parse.c b/src/conntrack/parse.c
index 8f8a01c..ee3074d 100644
--- a/src/conntrack/parse.c
+++ b/src/conntrack/parse.c
@@ -417,8 +417,8 @@ __parse_helper(const struct nfattr *attr, struct nf_conntrack *ct)
 
 	strncpy(ct->helper_name,
 		NFA_DATA(tb[CTA_HELP_NAME-1]),
-		__NFCT_HELPER_NAMELEN);
-	ct->helper_name[__NFCT_HELPER_NAMELEN-1] = '\0';
+		NFCT_HELPER_NAME_MAX);
+	ct->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';
 	set_bit(ATTR_HELPER_NAME, ct->set);
 }
 
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 3282035..df06b04 100644
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
@@ -310,8 +310,8 @@ static void set_attr_repl_off_aft(struct nf_conntrack *ct, const void *value)
 
 static void set_attr_helper_name(struct nf_conntrack *ct, const void *value)
 {
-	strncpy(ct->helper_name, value, __NFCT_HELPER_NAMELEN);
-	ct->helper_name[__NFCT_HELPER_NAMELEN-1] = '\0';
+	strncpy(ct->helper_name, value, NFCT_HELPER_NAME_MAX);
+	ct->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';
 }
 
 static void set_attr_dccp_state(struct nf_conntrack *ct, const void *value)
diff --git a/src/expect/build.c b/src/expect/build.c
index c1a5a1d..82aa852 100644
--- a/src/expect/build.c
+++ b/src/expect/build.c
@@ -26,6 +26,13 @@ static void __build_flags(struct nfnlhdr *req,
 	nfnl_addattr32(&req->nlh, size, CTA_EXPECT_FLAGS,htonl(exp->flags));
 }
 
+static void __build_helper_name(struct nfnlhdr *req, size_t size,
+				const struct nf_expect *exp)
+{
+	nfnl_addattr_l(&req->nlh, size, CTA_EXPECT_HELP_NAME,
+			exp->helper_name, strlen(exp->helper_name));
+}
+
 int __build_expect(struct nfnl_subsys_handle *ssh,
		   struct nfnlhdr *req,
		   size_t size,
@@ -73,6 +80,8 @@ int __build_expect(struct nfnl_subsys_handle *ssh,
		__build_flags(req, size, exp);
	if (test_bit(ATTR_EXP_ZONE, exp->set))
		__build_zone(req, size, exp);
+	if (test_bit(ATTR_EXP_HELPER_NAME, exp->set))
+		__build_helper_name(req, size, exp);
 
	return 0;
 }
diff --git a/src/expect/getter.c b/src/expect/getter.c
index 9cb6ede..69453c5 100644
--- a/src/expect/getter.c
+++ b/src/expect/getter.c
@@ -37,6 +37,11 @@ static const void *get_exp_attr_flags(const struct nf_expect *exp)
 	return &exp->flags;
 }
 
+static const void *get_exp_attr_helper_name(const struct nf_expect *exp)
+{
+	return exp->helper_name;
+}
+
 const get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
 	[ATTR_EXP_MASTER]	= get_exp_attr_master,
 	[ATTR_EXP_EXPECTED]	= get_exp_attr_expected,
@@ -44,4 +49,5 @@ const get_exp_attr get_exp_attr_array[ATTR_EXP_MAX] = {
 	[ATTR_EXP_TIMEOUT]	= get_exp_attr_timeout,
 	[ATTR_EXP_ZONE]		= get_exp_attr_zone,
 	[ATTR_EXP_FLAGS]	= get_exp_attr_flags,
+	[ATTR_EXP_HELPER_NAME]	= get_exp_attr_helper_name,
 };
diff --git a/src/expect/parse.c b/src/expect/parse.c
index 0581aca..4d9852d 100644
--- a/src/expect/parse.c
+++ b/src/expect/parse.c
@@ -77,4 +77,9 @@ void __parse_expect(const struct nlmsghdr *nlh,
 			ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_FLAGS-1]));
 		set_bit(ATTR_EXP_FLAGS, exp->set);
 	}
+	if (cda[CTA_EXPECT_HELP_NAME-1]) {
+		strncpy(exp->helper_name, NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]),
+			NFA_PAYLOAD(cda[CTA_EXPECT_HELP_NAME-1]));
+		set_bit(ATTR_EXP_HELPER_NAME, exp->set);
+	}
 }
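Review bot: __build_helper_name passes `strlen(exp->helper_name)` as the attribute length, so CTA_EXPECT_HELP_NAME goes out without its terminating NUL. As far as I recall, ctnetlink's policy for this attribute is NLA_NUL_STRING, whose validation requires a NUL inside the payload, so a request carrying a helper name would be rejected with EINVAL; the conntrack-side builder for CTA_HELP_NAME sends strlen()+1 for that reason (not in this diff, please confirm). Change the call to `exp->helper_name, strlen(exp->helper_name)+1);`. A short `/* kernel expects a NUL-terminated string */` on that line would stop the +1 from being "cleaned up" later.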
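Review bot: The new CTA_EXPECT_HELP_NAME branch in __parse_expect uses NFA_PAYLOAD() as the strncpy length, so the bound comes from the message rather than from the destination: a payload longer than NFCT_HELPER_NAME_MAX writes past the 16-byte exp->helper_name into the rest of struct nf_expect, and a payload without a NUL leaves helper_name unterminated for the later `"helper=%s"` snprintf. The conntrack parser touched in this same series bounds the identical copy with NFCT_HELPER_NAME_MAX and terminates it; do the same here: `strncpy(exp->helper_name, NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]), NFCT_HELPER_NAME_MAX);` followed by `exp->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';`. The kernel is expected to respect the 16-byte limit, but this parser should not be the component that depends on it, and I cannot see from here whether the receive path discards netlink messages that did not originate from the kernel.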
diff --git a/src/expect/setter.c b/src/expect/setter.c
index 040b958..08b3547 100644
--- a/src/expect/setter.c
+++ b/src/expect/setter.c
@@ -37,6 +37,12 @@ static void set_exp_attr_flags(struct nf_expect *exp, const void *value)
 	exp->flags = *((u_int32_t *) value);
 }
 
+static void set_exp_attr_helper_name(struct nf_expect *exp, const void *value)
+{
+	strncpy(exp->helper_name, value, NFCT_HELPER_NAME_MAX);
+	exp->helper_name[NFCT_HELPER_NAME_MAX-1] = '\0';
+}
+
 const set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
 	[ATTR_EXP_MASTER]	= set_exp_attr_master,
 	[ATTR_EXP_EXPECTED]	= set_exp_attr_expected,
@@ -44,4 +50,5 @@ const set_exp_attr set_exp_attr_array[ATTR_EXP_MAX] = {
 	[ATTR_EXP_TIMEOUT]	= set_exp_attr_timeout,
 	[ATTR_EXP_ZONE]		= set_exp_attr_zone,
 	[ATTR_EXP_FLAGS]	= set_exp_attr_flags,
+	[ATTR_EXP_HELPER_NAME]	= set_exp_attr_helper_name,
 };
diff --git a/src/expect/snprintf_default.c b/src/expect/snprintf_default.c
index c4a19fa..6958552 100644
--- a/src/expect/snprintf_default.c
+++ b/src/expect/snprintf_default.c
@@ -64,6 +64,24 @@ int __snprintf_expect_default(char *buf,
 	ret = __snprintf_proto(buf+offset, len,
			       &exp->expected.tuple[__DIR_ORIG]);
 	BUFFER_SIZE(ret, size, len, offset);
+	ret = __snprintf_address(buf+offset, len,
+				 &exp->mask.tuple[__DIR_ORIG],
+				 "mask-src", "mask-dst");
+	BUFFER_SIZE(ret, size, len, offset);
+
+	ret = __snprintf_proto(buf+offset, len,
+			       &exp->mask.tuple[__DIR_ORIG]);
+	BUFFER_SIZE(ret, size, len, offset);
+
+	ret = __snprintf_address(buf+offset, len,
+				 &exp->master.tuple[__DIR_ORIG],
+				 "master-src", "master-dst");
+	BUFFER_SIZE(ret, size, len, offset);
+
+	ret = __snprintf_proto(buf+offset, len,
+			       &exp->master.tuple[__DIR_ORIG]);
+	BUFFER_SIZE(ret, size, len, offset);
+
 	if (test_bit(ATTR_EXP_ZONE, exp->set)) {
 		ret = snprintf(buf+offset, len, "zone=%u ", exp->zone);
 		BUFFER_SIZE(ret, size, len, offset);
@@ -84,23 +102,10 @@ int __snprintf_expect_default(char *buf,
 		BUFFER_SIZE(ret, size, len, offset);
 	}
 
-	ret = __snprintf_address(buf+offset, len,
-				 &exp->mask.tuple[__DIR_ORIG],
-				 "mask-src", "mask-dst");
-	BUFFER_SIZE(ret, size, len, offset);
-
-	ret = __snprintf_proto(buf+offset, len,
-			       &exp->mask.tuple[__DIR_ORIG]);
-	BUFFER_SIZE(ret, size, len, offset);
-
-	ret = __snprintf_address(buf+offset, len,
-				 &exp->master.tuple[__DIR_ORIG],
-				 "master-src", "master-dst");
-	BUFFER_SIZE(ret, size, len, offset);
-
-	ret = __snprintf_proto(buf+offset, len,
-			       &exp->master.tuple[__DIR_ORIG]);
-	BUFFER_SIZE(ret, size, len, offset);
+	if (test_bit(ATTR_EXP_HELPER_NAME, exp->set)) {
+		ret = snprintf(buf+offset, len, "helper=%s", exp->helper_name);
+		BUFFER_SIZE(ret, size, len, offset);
+	}
 
 	/* Delete the last blank space if needed */
 	if (len > 0 && buf[size-1] == ' ')
diff --git a/utils/expect_get.c b/utils/expect_get.c
index e42c845..c426cf3 100644
--- a/utils/expect_get.c
+++ b/utils/expect_get.c
@@ -32,8 +32,8 @@ int main(void)
 	}
 
 	nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET);
-	nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("4.4.4.4"));
-	nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("5.5.5.5"));
+	nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
+	nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
 
 	nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP);
 	nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(10240));
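Review bot: `"helper=%s"` is printed without the trailing blank that the other items use (`"zone=%u "` in the earlier hunk), so it only works because it is currently the last item before the blank-stripping step below; the next attribute someone appends after it will be glued to the helper name. Use `"helper=%s "` for consistency and let the existing `buf[size-1] == ' '` check remove it. This line also relies on exp->helper_name being NUL-terminated, which the setter in this series guarantees but the netlink parser does not. __snprintf_expect_default begins before this hunk.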