Commit 33923153 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller

[NETFILTER] ctnetlink: allow userspace to change TCP state

This patch adds the ability to change the state of a TCP connection. I know
that this must be used with care but it's required to provide a complete
conntrack creation via conntrack_netlink. So I'll document this aspect on
the upcoming docs.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarHarald Welte <laforge@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a051a8f7
...@@ -52,6 +52,9 @@ struct ip_conntrack_protocol ...@@ -52,6 +52,9 @@ struct ip_conntrack_protocol
int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
const struct ip_conntrack *ct); const struct ip_conntrack *ct);
/* convert nfnetlink attributes to protoinfo */
int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct);
int (*tuple_to_nfattr)(struct sk_buff *skb, int (*tuple_to_nfattr)(struct sk_buff *skb,
const struct ip_conntrack_tuple *t); const struct ip_conntrack_tuple *t);
int (*nfattr_to_tuple)(struct nfattr *tb[], int (*nfattr_to_tuple)(struct nfattr *tb[],
...@@ -356,6 +356,28 @@ nfattr_failure: ...@@ -356,6 +356,28 @@ nfattr_failure:
read_unlock_bh(&tcp_lock); read_unlock_bh(&tcp_lock);
return -1; return -1;
} }
static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
{
struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
goto nfattr_failure;
if (!tb[CTA_PROTOINFO_TCP_STATE-1])
return -EINVAL;
write_lock_bh(&tcp_lock);
ct->proto.tcp.state =
*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
write_unlock_bh(&tcp_lock);
return 0;
nfattr_failure:
return -1;
}
#endif #endif
static unsigned int get_conntrack_index(const struct tcphdr *tcph) static unsigned int get_conntrack_index(const struct tcphdr *tcph)
...@@ -1127,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp = ...@@ -1127,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
.to_nfattr = tcp_to_nfattr, .to_nfattr = tcp_to_nfattr,
.from_nfattr = nfattr_to_tcp,
.tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr,
.nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple,
#endif #endif
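Review bot: nfattr_to_tcp stores the userspace-supplied CTA_PROTOINFO_TCP_STATE byte into ct->proto.tcp.state with no range check, so a value of TCP_CONNTRACK_MAX or above reaches whatever later indexes the TCP state and timeout tables by that field (that consumer is outside this hunk, but it is presumably how the state is used). Since this path is driven by ctnetlink messages from userspace, the value should be rejected before the locked write: `if (*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]) >= TCP_CONNTRACK_MAX) return -EINVAL;`. Also, `attr` is taken from cda[CTA_PROTOINFO_TCP-1] and handed straight to nfattr_parse_nested, so a request that carries no TCP protoinfo nest passes a NULL attribute unless the parser guards against that itself; `if (!attr) return 0;` before the parse would make the no-protoinfo case explicit. Neither the parse nor the read checks that the state attribute's payload is at least one byte long, and whether nfattr_parse_nested validates per-attribute lengths is not visible here, so that is worth confirming before the u_int8_t read. Finally, the nfattr_failure label returns -1 while the missing-attribute case returns -EINVAL, which gives callers that propagate the result to userspace an inconsistent errno.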