* [PATCH 4/7] Add ctnetlink_change_protoinfo
@ 2005-08-01 17:05 Pablo Neira
From: Pablo Neira @ 2005-08-01 17:05 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: Harald Welte

Implement a function to change the private protocol information stored 
in a conntrack.

[-- Attachment #2: 04change-protoinfo.patch --]
[-- Type: text/x-patch, Size: 1598 bytes --]

Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_netlink.c
===================================================================
--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-08-01 18:21:06.000000000 +0200
+++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-08-01 18:21:13.000000000 +0200
@@ -948,6 +948,36 @@
 	return 0;
 }
 
+static inline int
+ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
+{
+	struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
+	struct ip_conntrack_protocol *proto;
+	u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
+	int err;
+
+	if (nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr) < 0)
+		goto nfattr_failure;
+
+	proto = ip_conntrack_proto_find_get(npt);
+	if (!proto)
+		return -EINVAL;
+
+	if (proto->from_nfattr) {
+		err = proto->from_nfattr(tb, ct);
+		if (err < 0) {
+			ip_conntrack_proto_put(proto);
+			return -EINVAL;
+		}
+	}
+	ip_conntrack_proto_put(proto);
+
+	return 0;
+
+nfattr_failure:
+	return -1;
+}
+
 static int
 ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
 {
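Review bot: the `nfattr_failure` label at the bottom of `ctnetlink_change_protoinfo` returns a bare `-1`, while every other path in the function and both callers in this patch propagate negative errno values to userspace; `return -EINVAL;` would be consistent, and with a one-line label the `goto` can simply become that return. In the same function a failing `proto->from_nfattr()` has its return value collapsed to `-EINVAL` after `ip_conntrack_proto_put(proto)`; propagating `err` keeps whatever the protocol reported. A comment on the function should also state that `attr` is passed to `nfattr_parse_nested()` without a NULL check, so each caller must test `cda[CTA_PROTOINFO-1]` first, as the two call sites in this patch do.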
@@ -973,6 +1003,12 @@
 			return err;
 	}
 
+	if (cda[CTA_PROTOINFO-1]) {
+		err = ctnetlink_change_protoinfo(ct, cda);
+		if (err < 0)
+			return err;
+	}
+
 	DEBUGP("all done\n");
 	return 0;
 }
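Review bot: this call site deserves a comment saying that a CTA_PROTOINFO attribute on a change request is intentionally allowed to rewrite the protocol-private state of an existing conntrack from userspace; the block follows the same `return err` pattern as the attribute handled just above it, but nothing in the hunk documents that this is a deliberate policy rather than an oversight, which is exactly the question raised in the replies.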
@@ -1002,6 +1038,12 @@
 	if (err < 0)
 		goto err;
 
+	if (cda[CTA_PROTOINFO-1]) {
+		err = ctnetlink_change_protoinfo(ct, cda);
+		if (err < 0)
+			return err;
+	}
+
 	ct->helper = ip_conntrack_helper_find_get(rtuple);
 
 	add_timer(&ct->timeout);
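Review bot: the error path in the new block uses `return err;` while the check two lines above it uses `goto err;` to unwind the conntrack created earlier in this function; returning directly skips that cleanup, so the block should read `if (err < 0) goto err;` as well.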

* Re: [PATCH 4/7] Add ctnetlink_change_protoinfo
@ 2005-08-01 20:06 ` Harald Welte
From: Harald Welte @ 2005-08-01 20:06 UTC (permalink / raw)
  To: Netfilter Development Mailinglist

On Mon, Aug 01, 2005 at 07:05:12PM +0200, Pablo Neira wrote:
> Implement a function to change the private protocol information stored in a 
> conntrack.

I removed this from the patch intentionally for now.  I really don't
like the idea of userspace messing with the protocol specific state.

For now (this can change in the future) my policy is:  Userspace can
only change 'safe' things in the conntrack table.
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

* Re: [PATCH 4/7] Add ctnetlink_change_protoinfo
@ 2005-08-02 11:13   ` Pablo Neira
From: Pablo Neira @ 2005-08-02 11:13 UTC (permalink / raw)
  To: Harald Welte; +Cc: Netfilter Development Mailinglist

Hi Harald,

Ok, I'll try to be more verbose; this will surely help to understand
what I'm trying to do with the patches.

Harald Welte wrote:
> On Mon, Aug 01, 2005 at 07:05:12PM +0200, Pablo Neira wrote:
> 
>> Implement a function to change the private protocol information stored in a 
>> conntrack.
> 
> I removed this from the patch intentionally for now.  I really don't
> like the idea of userspace messing with the protocol specific state.
> 
> For now (this can change in the future) my policy is:  Userspace can
> only change 'safe' things in the conntrack table.

Why? Currently if I create a TCP conntrack, the user won't be able to 
set the state, so the state will be set to NONE.

Besides, I think that libnfnetlink_conntrack must provide as many 
features to manipulate the connection tracking as possible. For example, 
think that someone wants to use libctnetlink to implement some kind of 
conntrack replication. If the user messes with it, it's his fault.

--
Pablo
