* [PATCH] updates for libnfnetlink_conntrack
@ 2005-08-05 0:39 Pablo Neira
2005-08-05 12:50 ` Harald Welte
2005-08-05 13:04 ` Harald Welte
0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira @ 2005-08-05 0:39 UTC (permalink / raw)
To: Netfilter Development Mailinglist; +Cc: Harald Welte, Patrick McHardy
[-- Attachment #1: Type: text/plain, Size: 489 bytes --]
@Harald: BTW, I can reach SVN to commit changes to conntrack (timeout
error).
This patch includes the following updates for the userspace
libnfnetlink_conntrack library:
a) change ctnl_open prototype: Now the subsystem is passed as parameter
to select if we work working with given subsystem, say
NFNL_CTNETLINK_CONNTRACK[_EXP].
b) added functions ctnl_[new|get|del]_expect
c) minor change in ctnl_build_tuple that let us create tuples based on
CTA_* and CTA_EXPECT_* attributes.
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 6174 bytes --]
Index: include/libnfnetlink_conntrack/libnfnetlink_conntrack.h
===================================================================
--- include/libnfnetlink_conntrack/libnfnetlink_conntrack.h (revision 4208)
+++ include/libnfnetlink_conntrack/libnfnetlink_conntrack.h (working copy)
@@ -99,7 +99,7 @@
struct ctnl_msg_handler *handler[IPCTNL_MSG_MAX];
};
-extern int ctnl_open(struct ctnl_handle *, unsigned);
+extern int ctnl_open(struct ctnl_handle *, u_int8_t, unsigned);
extern int ctnl_close(struct ctnl_handle *);
extern int ctnl_unregister_handler(struct ctnl_handle *, int);
extern int ctnl_register_handler(struct ctnl_handle *,
@@ -113,6 +113,11 @@
extern int ctnl_event_conntrack(struct ctnl_handle *, int);
extern int ctnl_flush_conntrack(struct ctnl_handle *);
+extern int ctnl_new_expect(struct ctnl_handle *, struct ctnl_tuple *,
+ struct ctnl_tuple *, struct ctnl_tuple *,
+ unsigned long);
+extern int ctnl_del_expect(struct ctnl_handle *,struct ctnl_tuple *);
+extern int ctnl_get_expect(struct ctnl_handle *, struct ctnl_tuple *);
extern int ctnl_list_expect(struct ctnl_handle *, int);
extern int ctnl_event_expect(struct ctnl_handle *, int);
extern int ctnl_flush_expect(struct ctnl_handle *);
Index: src/libnfnetlink_conntrack.c
===================================================================
--- src/libnfnetlink_conntrack.c (revision 4208)
+++ src/libnfnetlink_conntrack.c (working copy)
@@ -60,7 +60,8 @@
struct ctnl_msg_handler *hdlr = cth->handler[type];
int ret;
- if (NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK) {
+ if (NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK &&
+ NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK_EXP) {
ctnl_error("received message for wrong subsys, skipping\n");
nfnl_dump_packet(n, n->nlmsg_len, "list_conntrack_handler");
return 0;
@@ -91,13 +92,14 @@
* cth: pointer to already allocated library handle
* subscriptions: netlink groups we are interested in
*/
-int ctnl_open(struct ctnl_handle *cth, unsigned subscriptions)
+int ctnl_open(struct ctnl_handle *cth, u_int8_t subsys_id,
+ unsigned subscriptions)
{
int err;
memset(cth, 0, sizeof(*cth));
- err = nfnl_open(&cth->nfnlh, NFNL_SUBSYS_CTNETLINK, subscriptions);
+ err = nfnl_open(&cth->nfnlh, subsys_id, subscriptions);
if (err < 0) {
return err;
}
@@ -249,9 +251,8 @@
}
static void ctnl_build_tuple(struct nfnlhdr *req, int size,
- struct ctnl_tuple *t, int dir)
+ struct ctnl_tuple *t, int type)
{
- enum ctattr_type type = dir ? CTA_TUPLE_REPLY : CTA_TUPLE_ORIG;
struct nfattr *nest;
nest = nfnl_nest(&req->nlh, size, type);
@@ -329,9 +330,9 @@
struct ctnl_conntrack *ct)
{
ctnl_build_tuple(req, size, &ct->tuple[CTNL_DIR_ORIGINAL],
- CTNL_DIR_ORIGINAL);
+ CTA_TUPLE_ORIG);
ctnl_build_tuple(req, size, &ct->tuple[CTNL_DIR_REPLY],
- CTNL_DIR_REPLY);
+ CTA_TUPLE_REPLY);
nfnl_addattr_l(&req->nlh, size, CTA_STATUS, &ct->status,
sizeof(unsigned int));
@@ -382,6 +383,7 @@
{
struct nfnlhdr *req;
char buf[CTNL_BUFFSIZE];
+ int type = dir ? CTA_TUPLE_REPLY : CTA_TUPLE_ORIG;
memset(&buf, 0, sizeof(buf));
req = (void *) &buf;
@@ -390,7 +392,7 @@
0, AF_INET, 0, IPCTNL_MSG_CT_DELETE,
NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST|NLM_F_ACK);
- ctnl_build_tuple(req, sizeof(buf), tuple, dir);
+ ctnl_build_tuple(req, sizeof(buf), tuple, type);
if (nfnl_send(&cth->nfnlh, (struct nlmsghdr *)&buf) < 0)
return -1;
@@ -470,3 +472,96 @@
return nfnl_listen(&cth->nfnlh, &list_conntrack_handler, cth);
}
+
+/**
+ * ctnl_new_expect - create a new expectation
+ *
+ * cth: libctnetlink handle
+ * master_tuple: tuple of the master original direction
+ * t: direction, original or reply.
+ * exp_tuple: tuple of to-be-created expectation
+ * mask: mask of to-be-created expectation
+ * timeout: timeout of new expectation
+ */
+int ctnl_new_expect(struct ctnl_handle *cth,
+ struct ctnl_tuple *master,
+ struct ctnl_tuple *tuple,
+ struct ctnl_tuple *mask,
+ unsigned long timeout)
+{
+ struct nfnlhdr *req;
+ char buf[CTNL_BUFFSIZE];
+
+ memset(&buf, 0, sizeof(buf));
+ req = (void *) &buf;
+
+ nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
+ 0, AF_INET, 0, IPCTNL_MSG_EXP_NEW,
+ NLM_F_REQUEST|NLM_F_CREATE|NLM_F_ACK);
+
+ ctnl_build_tuple(req, sizeof(buf), master, CTA_EXPECT_MASTER);
+ ctnl_build_tuple(req, sizeof(buf), tuple, CTA_EXPECT_TUPLE);
+ ctnl_build_tuple(req, sizeof(buf), mask, CTA_EXPECT_MASK);
+
+ if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_EXPECT_TIMEOUT, &timeout,
+ sizeof(timeout)) < 0)
+ return -1;
+
+ if (nfnl_send(&cth->nfnlh, (struct nlmsghdr *)&buf) < 0 ) {
+ ctnl_error("error while nfnl_send\n");
+ return -1;
+ }
+
+ return nfnl_listen(&cth->nfnlh, &list_conntrack_handler, cth);
+}
+
+/**
+ * ctnl_del_expect - delete an expectation from conntrack subsystem
+ *
+ * cth: libctnetlink handle
+ * t: tuple of to-be-deleted expectation
+ */
+int ctnl_del_expect(struct ctnl_handle *cth,
+ struct ctnl_tuple *tuple)
+{
+ struct nfnlhdr *req;
+ char buf[CTNL_BUFFSIZE];
+
+ memset(&buf, 0, sizeof(buf));
+ req = (void *) &buf;
+
+ nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
+ 0, AF_INET, 0, IPCTNL_MSG_EXP_DELETE,
+ NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST|NLM_F_ACK);
+
+ ctnl_build_tuple(req, sizeof(buf), tuple, CTA_EXPECT_MASTER);
+
+ if (nfnl_send(&cth->nfnlh, (struct nlmsghdr *)&buf) < 0)
+ return -1;
+
+ return nfnl_listen(&cth->nfnlh, &list_conntrack_handler, cth);
+}
+
+int ctnl_get_expect(struct ctnl_handle *cth,
+ struct ctnl_tuple *tuple)
+{
+ struct nfnlhdr *req;
+ char buf[CTNL_BUFFSIZE];
+
+ memset(&buf, 0, sizeof(buf));
+ req = (void *) &buf;
+
+ nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
+ 0, AF_INET, 0, IPCTNL_MSG_EXP_GET,
+ NLM_F_REQUEST|NLM_F_ACK);
+
+ ctnl_build_tuple(req, sizeof(buf), tuple, CTA_EXPECT_MASTER);
+
+ if (nfnl_send(&cth->nfnlh, (struct nlmsghdr *)&buf) < 0 ) {
+ ctnl_error("error while nfnl_send\n");
+ return -1;
+ }
+
+ return nfnl_listen(&cth->nfnlh, &list_conntrack_handler, cth);
+}
+
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] updates for libnfnetlink_conntrack
2005-08-05 0:39 [PATCH] updates for libnfnetlink_conntrack Pablo Neira
@ 2005-08-05 12:50 ` Harald Welte
2005-08-05 13:04 ` Harald Welte
1 sibling, 0 replies; 3+ messages in thread
From: Harald Welte @ 2005-08-05 12:50 UTC (permalink / raw)
To: Pablo Neira; +Cc: Netfilter Development Mailinglist, Patrick McHardy
[-- Attachment #1: Type: text/plain, Size: 688 bytes --]
On Fri, Aug 05, 2005 at 02:39:45AM +0200, Pablo Neira wrote:
> @Harald: BTW, I can reach SVN to commit changes to conntrack (timeout error).
you can or you cannot?
> This patch includes the following updates for the userspace
> libnfnetlink_conntrack library:
ok, looks fine. I'll apply it right now.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] updates for libnfnetlink_conntrack
2005-08-05 0:39 [PATCH] updates for libnfnetlink_conntrack Pablo Neira
2005-08-05 12:50 ` Harald Welte
@ 2005-08-05 13:04 ` Harald Welte
1 sibling, 0 replies; 3+ messages in thread
From: Harald Welte @ 2005-08-05 13:04 UTC (permalink / raw)
To: Pablo Neira; +Cc: Netfilter Development Mailinglist, Patrick McHardy
[-- Attachment #1: Type: text/plain, Size: 653 bytes --]
On Fri, Aug 05, 2005 at 02:39:45AM +0200, Pablo Neira wrote:
> @Harald: BTW, I can reach SVN to commit changes to conntrack (timeout error).
the firewall (which was recently rebooted during an upgrade) was missing
a required rule to allow svn commit access. It's fixed now.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-08-05 13:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-05 0:39 [PATCH] updates for libnfnetlink_conntrack Pablo Neira
2005-08-05 12:50 ` Harald Welte
2005-08-05 13:04 ` Harald Welte
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.