[PATCH next] libnetfilter_conntrack: don't ignore ATTR_CONNLABELS

[PATCH next] libnetfilter_conntrack: don't ignore ATTR_CONNLABELS

[Afschin Hormozdiary]

The libnfnetlink based backend 'build.c' currently ignores
ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.

The libmnl based backend 'build_mnl.c' instead handles
both attributes correct.

Add function to set CTA_LABELS and CTA_LABELS_MASK
if required.

Signed-off-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
---
 src/conntrack/build.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/conntrack/build.c b/src/conntrack/build.c
index 2900027..4852536 100644
--- a/src/conntrack/build.c
+++ b/src/conntrack/build.c
@@ -398,6 +398,30 @@ static void __build_zone(struct nfnlhdr *req,
 	nfnl_addattr16(&req->nlh, size, CTA_ZONE, htons(ct->zone));
 }
 
+static void __build_labels(struct nfnlhdr *req,
+			   size_t size,
+			   const struct nf_conntrack *ct)
+{
+	struct nfct_bitmask *b = ct->connlabels;
+	unsigned int b_size = b->words * sizeof(b->bits[0]);
+
+	nfnl_addattr_l(&req->nlh,
+		       size,
+		       CTA_LABELS,
+		       b->bits,
+		       b_size);
+
+	if (test_bit(ATTR_CONNLABELS_MASK, ct->head.set)) {
+		b = ct->connlabels_mask;
+		if (b_size == (b->words * sizeof(b->bits[0])))
+			nfnl_addattr_l(&req->nlh,
+				       size,
+				       CTA_LABELS_MASK,
+				       b->bits,
+				       b_size);
+	}
+}
+
 int __build_conntrack(struct nfnl_subsys_handle *ssh,
 		      struct nfnlhdr *req,
 		      size_t size,
@@ -500,5 +524,8 @@ int __build_conntrack(struct nfnl_subsys_handle *ssh,
 	if (test_bit(ATTR_ZONE, ct->head.set))
 		__build_zone(req, size, ct);
 
+	if (test_bit(ATTR_CONNLABELS, ct->head.set))
+		__build_labels(req, size, ct);
+
 	return 0;
 }
-- 
1.8.2.2

Re: [PATCH next] libnetfilter_conntrack: don't ignore ATTR_CONNLABELS

[Pablo Neira Ayuso]

On Thu, May 16, 2013 at 11:30:43AM +0200, Afschin Hormozdiary wrote:
> The libnfnetlink based backend 'build.c' currently ignores
> ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.
> 
> The libmnl based backend 'build_mnl.c' instead handles
> both attributes correct.
> 
> Add function to set CTA_LABELS and CTA_LABELS_MASK
> if required.

I'm fine with this change, but you also need to modify the parsing
function not to leave connlabel support for the libnfnetlink-based API
incomplete.

Re: [PATCH next] libnetfilter_conntrack: don't ignore ATTR_CONNLABELS

[Afschin Hormozdiary]

On 05/16/2013 12:47 PM, Pablo Neira Ayuso wrote:
 > On Thu, May 16, 2013 at 11:30:43AM +0200, Afschin Hormozdiary wrote:
 >> The libnfnetlink based backend 'build.c' currently ignores
 >> ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.
 >>
 >> The libmnl based backend 'build_mnl.c' instead handles
 >> both attributes correct.
 >>
 >> Add function to set CTA_LABELS and CTA_LABELS_MASK
 >> if required.
 >
 > I'm fine with this change, but you also need to modify the parsing
 > function not to leave connlabel support for the libnfnetlink-based API
 > incomplete.

Good point, i will resend a patch that also includes the parsing function.