
Commit 33923153 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller

[NETFILTER] ctnetlink: allow userspace to change TCP state



This patch adds the ability to change the state of a TCP connection. I know
that this must be used with care but it's required to provide a complete
conntrack creation via conntrack_netlink. So I'll document this aspect on
the upcoming docs.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarHarald Welte <laforge@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a051a8f7
+3 −0
@@ -52,6 +52,9 @@ struct ip_conntrack_protocol
	int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
			 const struct ip_conntrack *ct);

	/* convert nfnetlink attributes to protoinfo */
	int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct);

	int (*tuple_to_nfattr)(struct sk_buff *skb,
			       const struct ip_conntrack_tuple *t);
	int (*nfattr_to_tuple)(struct nfattr *tb[],
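Review bot: The comment on the new from_nfattr callback does not state the contract implementers and ctnetlink callers rely on: the return convention and the fact that the attributes come straight from userspace, so the callback itself must validate their contents before writing protocol state. A fuller comment such as `/* convert nfnetlink attributes to protoinfo; returns 0 on success, negative on error; must validate the attribute contents itself */` would make that explicit. The struct this hunk belongs to starts and ends outside the hunk.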
+23 −0
@@ -356,6 +356,28 @@ static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa,
	read_unlock_bh(&tcp_lock);
	return -1;
}

static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
{
	struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
	struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];

        if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
                goto nfattr_failure;

	if (!tb[CTA_PROTOINFO_TCP_STATE-1])
		return -EINVAL;

	write_lock_bh(&tcp_lock);
	ct->proto.tcp.state = 
		*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
	write_unlock_bh(&tcp_lock);

	return 0;

nfattr_failure:
	return -1;
}
#endif

static unsigned int get_conntrack_index(const struct tcphdr *tcph)
@@ -1127,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
	.to_nfattr		= tcp_to_nfattr,
	.from_nfattr		= nfattr_to_tcp,
	.tuple_to_nfattr	= ip_ct_port_tuple_to_nfattr,
	.nfattr_to_tuple	= ip_ct_port_nfattr_to_tuple,
#endif
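Review bot: nfattr_to_tcp (first hunk of this section) stores the userspace-supplied byte into ct->proto.tcp.state with no range check, so a value at or above TCP_CONNTRACK_MAX is accepted and, presumably, later used as an index into the tracker's per-state tables. Read and validate it before taking the lock, `u_int8_t state = *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); if (state >= TCP_CONNTRACK_MAX) return -EINVAL;`, then assign `state` under tcp_lock. It is not visible here whether nfattr_parse_nested checks that the attribute payload is at least one byte long; if it does not, the dereference also needs an NFA_PAYLOAD length check. The error paths mix conventions (-EINVAL for a missing attribute, a bare -1 via the nfattr_failure label for a parse error); returning -EINVAL in both cases and dropping the label would let ctnetlink propagate a consistent errno. The two lines under the nfattr_parse_nested call are space-indented while the rest of the file uses tabs.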