diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2005-10-11 00:23:28 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2005-10-11 00:23:28 -0400 |
| commit | 339231537506846cb232a2f0cc4a2c662b2d5b07 (patch) | |
| tree | 76846aa4c8b94b2bc9caaaa9650c46658fad4fe9 | |
| parent | a051a8f7306476af0a74370ad56e793cb6c43bf7 (diff) | |
[NETFILTER] ctnetlink: allow userspace to change TCP state
This patch adds the ability of changing the state a TCP connection. I know
that this must be used with care but it's required to provide a complete
conntrack creation via conntrack_netlink. So I'll document this aspect on
the upcoming docs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack_protocol.h | 3 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 23 |
2 files changed, 26 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h index b6b99be8632a..2c76b879e3dc 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h | |||
| @@ -52,6 +52,9 @@ struct ip_conntrack_protocol | |||
| 52 | int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, | 52 | int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, |
| 53 | const struct ip_conntrack *ct); | 53 | const struct ip_conntrack *ct); |
| 54 | 54 | ||
| 55 | /* convert nfnetlink attributes to protoinfo */ | ||
| 56 | int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct); | ||
| 57 | |||
| 55 | int (*tuple_to_nfattr)(struct sk_buff *skb, | 58 | int (*tuple_to_nfattr)(struct sk_buff *skb, |
| 56 | const struct ip_conntrack_tuple *t); | 59 | const struct ip_conntrack_tuple *t); |
| 57 | int (*nfattr_to_tuple)(struct nfattr *tb[], | 60 | int (*nfattr_to_tuple)(struct nfattr *tb[], |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index 75e27e65c28f..d6701cafbcc2 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c | |||
| @@ -356,6 +356,28 @@ nfattr_failure: | |||
| 356 | read_unlock_bh(&tcp_lock); | 356 | read_unlock_bh(&tcp_lock); |
| 357 | return -1; | 357 | return -1; |
| 358 | } | 358 | } |
| 359 | |||
| 360 | static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct) | ||
| 361 | { | ||
| 362 | struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1]; | ||
| 363 | struct nfattr *tb[CTA_PROTOINFO_TCP_MAX]; | ||
| 364 | |||
| 365 | if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0) | ||
| 366 | goto nfattr_failure; | ||
| 367 | |||
| 368 | if (!tb[CTA_PROTOINFO_TCP_STATE-1]) | ||
| 369 | return -EINVAL; | ||
| 370 | |||
| 371 | write_lock_bh(&tcp_lock); | ||
| 372 | ct->proto.tcp.state = | ||
| 373 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); | ||
| 374 | write_unlock_bh(&tcp_lock); | ||
| 375 | |||
| 376 | return 0; | ||
| 377 | |||
| 378 | nfattr_failure: | ||
| 379 | return -1; | ||
| 380 | } | ||
| 359 | #endif | 381 | #endif |
| 360 | 382 | ||
| 361 | static unsigned int get_conntrack_index(const struct tcphdr *tcph) | 383 | static unsigned int get_conntrack_index(const struct tcphdr *tcph) |
| @@ -1127,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp = | |||
| 1127 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | 1149 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ |
| 1128 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | 1150 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) |
| 1129 | .to_nfattr = tcp_to_nfattr, | 1151 | .to_nfattr = tcp_to_nfattr, |
| 1152 | .from_nfattr = nfattr_to_tcp, | ||
| 1130 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, | 1153 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, |
| 1131 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, | 1154 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, |
| 1132 | #endif | 1155 | #endif |