
[NETFILTER] ctnetlink: allow userspace to change TCP state

This patch adds the ability to change the state of a TCP connection. I know
that this must be used with care, but it's required to provide complete
conntrack creation via conntrack_netlink. So I'll document this aspect in
the upcoming docs.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Pablo Neira Ayuso and committed by
David S. Miller
33923153 a051a8f7

+26
+3
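--- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
@@ -52,6 +52,9 @@
 	int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
 			 const struct ip_conntrack *ct);
 
+	/* convert nfnetlink attributes to protoinfo */
+	int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct);
+
 	int (*tuple_to_nfattr)(struct sk_buff *skb,
 			       const struct ip_conntrack_tuple *t);
 	int (*nfattr_to_tuple)(struct nfattr *tb[],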
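Review bot: The comment on the new `from_nfattr` callback does not state its return contract, and the only implementation in this commit (`nfattr_to_tcp`) mixes a bare `-1` with `-EINVAL`, so a protocol author has nothing to follow. I would extend the comment to `/* convert nfnetlink attributes to protoinfo; returns 0 on success, negative errno on error */` and have the implementation return negative errno values throughout. The attribute array is indexed with `CTA_PROTOINFO_*-1`, which is worth mentioning here too since it is easy to get wrong in a new implementation.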
+23
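--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -356,6 +356,28 @@
 	read_unlock_bh(&tcp_lock);
 	return -1;
 }
+
+static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
+{
+	struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
+	struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
+
+	if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
+		goto nfattr_failure;
+
+	if (!tb[CTA_PROTOINFO_TCP_STATE-1])
+		return -EINVAL;
+
+	write_lock_bh(&tcp_lock);
+	ct->proto.tcp.state =
+		*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
+	write_unlock_bh(&tcp_lock);
+
+	return 0;
+
+nfattr_failure:
+	return -1;
+}
 #endif
 
 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
@@ -1149,6 +1127,7 @@
 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
     defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
 	.to_nfattr = tcp_to_nfattr,
+	.from_nfattr = nfattr_to_tcp,
 	.tuple_to_nfattr = ip_ct_port_tuple_to_nfattr,
 	.nfattr_to_tuple = ip_ct_port_nfattr_to_tuple,
 #endif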
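Review bot: `nfattr_to_tcp` stores the userspace-supplied byte into `ct->proto.tcp.state` without checking its range, yet elsewhere in this file the state is used as an index into the TCP timeout and state-transition tables, so an out-of-range value from a netlink message becomes an out-of-bounds table read on the next packet. Validate before taking the lock: `u_int8_t state = *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); if (state >= TCP_CONNTRACK_MAX) return -EINVAL;` and then assign `state` under `tcp_lock`. Two smaller points in the same function: `attr` is passed to `nfattr_parse_nested` without a NULL check, which is only safe if the caller guarantees CTA_PROTOINFO_TCP is present (not visible here, worth confirming or adding `if (!attr) return -EINVAL;`), and the `nfattr_failure` label only returns `-1`, so `return -EINVAL;` inline would drop the goto and make the error convention consistent. The `#if` that pairs with the `#endif` at the end of the first hunk is outside the hunk.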