netfilter: nf_ct_expect: partially implement ctnetlink_change_expect

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This refreshes the "timeout" attribute in existing expectations if one is
given.

The use case for this would be for userspace helpers to extend the lifetime
of the expectation when requested, as this is not possible right now
without deleting/recreating the expectation.

I use this specifically for forwarding DCERPC traffic through:

DCERPC has a port mapper daemon that chooses a (seemingly) random port for
future traffic to go to. We expect this traffic (with a reasonable
timeout), but sometimes the port mapper will tell the client to continue
using the same port. This allows us to extend the expectation accordingly.

Signed-off-by: Kelvie Wong <kelvie@ieee.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Kelvie Wong and committed by

Pablo Neira Ayuso 14 years ago 9768e1ac 6d8ebc8a

+9 -1

1 changed file

expand all

net

netfilter

nf_conntrack_netlink.c

+9 -1

net/netfilter/nf_conntrack_netlink.c

··· 2080 2080 ctnetlink_change_expect(struct nf_conntrack_expect *x, 2081 2081 const struct nlattr * const cda[]) 2082 2082 { 2083 - return -EOPNOTSUPP; 2083 + if (cda[CTA_EXPECT_TIMEOUT]) { 2084 + if (!del_timer(&x->timeout)) 2085 + return -ETIME; 2086 + 2087 + x->timeout.expires = jiffies + 2088 + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 2089 + add_timer(&x->timeout); 2090 + } 2091 + return 0; 2084 2092 } 2085 2093 2086 2094 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {