[libnetfilter_conntrack] helper: explicit helper assignation support

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Mon Oct 13 13:31:03 CEST 2008 

Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=6dd45b13115d77860a8e3b37caa1560cbcfd265c
commit 6dd45b13115d77860a8e3b37caa1560cbcfd265c
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Oct 13 13:30:44 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Oct 13 13:30:44 2008 +0200

    helper: explicit helper assignation support
    
    This patch adds support for explicit helper assignation. This support
    will not be of any help without the appropriate kernel support that will
    go into the Linux kernel 2.6.29 -sic-.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  6dd45b13115d77860a8e3b37caa1560cbcfd265c (commit)
      from  fb92f85dcc664ad94c1d2919b729086eee774893 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6dd45b13115d77860a8e3b37caa1560cbcfd265c
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 13 13:30:44 2008 +0200

    helper: explicit helper assignation support
    
    This patch adds support for explicit helper assignation. This support
    will not be of any help without the appropriate kernel support that will
    go into the Linux kernel 2.6.29 -sic-.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 include/internal/object.h                          |    3 +++
 .../libnetfilter_conntrack.h                       |    1 +
 src/conntrack/build.c                              |   18 ++++++++++++++++++
 src/conntrack/getter.c                             |    6 ++++++
 src/conntrack/parse.c                              |   19 +++++++++++++++++++
 src/conntrack/setter.c                             |    7 +++++++
 utils/conntrack_create.c                           |    1 +
 7 files changed, 55 insertions(+), 0 deletions(-)
This patch adds support for explicit helper assignation. This support
will not be of any help without the appropriate kernel support that will
go into the Linux kernel 2.6.29 -sic-.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/include/internal/object.h b/include/internal/object.h
index e39a576..f68d340 100644
--- a/include/internal/object.h
+++ b/include/internal/object.h
@@ -138,6 +138,9 @@ struct nf_conntrack {
 	u_int32_t	use;
 	u_int32_t	id;
 
+#define __NFCT_HELPER_NAMELEN		30	/* same length in xt_helper */
+	char 		helper_name[__NFCT_HELPER_NAMELEN];
+
 	union __nfct_protoinfo 	protoinfo;
 	struct __nfct_counters 	counters[__DIR_MAX];
 	struct __nfct_nat 	snat;
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 46eed0a..e66f0f8 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -120,6 +120,7 @@ enum nf_conntrack_attr {
 	ATTR_SCTP_STATE = 52,			/* u8 bits */
 	ATTR_SCTP_VTAG_ORIG,			/* u32 bits */
 	ATTR_SCTP_VTAG_REPL,			/* u32 bits */
+	ATTR_HELPER_NAME,			/* string (30 bytes max) */
 	ATTR_MAX
 };
 
diff --git a/src/conntrack/build.c b/src/conntrack/build.c
index 1bc87f9..f9d6f8e 100644
--- a/src/conntrack/build.c
+++ b/src/conntrack/build.c
@@ -308,6 +308,21 @@ void __build_secmark(struct nfnlhdr *req,
 	nfnl_addattr32(&req->nlh, size, CTA_SECMARK, htonl(ct->secmark));
 }
 
+void __build_helper_name(struct nfnlhdr *req,
+			 size_t size,
+			 const struct nf_conntrack *ct)
+{
+	struct nfattr *nest;
+
+	nest = nfnl_nest(&req->nlh, size, CTA_HELP);
+	nfnl_addattr_l(&req->nlh,
+		       size, 
+		       CTA_HELP_NAME,
+		       ct->helper_name,
+		       strlen(ct->helper_name));
+	nfnl_nest_end(&req->nlh, nest);
+}
+
 int __build_conntrack(struct nfnl_subsys_handle *ssh,
 		      struct nfnlhdr *req,
 		      size_t size,
@@ -417,5 +432,8 @@ int __build_conntrack(struct nfnl_subsys_handle *ssh,
 	    test_bit(ATTR_REPL_NAT_SEQ_OFFSET_AFTER, ct->set))
 	    	__build_nat_seq_adj(req, size, ct, __DIR_REPL);
 
+	if (test_bit(ATTR_HELPER_NAME, ct->set))
+		__build_helper_name(req, size, ct);
+
 	return 0;
 }
diff --git a/src/conntrack/getter.c b/src/conntrack/getter.c
index 20a2a35..658d010 100644
--- a/src/conntrack/getter.c
+++ b/src/conntrack/getter.c
@@ -282,6 +282,11 @@ static const void *get_attr_repl_off_aft(const struct nf_conntrack *ct)
 	return &ct->tuple[__DIR_REPL].natseq.offset_after;
 }
 
+static const void *get_attr_helper_name(const struct nf_conntrack *ct)
+{
+	return ct->helper_name;
+}
+
 get_attr get_attr_array[] = {
 	[ATTR_ORIG_IPV4_SRC]		= get_attr_orig_ipv4_src,
 	[ATTR_ORIG_IPV4_DST] 		= get_attr_orig_ipv4_dst,
@@ -338,4 +343,5 @@ get_attr get_attr_array[] = {
 	[ATTR_SCTP_STATE]		= get_attr_sctp_state,
 	[ATTR_SCTP_VTAG_ORIG]		= get_attr_sctp_vtag_orig,
 	[ATTR_SCTP_VTAG_REPL]		= get_attr_sctp_vtag_repl,
+	[ATTR_HELPER_NAME]		= get_attr_helper_name,
 };
diff --git a/src/conntrack/parse.c b/src/conntrack/parse.c
index 11cf5ff..d453bc6 100644
--- a/src/conntrack/parse.c
+++ b/src/conntrack/parse.c
@@ -356,6 +356,22 @@ __parse_nat_seq(const struct nfattr *attr, struct nf_conntrack *ct, int dir)
 	}
 }
 
+static void 
+__parse_helper(const struct nfattr *attr, struct nf_conntrack *ct)
+{
+	struct nfattr *tb[CTA_HELP_MAX];
+
+	nfnl_parse_nested(tb, CTA_HELP_MAX, attr);
+	if (!tb[CTA_HELP_NAME-1])
+		return;
+
+	strncpy(ct->helper_name, 
+		NFA_DATA(tb[CTA_HELP_NAME-1]),
+		__NFCT_HELPER_NAMELEN);
+	ct->helper_name[__NFCT_HELPER_NAMELEN-1] = '\0';
+	set_bit(ATTR_HELPER_NAME, ct->set);
+}
+
 int __parse_message_type(const struct nlmsghdr *nlh)
 {
 	u_int16_t type = NFNL_MSG_TYPE(nlh->nlmsg_type);
@@ -447,4 +463,7 @@ void __parse_conntrack(const struct nlmsghdr *nlh,
 		ct->id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
 		set_bit(ATTR_ID, ct->set);
 	}
+
+	if (cda[CTA_HELP-1])
+		__parse_helper(cda[CTA_HELP-1], ct);
 }
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 6759652..3291bd1 100644
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
@@ -308,6 +308,12 @@ static void set_attr_repl_off_aft(struct nf_conntrack *ct, const void *value)
 	ct->tuple[__DIR_REPL].natseq.offset_after = *((u_int32_t *) value);
 }
 
+static void set_attr_helper_name(struct nf_conntrack *ct, const void *value)
+{
+	strncpy(ct->helper_name, value, __NFCT_HELPER_NAMELEN);
+	ct->helper_name[__NFCT_HELPER_NAMELEN-1] = '\0';
+}
+
 static void set_attr_do_nothing(struct nf_conntrack *ct, const void *value) {}
 
 set_attr set_attr_array[] = {
@@ -366,4 +372,5 @@ set_attr set_attr_array[] = {
 	[ATTR_SCTP_STATE]	= set_attr_sctp_state,
 	[ATTR_SCTP_VTAG_ORIG]	= set_attr_sctp_vtag_orig,
 	[ATTR_SCTP_VTAG_REPL]	= set_attr_sctp_vtag_repl,
+	[ATTR_HELPER_NAME]	= set_attr_helper_name,
 };
diff --git a/utils/conntrack_create.c b/utils/conntrack_create.c
index bc591b5..34efa57 100644
--- a/utils/conntrack_create.c
+++ b/utils/conntrack_create.c
@@ -29,6 +29,7 @@ int main()
 
 	nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN);
 	nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100);
+	nfct_set_attr(ct, ATTR_HELPER_NAME, "ftp");
 
 	h = nfct_open(CONNTRACK, 0);
 	if (!h) {

More information about the netfilter-cvslog mailing list