Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

netfilter: ctnetlink: deliver labels to userspace

Introduce CTA_LABELS attribute to send a bit-vector of currently active labels
to userspace.

Future patch will permit userspace to also set/delete active labels.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal 12 years ago
parent
c539f01717
commit
0ceabd8387
4 changed files with 44 additions and 1 deletions
Split View Show Diff Stats
  1. 1 0
      include/uapi/linux/netfilter/nf_conntrack_common.h
  2. 1 0
      include/uapi/linux/netfilter/nfnetlink_conntrack.h
  3. 1 1
      net/netfilter/nf_conntrack_labels.c
  4. 41 0
      net/netfilter/nf_conntrack_netlink.c

+ 1 - 0
include/uapi/linux/netfilter/nf_conntrack_common.h
View File 

@@ -101,6 +101,7 @@ enum ip_conntrack_events {
 
 	IPCT_MARK,		/* new mark has been set */
 
 	IPCT_NATSEQADJ,		/* NAT is doing sequence adjustment */
 
 	IPCT_SECMARK,		/* new security mark has been set */
 
+	IPCT_LABEL,		/* new connlabel has been set */
 
 };
 
 
 enum ip_conntrack_expect_events {

+ 1 - 0
include/uapi/linux/netfilter/nfnetlink_conntrack.h
View File 

@@ -49,6 +49,7 @@ enum ctattr_type {
 
 	CTA_SECCTX,
 
 	CTA_TIMESTAMP,
 
 	CTA_MARK_MASK,
 
+	CTA_LABELS,
 
 	__CTA_MAX
 
 };
 
 #define CTA_MAX (__CTA_MAX - 1)

+ 1 - 1
net/netfilter/nf_conntrack_labels.c
View File 

@@ -46,7 +46,7 @@ int nf_connlabel_set(struct nf_conn *ct, u16 bit)
 
 		return 0;
 
 
 	if (test_and_set_bit(bit, labels->bits))
 
-		return 0;
 
+		nf_conntrack_event_cache(IPCT_LABEL, ct);
 
 
 	return 0;
 
 }

+ 41 - 0
net/netfilter/nf_conntrack_netlink.c
View File 

@@ -324,6 +324,40 @@ nla_put_failure:
 
 #define ctnetlink_dump_secctx(a, b) (0)
 
 #endif
 
 
+#ifdef CONFIG_NF_CONNTRACK_LABELS
 
+static int ctnetlink_label_size(const struct nf_conn *ct)
 
+{
 
+	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
 
+
 
+	if (!labels)
 
+		return 0;
 
+	return nla_total_size(labels->words * sizeof(long));
 
+}
 
+
 
+static int
 
+ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
 
+{
 
+	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
 
+	unsigned int len, i;
 
+
 
+	if (!labels)
 
+		return 0;
 
+
 
+	len = labels->words * sizeof(long);
 
+	i = 0;
 
+	do {
 
+		if (labels->bits[i] != 0)
 
+			return nla_put(skb, CTA_LABELS, len, labels->bits);
 
+		i++;
 
+	} while (i < labels->words);
 
+
 
+	return 0;
 
+}
 
+#else
 
+#define ctnetlink_dump_labels(a, b) (0)
 
+#define ctnetlink_label_size(a)	(0)
 
+#endif
 
+
 
 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
 
 
 static inline int
 
@@ -464,6 +498,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
 
 	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
 
 	    ctnetlink_dump_mark(skb, ct) < 0 ||
 
 	    ctnetlink_dump_secctx(skb, ct) < 0 ||
 
+	    ctnetlink_dump_labels(skb, ct) < 0 ||
 
 	    ctnetlink_dump_id(skb, ct) < 0 ||
 
 	    ctnetlink_dump_use(skb, ct) < 0 ||
 
 	    ctnetlink_dump_master(skb, ct) < 0 ||
 
@@ -562,6 +597,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
 
 	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
 
 #endif
 
 	       + ctnetlink_proto_size(ct)
 
+	       + ctnetlink_label_size(ct)
 
 	       ;
 
 }
 
 
@@ -663,6 +699,9 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
 
 		    && ctnetlink_dump_secctx(skb, ct) < 0)
 
 			goto nla_put_failure;
 
 #endif
 
+		if (events & (1 << IPCT_LABEL) &&
 
+		     ctnetlink_dump_labels(skb, ct) < 0)
 
+			goto nla_put_failure;
 
 
 		if (events & (1 << IPCT_RELATED) &&
 
 		    ctnetlink_dump_master(skb, ct) < 0)
 
@@ -1986,6 +2025,8 @@ ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
 
 	if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
 
 		goto nla_put_failure;
 
 #endif
 
+	if (ctnetlink_dump_labels(skb, ct) < 0)
 
+		goto nla_put_failure;
 
 	rcu_read_unlock();
 
 	return 0;