netfilter: ctnetlink: allow to specify the expectation flags

With this patch, you can specify the expectation flags for user-space
created expectations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 1afd18c855ec99d9cf8cb4b9570b06b6e28b74d2..fdc50cae861fa1547100dd63bd1ea7d3f45c2ac1 100644 (file)
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -100,6 +100,10 @@ enum ip_conntrack_expect_events {
        IPEXP_NEW,              /* new expectation */
 };
 
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT         0x1
+#define NF_CT_EXPECT_INACTIVE          0x2
+
 #ifdef __KERNEL__
 struct ip_conntrack_stat {
        unsigned int searched;

diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 9ed534c991b9312d84876c9162ed63e5ef2b5c66..455f0ce4f43041e5e4226764f71e48e7a8b6d4e1 100644 (file)
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -161,6 +161,7 @@ enum ctattr_expect {
        CTA_EXPECT_ID,
        CTA_EXPECT_HELP_NAME,
        CTA_EXPECT_ZONE,
+       CTA_EXPECT_FLAGS,
        __CTA_EXPECT_MAX
 };
 #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 11e815084fcf05cb1a680b3c61968a1eb66a1ac5..96bb42af5fae63e7823ff3359ed06a5c488ae6b1 100644 (file)
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -67,9 +67,6 @@ struct nf_conntrack_expect_policy {
 
 #define NF_CT_EXPECT_CLASS_DEFAULT     0
 
-#define NF_CT_EXPECT_PERMANENT 0x1
-#define NF_CT_EXPECT_INACTIVE  0x2
-
 int nf_conntrack_expect_init(struct net *net);
 void nf_conntrack_expect_fini(struct net *net);
 

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 37533a30413b0c9c14054fab300bdd75a57b0620..0804e0ef6500d37103c7d329b8d2d618060ddcb6 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1577,6 +1577,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
 
        NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout));
        NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp));
+       NLA_PUT_BE32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags));
        helper = rcu_dereference(nfct_help(master)->helper);
        if (helper)
                NLA_PUT_STRING(skb, CTA_EXPECT_HELP_NAME, helper->name);
@@ -1734,6 +1735,7 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
        [CTA_EXPECT_ID]         = { .type = NLA_U32 },
        [CTA_EXPECT_HELP_NAME]  = { .type = NLA_NUL_STRING },
        [CTA_EXPECT_ZONE]       = { .type = NLA_U16 },
+       [CTA_EXPECT_FLAGS]      = { .type = NLA_U32 },
 };
 
 static int
@@ -1933,9 +1935,13 @@ ctnetlink_create_expect(struct net *net, u16 zone,
                goto out;
        }
 
+       if (cda[CTA_EXPECT_FLAGS])
+               exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
+       else
+               exp->flags = 0;
+
        exp->class = 0;
        exp->expectfn = NULL;
-       exp->flags = 0;
        exp->master = ct;
        exp->helper = NULL;
        memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));