Message ID | 20120606105900.32466.56533.sendpatchset@localhost.localdomain |
---|---|
State | Accepted |
On Wed, Jun 06, 2012 at 04:29:00PM +0530, Krishna Kumar wrote: > Implement API to set per-queue flags. This is initially used > to implement fail-open support in NFQUEUE. Applied with minor spots (see below), thanks. > Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com> > --- > include/libnetfilter_queue/libnetfilter_queue.h | 3 > include/libnetfilter_queue/linux_nfnetlink_queue.h | 5 + > src/libnetfilter_queue.c | 42 +++++++++++ > 3 files changed, 50 insertions(+) > > diff -ruNp org/include/libnetfilter_queue/libnetfilter_queue.h new/include/libnetfilter_queue/libnetfilter_queue.h > --- org/include/libnetfilter_queue/libnetfilter_queue.h 2012-06-06 10:07:21.863540677 +0530 > +++ new/include/libnetfilter_queue/libnetfilter_queue.h 2012-06-06 10:08:17.629962800 +0530 > @@ -56,6 +56,9 @@ extern int nfq_set_mode(struct nfq_q_han > int nfq_set_queue_maxlen(struct nfq_q_handle *qh, > u_int32_t queuelen); > > +extern int nfq_set_queue_flags(struct nfq_q_handle *qh, > + uint32_t mask, uint32_t flags); > + > extern int nfq_set_verdict(struct nfq_q_handle *qh, > u_int32_t id, > u_int32_t verdict, > diff -ruNp org/include/libnetfilter_queue/linux_nfnetlink_queue.h new/include/libnetfilter_queue/linux_nfnetlink_queue.h > --- org/include/libnetfilter_queue/linux_nfnetlink_queue.h 2012-06-06 10:07:21.874538295 +0530 > +++ new/include/libnetfilter_queue/linux_nfnetlink_queue.h 2012-06-06 15:41:51.912636134 +0530 
> @@ -87,8 +87,13 @@ enum nfqnl_attr_config { > NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */ > NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */ > NFQA_CFG_QUEUE_MAXLEN, /* u_int32_t */ > + NFQA_CFG_MASK, /* identify which flags to change */ > + NFQA_CFG_FLAGS, /* value of these flags (__u32) */ > __NFQA_CFG_MAX > }; > #define NFQA_CFG_MAX (__NFQA_CFG_MAX-1) > > +/* Flags/options for NFQA_CFG_FLAGS */ > +#define NFQA_CFG_F_FAIL_OPEN (1 << 0) added NFQA_CFG_F_CONNTRACK and _MAX. I've also bumped LIBVERSION. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff -ruNp org/include/libnetfilter_queue/libnetfilter_queue.h new/include/libnetfilter_queue/libnetfilter_queue.h
--- org/include/libnetfilter_queue/libnetfilter_queue.h 2012-06-06 10:07:21.863540677 +0530
+++ new/include/libnetfilter_queue/libnetfilter_queue.h 2012-06-06 10:08:17.629962800 +0530
@@ -56,6 +56,9 @@ extern int nfq_set_mode(struct nfq_q_han
 int nfq_set_queue_maxlen(struct nfq_q_handle *qh,
 u_int32_t queuelen);
 
+extern int nfq_set_queue_flags(struct nfq_q_handle *qh,
+ uint32_t mask, uint32_t flags);
+
 extern int nfq_set_verdict(struct nfq_q_handle *qh,
 u_int32_t id,
 u_int32_t verdict,
diff -ruNp org/include/libnetfilter_queue/linux_nfnetlink_queue.h new/include/libnetfilter_queue/linux_nfnetlink_queue.h
--- org/include/libnetfilter_queue/linux_nfnetlink_queue.h 2012-06-06 10:07:21.874538295 +0530
+++ new/include/libnetfilter_queue/linux_nfnetlink_queue.h 2012-06-06 15:41:51.912636134 +0530
@@ -87,8 +87,13 @@ enum nfqnl_attr_config {
 NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
 NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
 NFQA_CFG_QUEUE_MAXLEN, /* u_int32_t */
+ NFQA_CFG_MASK, /* identify which flags to change */
+ NFQA_CFG_FLAGS, /* value of these flags (__u32) */
 __NFQA_CFG_MAX
 };
 #define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
 
+/* Flags/options for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
+
 #endif /* _NFNETLINK_QUEUE_H */
diff -ruNp org/src/libnetfilter_queue.c new/src/libnetfilter_queue.c
--- org/src/libnetfilter_queue.c 2012-06-06 10:07:21.844663683 +0530
+++ new/src/libnetfilter_queue.c 2012-06-06 15:51:58.823725859 +0530
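Review bot: The new prototype in libnetfilter_queue.h spells its integer types `uint32_t`, while the neighbouring declarations visible in the same hunk (`nfq_set_queue_maxlen`, `nfq_set_verdict`) use `u_int32_t`. Besides the inconsistency, `uint32_t` requires `<stdint.h>` to be visible to every consumer of this public header, and the hunk does not show whether the header includes it. Either confirm the include is present or write the second line as `u_int32_t mask, u_int32_t flags);` to match the rest of the file.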
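Review bot: `NFQA_CFG_F_FAIL_OPEN` in linux_nfnetlink_queue.h is defined with no statement of what it changes, and for a packet-filtering queue that is the security-relevant part. Going by the commit message, the flag presumably makes the kernel let packets through instead of dropping them when the queue cannot take more, which means traffic passes without a userspace verdict whenever the consumer falls behind. I would expand the comment to say so, for example `/* NFQA_CFG_FLAGS bits. FAIL_OPEN: accept instead of drop when the queue is full; such packets are not seen by userspace */`, with the wording checked against the kernel side. Callers that enable it for availability should also be told to watch the queue's drop and overflow counters, since fail-open hides overload that fail-closed would make visible.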
@@ -602,6 +602,48 @@ int nfq_set_mode(struct nfq_q_handle *qh
 }
 
 /**
+ * nfq_set_queue_flags - set flags (options) for the kernel queue
+ * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
+ * \param mask specifies which flag bits to modify
+ * \param flag bitmask of flags
+ *
+ * Here's a little code snippet to show how to use this API:
+ * \verbatim
+ uint32_t flags = NFQA_CFG_F_FAIL_OPEN;
+ uint32_t mask = NFQA_CFG_F_FAIL_OPEN;
+
+ printf("Enabling fail-open on this q\n");
+ err = nfq_set_queue_flags(qh, mask, flags);
+
+ printf("Disabling fail-open on this q\n");
+ flags &= ~NFQA_CFG_F_FAIL_OPEN;
+ err = nfq_set_queue_flags(qh, mask, flags);
+\endverbatim
+ * \return -1 on error with errno set appropriately; =0 otherwise.
+ */
+int nfq_set_queue_flags(struct nfq_q_handle *qh,
+ uint32_t mask, uint32_t flags)
+{
+ union {
+ char buf[NFNL_HEADER_LEN
+ +NFA_LENGTH(sizeof(mask)
+ +NFA_LENGTH(sizeof(flags)))];
+ struct nlmsghdr nmh;
+ } u;
+
+ mask = htonl(mask);
+ flags = htonl(flags);
+
+ nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
+ NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
+
+ nfnl_addattr32(&u.nmh, sizeof(u), NFQA_CFG_FLAGS, flags);
+ nfnl_addattr32(&u.nmh, sizeof(u), NFQA_CFG_MASK, mask);
+
+ return nfnl_query(qh->h->nfnlh, &u.nmh);
+}
+
+/**
 * nfq_set_queue_maxlen - Set kernel queue maximum length parameter
 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
 * \param queuelen the length of the queue
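Review bot: The size expression for `u.buf` in nfq_set_queue_flags() nests the second `NFA_LENGTH` inside the first, so it sizes one attribute whose payload is `sizeof(mask)` plus another attribute's length, rather than two separate attributes. If `NFA_LENGTH` only adds the aligned attribute header to its argument, as I believe libnfnetlink defines it, the total happens to equal the intended one and nothing overflows, but the sizing is right by accident. Writing the two lines as `+NFA_LENGTH(sizeof(mask))` and `+NFA_LENGTH(sizeof(flags))];` states it directly. The results of both `nfnl_addattr32()` calls are also ignored, so if the buffer were ever too small the request would presumably go out missing an attribute instead of failing. Separately, the Doxygen line `\param flag` should read `\param flags` to match the parameter name.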
Implement API to set per-queue flags. This is initially used to implement fail-open support in NFQUEUE. Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com> --- include/libnetfilter_queue/libnetfilter_queue.h | 3 include/libnetfilter_queue/linux_nfnetlink_queue.h | 5 + src/libnetfilter_queue.c | 42 +++++++++++ 3 files changed, 50 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html