Message ID | a17383ac-860c-4a6f-baf1-a382ce895a5c@DE-WIE-EXCH3A.green.sophos |
---|---|
State | RFC |

On Thu, May 16, 2013 at 11:30:43AM +0200, Afschin Hormozdiary wrote:
> The libnfnetlink based backend 'build.c' currently ignores
> ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.
>
> The libmnl based backend 'build_mnl.c' instead handles
> both attributes correctly.
>
> Add function to set CTA_LABELS and CTA_LABELS_MASK
> if required.

I'm fine with this change, but you also need to modify the parsing function not to leave connlabel support for the libnfnetlink-based API incomplete.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On 05/16/2013 12:47 PM, Pablo Neira Ayuso wrote:
> On Thu, May 16, 2013 at 11:30:43AM +0200, Afschin Hormozdiary wrote:
>> The libnfnetlink based backend 'build.c' currently ignores
>> ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.
>>
>> The libmnl based backend 'build_mnl.c' instead handles
>> both attributes correctly.
>>
>> Add function to set CTA_LABELS and CTA_LABELS_MASK
>> if required.
>
> I'm fine with this change, but you also need to modify the parsing
> function not to leave connlabel support for the libnfnetlink-based API
> incomplete.

Good point, I will resend a patch that also includes the parsing function.

diff --git a/src/conntrack/build.c b/src/conntrack/build.c index 2900027..4852536 100644 --- a/src/conntrack/build.c +++ b/src/conntrack/build.c @@ -398,6 +398,30 @@ static void __build_zone(struct nfnlhdr *req, nfnl_addattr16(&req->nlh, size, CTA_ZONE, htons(ct->zone)); } +static void __build_labels(struct nfnlhdr *req, + size_t size, + const struct nf_conntrack *ct) +{ + struct nfct_bitmask *b = ct->connlabels; + unsigned int b_size = b->words * sizeof(b->bits[0]); + + nfnl_addattr_l(&req->nlh, + size, + CTA_LABELS, + b->bits, + b_size); + + if (test_bit(ATTR_CONNLABELS_MASK, ct->head.set)) { + b = ct->connlabels_mask; + if (b_size == (b->words * sizeof(b->bits[0]))) + nfnl_addattr_l(&req->nlh, + size, + CTA_LABELS_MASK, + b->bits, + b_size); + } +} + int __build_conntrack(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_t size, @@ -500,5 +524,8 @@ int __build_conntrack(struct nfnl_subsys_handle *ssh, if (test_bit(ATTR_ZONE, ct->head.set)) __build_zone(req, size, ct); + if (test_bit(ATTR_CONNLABELS, ct->head.set)) + __build_labels(req, size, ct); + return 0; }
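
Review bot: In __build_labels(), when ATTR_CONNLABELS_MASK is set but the mask's size differs from b_size, CTA_LABELS_MASK is skipped silently, and because the function returns void, __build_conntrack() cannot report it. Consider returning an error in that case, so the request is not sent with labels but without the mask the caller asked for, or add a comment stating that the mismatch is deliberately ignored. The return value of nfnl_addattr_l() is also discarded on both calls.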
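
Review bot: In __build_conntrack(), __build_labels() runs only when ATTR_CONNLABELS is set, so an object with only ATTR_CONNLABELS_MASK set produces no CTA_LABELS_MASK and no error. If a mask without labels is meant to be invalid, say so in a comment next to the test_bit(ATTR_CONNLABELS, ct->head.set) check; otherwise handle the mask independently of the labels.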

The libnfnetlink based backend 'build.c' currently ignores
ATTR_CONNLABELS and ATTR_CONNLABELS_MASK.

The libmnl based backend 'build_mnl.c' instead handles
both attributes correctly.

Add function to set CTA_LABELS and CTA_LABELS_MASK
if required.

Signed-off-by: Afschin Hormozdiary <Afschin.Hormozdiary@sophos.com>
---
 src/conntrack/build.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)