[conntrack-tools] src: synproxy support

Message ID	20180314141448.3023-1-pablo@netfilter.org
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> sender: pneira@us.es) by entrada.int (Postfix) with ESMTPA id 17D0941A3F20 for <netfilter-devel@vger.kernel.org>; Wed, 14 Mar 2018 15:14:47 +0100 (CET) From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Subject: [PATCH conntrack-tools] src: synproxy support Date: Wed, 14 Mar 2018 15:14:48 +0100 Message-Id: <20180314141448.3023-1-pablo@netfilter.org> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	[conntrack-tools] src: synproxy support \| expand [conntrack-tools] src: synproxy support

Message ID

20180314141448.3023-1-pablo@netfilter.org

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH conntrack-tools] src: synproxy support
Date: Wed, 14 Mar 2018 15:14:48 +0100
Message-Id: <20180314141448.3023-1-pablo@netfilter.org>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

[conntrack-tools] src: synproxy support | expand

Commit Message

Pablo Neira Ayuso March 14, 2018, 2:14 p.m. UTC

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/network.h |  7 +++++++
 src/build.c       | 16 ++++++++++++++++
 src/parse.c       | 14 ++++++++++++++
 3 files changed, 37 insertions(+)

diff --git a/include/network.h b/include/network.h
index ec9fadf8dc6f..95aad8232bc8 100644
--- a/include/network.h
+++ b/include/network.h
@@ -231,6 +231,7 @@  enum nta_attr {
 	NTA_LABELS,		/* array of uint32_t (variable length) */
 	NTA_SNAT_IPV6,		/* uint32_t * 4 */
 	NTA_DNAT_IPV6,		/* uint32_t * 4 */
+	NTA_SYNPROXY,		/* struct nft_attr_synproxy */
 	NTA_MAX
 };
 
@@ -246,6 +247,12 @@  struct nta_attr_natseqadj {
 	uint32_t repl_seq_offset_after;
 };
 
+struct nta_attr_synproxy {
+	uint32_t its;
+	uint32_t isn;
+	uint32_t tsoff;
+};
+
 void ct2msg(const struct nf_conntrack *ct, struct nethdr *n);
 int msg2ct(struct nf_conntrack *ct, struct nethdr *n, size_t remain);
 
diff --git a/src/build.c b/src/build.c
index 540330030de4..99ff230ff58d 100644
--- a/src/build.c
+++ b/src/build.c
@@ -107,6 +107,17 @@  ct_build_natseqadj(const struct nf_conntrack *ct, struct nethdr *n)
 	addattr(n, NTA_NAT_SEQ_ADJ, &data, sizeof(struct nta_attr_natseqadj));
 }
 
+static inline void
+ct_build_synproxy(const struct nf_conntrack *ct, struct nethdr *n)
+{
+	struct nta_attr_synproxy data = {
+		.isn	= htonl(nfct_get_attr_u32(ct, ATTR_SYNPROXY_ISN)),
+		.its	= htonl(nfct_get_attr_u32(ct, ATTR_SYNPROXY_ITS)),
+		.tsoff	= htonl(nfct_get_attr_u32(ct, ATTR_SYNPROXY_TSOFF)),
+	};
+	addattr(n, NTA_SYNPROXY, &data, sizeof(struct nta_attr_synproxy));
+}
+
 static enum nf_conntrack_attr nat_type[] =
 	{ ATTR_ORIG_NAT_SEQ_CORRECTION_POS, ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE,
 	  ATTR_ORIG_NAT_SEQ_OFFSET_AFTER, ATTR_REPL_NAT_SEQ_CORRECTION_POS,
@@ -299,6 +310,11 @@  void ct2msg(const struct nf_conntrack *ct, struct nethdr *n)
 
 	if (nfct_attr_is_set(ct, ATTR_CONNLABELS))
 		ct_build_clabel(ct, n);
+
+	if (nfct_attr_is_set(ct, ATTR_SYNPROXY_ISN) &&
+	    nfct_attr_is_set(ct, ATTR_SYNPROXY_ITS) &&
+	    nfct_attr_is_set(ct, ATTR_SYNPROXY_TSOFF))
+		ct_build_synproxy(ct, n);
 }
 
 static void
diff --git a/src/parse.c b/src/parse.c
index d5d9b59cb653..7e524eda314f 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -34,6 +34,7 @@  static void ct_parse_str(struct nf_conntrack *ct,
 			 const struct netattr *, void *data);
 static void ct_parse_group(struct nf_conntrack *ct, int attr, void *data);
 static void ct_parse_nat_seq_adj(struct nf_conntrack *ct, int attr, void *data);
+static void ct_parse_synproxy(struct nf_conntrack *ct, int attr, void *data);
 static void ct_parse_clabel(struct nf_conntrack *ct,
 			    const struct netattr *, void *data);
 
@@ -200,6 +201,10 @@  static struct ct_parser h[NTA_MAX] = {
 		.attr	= ATTR_DNAT_IPV6,
 		.size	= NTA_SIZE(sizeof(uint32_t) * 4),
 	},
+	[NTA_SYNPROXY] = {
+		.parse	= ct_parse_synproxy,
+		.size	= NTA_SIZE(sizeof(struct nta_attr_synproxy)),
+	},
 };
 
 static void
@@ -297,6 +302,15 @@  ct_parse_nat_seq_adj(struct nf_conntrack *ct, int attr, void *data)
 			  ntohl(this->repl_seq_offset_after));
 }
 
+static void ct_parse_synproxy(struct nf_conntrack *ct, int attr, void *data)
+{
+	struct nta_attr_synproxy *this = data;
+
+	nfct_set_attr_u32(ct, ATTR_SYNPROXY_ISN, ntohl(this->isn));
+	nfct_set_attr_u32(ct, ATTR_SYNPROXY_ITS, ntohl(this->its));
+	nfct_set_attr_u32(ct, ATTR_SYNPROXY_TSOFF, ntohl(this->tsoff));
+}
+
 int msg2ct(struct nf_conntrack *ct, struct nethdr *net, size_t remain)
 {
 	int len;

[conntrack-tools] src: synproxy support

Commit Message

Patch