[NETFILTER] ctnetlink: allow userspace to change TCP state
Pablo Neira Ayuso [Tue, 11 Oct 2005 04:23:28 +0000 (21:23 -0700)]
This patch adds the ability of changing the state a TCP connection. I know
that this must be used with care but it's required to provide a complete
conntrack creation via conntrack_netlink. So I'll document this aspect on
the upcoming docs.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/linux/netfilter_ipv4/ip_conntrack_protocol.h
net/ipv4/netfilter/ip_conntrack_proto_tcp.c

index b6b99be..2c76b87 100644 (file)
@@ -52,6 +52,9 @@ struct ip_conntrack_protocol
        int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
                         const struct ip_conntrack *ct);
 
+       /* convert nfnetlink attributes to protoinfo */
+       int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct);
+
        int (*tuple_to_nfattr)(struct sk_buff *skb,
                               const struct ip_conntrack_tuple *t);
        int (*nfattr_to_tuple)(struct nfattr *tb[],
index 75e27e6..d6701ca 100644 (file)
@@ -356,6 +356,28 @@ nfattr_failure:
        read_unlock_bh(&tcp_lock);
        return -1;
 }
+
+static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
+{
+       struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
+       struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
+
+        if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
+                goto nfattr_failure;
+
+       if (!tb[CTA_PROTOINFO_TCP_STATE-1])
+               return -EINVAL;
+
+       write_lock_bh(&tcp_lock);
+       ct->proto.tcp.state = 
+               *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
+       write_unlock_bh(&tcp_lock);
+
+       return 0;
+
+nfattr_failure:
+       return -1;
+}
 #endif
 
 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
@@ -1127,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
     defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
        .to_nfattr              = tcp_to_nfattr,
+       .from_nfattr            = nfattr_to_tcp,
        .tuple_to_nfattr        = ip_ct_port_tuple_to_nfattr,
        .nfattr_to_tuple        = ip_ct_port_nfattr_to_tuple,
 #endif