authorPablo Neira Ayuso <pablo@netfilter.org>2008-08-07 14:52:41 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-08-07 14:52:41 +0200
commita4f4647b4b7f32f2d1caab98544802c8cdd7b4d6 (patch)
treeb311464dece10f101291903bd420d813c9cb8252
parentba0b4bc3d49cebf3ef69c7bc5b6dfd8decb6c8ca (diff)
netlink: add getter and check existence functions
This patch adds nl_get_conntrack and it changes the behaviour of nl_exist_conntrack. Now, nl_get_conntrack requests the kernel for a conntrack and updates the cached entry. On the other hand, nl_exist_conntrack only inquires about the existence of the entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/conntrackd.h1
-rw-r--r--include/netlink.h4
-rw-r--r--src/netlink.c25
-rw-r--r--src/run.c8
4 files changed, 36 insertions, 2 deletions
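--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -110,6 +110,7 @@ struct ct_general_state {
 struct nfct_filter *filter; /* event filter */
 struct nfct_handle *dump; /* dump handler */
+ struct nfct_handle *request; /* request handler */
 struct nfct_handle *overrun; /* overrun handler */
 struct alarm_block overrun_alarm;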
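--- a/include/netlink.h
+++ b/include/netlink.h
@@ -10,6 +10,8 @@ int nl_init_event_handler(void);
 int nl_init_dump_handler(void);
+int nl_init_request_handler(void);
+
 int nl_init_overrun_handler(void);
 int nl_overrun_request_resync(void);
@@ -20,6 +22,8 @@ int nl_dump_conntrack_table(void);
 int nl_exist_conntrack(struct nf_conntrack *ct);
+int nl_get_conntrack(struct nf_conntrack *ct);
+
 int nl_create_conntrack(struct nf_conntrack *ct);
 int nl_update_conntrack(struct nf_conntrack *ct);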
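Review bot: The two prototypes `nl_exist_conntrack` and `nl_get_conntrack` are declared without their return convention, and it is a three-valued one that callers must distinguish: the shared helper in src/netlink.c returns 1 when the entry is found, 0 when the kernel answers ENOENT, and -1 on any other error. A header comment above the pair avoids callers treating the result as a boolean, e.g. `/* return 1 if the conntrack exists, 0 if not (ENOENT), -1 on any other error (errno set) */`. It would also help to state here that `nl_get_conntrack` goes through the dump handle and `nl_exist_conntrack` through the request handle, since that is the only difference between them.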
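--- a/src/netlink.c
+++ b/src/netlink.c
@@ -214,6 +214,16 @@ int nl_init_overrun_handler(void)
 return 0;
 }
+/* no callback, it does not do anything with the output */
+int nl_init_request_handler(void)
+{
+ STATE(request) = nfct_open(CONNTRACK, 0);
+ if (!STATE(request))
+ return -1;
+
+ return 0;
+}
+
 static int warned = 0;
 void nl_resize_socket_buffer(struct nfct_handle *h)
@@ -257,7 +267,7 @@ int nl_overrun_request_resync(void)
 return nfct_send(STATE(overrun), NFCT_Q_DUMP, &family);
 }
-int nl_exist_conntrack(struct nf_conntrack *ct)
+static int __nl_get_conntrack(struct nfct_handle *h, struct nf_conntrack *ct)
 {
 int ret;
 char __tmp[nfct_maxsize()];
@@ -268,13 +278,24 @@ int nl_exist_conntrack(struct nf_conntrack *ct)
 /* use the original tuple to check if it is there */
 nfct_copy(tmp, ct, NFCT_CP_ORIG);
- ret = nfct_query(STATE(dump), NFCT_Q_GET, tmp);
+ ret = nfct_query(h, NFCT_Q_GET, tmp);
 if (ret == -1)
 return errno == ENOENT ? 0 : -1;
 return 1;
 }
+int nl_exist_conntrack(struct nf_conntrack *ct)
+{
+ return __nl_get_conntrack(STATE(request), ct);
+}
+
+/* get the conntrack and update the cache */
+int nl_get_conntrack(struct nf_conntrack *ct)
+{
+ return __nl_get_conntrack(STATE(dump), ct);
+}
+
 /* This function modifies the conntrack passed as argument! */
 int nl_create_conntrack(struct nf_conntrack *ct)
 {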
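Review bot: The new helper `static int __nl_get_conntrack(struct nfct_handle *h, struct nf_conntrack *ct)` takes a name in the identifier space C reserves for the implementation (anything beginning with two underscores), as does the pre-existing `__tmp` buffer two lines below it; a project-local name avoids collisions with libc and compiler internals and reads better at the call sites. The rename touches three lines: `static int nl_get_conntrack_on(struct nfct_handle *h, struct nf_conntrack *ct)` plus the two callers `return nl_get_conntrack_on(STATE(request), ct);` and `return nl_get_conntrack_on(STATE(dump), ct);`. The helper's body runs between the second and third hunks, outside what is shown. The comment on `nl_init_request_handler` says only that the handle has no callback; it should say why a second handle exists, e.g. `/* handle with no callback registered: replies to GET queries on it are discarded, so nl_exist_conntrack can probe the kernel without touching the cache */` — that the dump handle's callback updates the cache is taken from the commit message, not from the visible lines.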
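--- a/src/run.c
+++ b/src/run.c
@@ -38,6 +38,7 @@ void killer(int foo)
 sigprocmask(SIG_BLOCK, &STATE(block), NULL);
 nfct_close(STATE(event));
+ nfct_close(STATE(request));
 ct_filter_destroy(STATE(us_filter));
 local_server_destroy(&STATE(local));
@@ -144,6 +145,13 @@ init(void)
 return -1;
 }
+ if (nl_init_request_handler() == -1) {
+ dlog(LOG_ERR, "can't open netlink handler: %s",
+ strerror(errno));
+ dlog(LOG_ERR, "no ctnetlink kernel support?");
+ return -1;
+ }
+
 init_alarm(&STATE(overrun_alarm), NULL, do_overrun_alarm);
 STATE(fds) = create_fds();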
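Review bot: The failure message at `dlog(LOG_ERR, "can't open netlink handler: %s", strerror(errno));` does not say which handler failed, so an operator reading the daemon log cannot tell a request-handle failure from the event/dump/overrun handler failures that presumably use the same wording (the block ending just above with `return -1; }` suggests the same pattern, but its message is outside the hunk). Naming the handle makes the error actionable: `dlog(LOG_ERR, "can't open netlink request handler: %s", strerror(errno));`. The early `return -1;` also leaves the handles opened earlier in init() unclosed; that is harmless if the caller exits on a non-zero return, otherwise a cleanup path is needed — the rest of init() is outside the hunk.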