diff options
| author | Florian Westphal | 2013-01-11 07:30:44 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso | 2013-01-18 00:28:15 +0100 |
| commit | c539f01717c239cfa0921dd43927afc976f1eedc (patch) | |
| tree | e0e4881913acb233f6ea83d93eb69da446084101 /include/net/netfilter/nf_conntrack_labels.h | |
| parent | netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones (diff) | |
| download | kernel-qcow2-linux-c539f01717c239cfa0921dd43927afc976f1eedc.tar.gz kernel-qcow2-linux-c539f01717c239cfa0921dd43927afc976f1eedc.tar.xz kernel-qcow2-linux-c539f01717c239cfa0921dd43927afc976f1eedc.zip | |
netfilter: add connlabel conntrack extension
similar to connmarks, except labels are bit-based; i.e.
all labels may be attached to a flow at the same time.
Up to 128 labels are supported. Supporting more labels
is possible, but requires increasing the ct offset delta
from u8 to u16 type due to increased extension sizes.
Mapping of bit-identifier to label name is done in userspace.
The extension is enabled at run-time once "-m connlabel" netfilter
rules are added.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net/netfilter/nf_conntrack_labels.h')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_labels.h | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h new file mode 100644 index 000000000000..b94fe31c7b39 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_labels.h @@ -0,0 +1,55 @@ +#include <linux/types.h> +#include <net/net_namespace.h> +#include <linux/netfilter/nf_conntrack_common.h> +#include <linux/netfilter/nf_conntrack_tuple_common.h> +#include <net/netfilter/nf_conntrack.h> +#include <net/netfilter/nf_conntrack_extend.h> + +#include <uapi/linux/netfilter/xt_connlabel.h> + +struct nf_conn_labels { + u8 words; + unsigned long bits[]; +}; + +static inline struct nf_conn_labels *nf_ct_labels_find(const struct nf_conn *ct) +{ +#ifdef CONFIG_NF_CONNTRACK_LABELS + return nf_ct_ext_find(ct, NF_CT_EXT_LABELS); +#else + return NULL; +#endif +} + +static inline struct nf_conn_labels *nf_ct_labels_ext_add(struct nf_conn *ct) +{ +#ifdef CONFIG_NF_CONNTRACK_LABELS + struct nf_conn_labels *cl_ext; + struct net *net = nf_ct_net(ct); + u8 words; + + words = ACCESS_ONCE(net->ct.label_words); + if (words == 0 || WARN_ON_ONCE(words > 8)) + return NULL; + + cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS, + words * sizeof(long), GFP_ATOMIC); + if (cl_ext != NULL) + cl_ext->words = words; + + return cl_ext; +#else + return NULL; +#endif +} + +bool nf_connlabel_match(const struct nf_conn *ct, u16 bit); +int nf_connlabel_set(struct nf_conn *ct, u16 bit); + +#ifdef CONFIG_NF_CONNTRACK_LABELS +int nf_conntrack_labels_init(struct net *net); +void nf_conntrack_labels_fini(struct net *net); +#else +static inline int nf_conntrack_labels_init(struct net *n) { return 0; } +static inline void nf_conntrack_labels_fini(struct net *net) {} +#endif |