On Thursday 2010-09-23 20:52, Eric Paris wrote:

>On Thu, Sep 23, 2010 at 2:49 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>> On Thursday 2010-09-23 20:39, Eric Paris wrote:
>>>>>
>>>>> Otherwise I'm
>>>>>going to hard code those to 0 or 1 and export the label in a new
>>>>>field....
>>>>
>>>> The allocated secmark nlattr value should not be reused;
>>>> it's easy to use a new nla id for the secname and omit
>>>> transmission of secmark in nl chatter.
>>>>
>>>> For ye olde /proc/net/nf_conntrack, we can just remove secmark
>>>> altogether because userspace does not depend on it.
>>>
>>>How does one use the secmark netlink socket?  How do I test my code?
>>>I'm sure this is an obvious question for most of you, but not for me
>>>:)
>>
>> There exists a CTA_SECMARK in nfnetlink_conntrack.h. You leave that
>> as-is, and add a new CTA_SECNAME. Subsequently, in
>> nf_conntrack_netlink.c, you replace NLA_PUT_BE32(skb, CTA_SECMARK, ...)
>> with the appropriate NLA_PUT_STRING(skb, CTA_SECNAME, ...) or whatever
>> the nla_put routine was called. Adjust the preallocation size too:
>>
>> -       + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */
>> +       + nla_total_size(??) /* CTA_SECNAME */
>>
>> and that should do it for the kernel side. Similarly on the userspace
>> side.
>
>No, the question was more basic. What is the userspace tool?

git://git.netfilter.org/libnetfilter_conntrack is the library where
CTA_SECMARK is parsed (when receiving from kernel) - parse.c - and
built (when sending to the kernel) - build.c, and
git://git.netfilter.org/conntrack-utils makes use of that library and
provides the actual conntrack(8) binary that people run.
`./conntrack -L` is then what you use to test the changes.

Hope that helps,
Jan
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
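The thread leaves `nla_total_size(??)` open for the string attribute. The following is an added example, not code from the thread, the kernel, or libnetfilter_conntrack: a userspace model of the netlink attribute (nlattr) layout that the kernel's `NLA_PUT_*` helpers and `nla_total_size()` work with. It shows how the padded size of a u32 attribute compares with a NUL-terminated string attribute, and how a receiver should walk and validate such attributes before trusting a string payload. The attribute ids `X_CTA_SECMARK` and `X_CTA_SECNAME` are placeholders, not the real `nfnetlink_conntrack.h` values, and the security label is a constructed sample.

```c
/* Added example: userspace model of the nlattr wire format (header shape,
 * 4-byte alignment and total-size rule as in <linux/netlink.h>). Not the
 * kernel's or libnetfilter_conntrack's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NLA_ALIGNTO    4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN     ((int)NLA_ALIGN(sizeof(struct nlattr)))

struct nlattr {           /* same shape as the kernel's struct nlattr */
    uint16_t nla_len;     /* header + payload length, without padding */
    uint16_t nla_type;
};

/* Placeholder attribute ids (assumption, not the real enum values). */
enum { X_CTA_SECMARK = 1, X_CTA_SECNAME = 2 };

/* Bytes an attribute with `payload` bytes occupies once padded. */
size_t nla_total_size(size_t payload)
{
    return NLA_ALIGN(NLA_HDRLEN + payload);
}

/* Append one attribute; returns the new buffer length, or 0 if it does not fit. */
size_t nla_put(uint8_t *buf, size_t cap, size_t used, uint16_t type,
               const void *data, size_t len)
{
    size_t total = nla_total_size(len);
    if (used + total > cap)
        return 0;
    struct nlattr *nla = (struct nlattr *)(buf + used);
    nla->nla_len = (uint16_t)(NLA_HDRLEN + len);
    nla->nla_type = type;
    memcpy((uint8_t *)nla + NLA_HDRLEN, data, len);
    memset((uint8_t *)nla + NLA_HDRLEN + len, 0, total - NLA_HDRLEN - len); /* pad */
    return used + total;
}

/* String attribute: the payload is the string including its NUL, so the
 * size to reserve is nla_total_size(strlen(s) + 1). */
size_t nla_put_string(uint8_t *buf, size_t cap, size_t used, uint16_t type, const char *s)
{
    return nla_put(buf, cap, used, type, s, strlen(s) + 1);
}

/* Walk attributes and return the first of the wanted type, or NULL. Every
 * declared length is checked against the bytes actually present. */
const struct nlattr *nla_find(const uint8_t *buf, size_t len, uint16_t type)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
            return NULL;          /* malformed: refuse rather than over-read */
        if (nla->nla_type == type)
            return nla;
        off += NLA_ALIGN(nla->nla_len);
    }
    return NULL;
}

/* Copy a string payload out only if it is NUL-terminated within its declared
 * length and fits the destination. Returns 0 on success, -1 otherwise. */
int nla_get_string(const uint8_t *buf, size_t len, uint16_t type, char *out, size_t outsz)
{
    const struct nlattr *nla = nla_find(buf, len, type);
    if (!nla)
        return -1;
    size_t plen = nla->nla_len - NLA_HDRLEN;
    const char *p = (const char *)nla + NLA_HDRLEN;
    if (plen == 0 || memchr(p, '\0', plen) == NULL || plen > outsz)
        return -1;
    memcpy(out, p, plen);
    return 0;
}

/* Returns 1 if a label survives a put/get round trip unchanged. */
int demo_roundtrip_ok(const char *label)
{
    uint8_t buf[256];
    char out[128];
    size_t used = nla_put_string(buf, sizeof buf, 0, X_CTA_SECNAME, label);
    if (used == 0 || nla_get_string(buf, used, X_CTA_SECNAME, out, sizeof out) != 0)
        return 0;
    return strcmp(out, label) == 0;
}

/* Returns 1 if a message truncated by one byte is rejected instead of parsed. */
int demo_rejects_truncated(const char *label)
{
    uint8_t buf[256];
    size_t used = nla_put_string(buf, sizeof buf, 0, X_CTA_SECNAME, label);
    return used != 0 && nla_find(buf, used - 1, X_CTA_SECNAME) == NULL;
}

int main(void)
{
    const char *label = "system_u:object_r:example_t"; /* constructed sample */
    printf("u32 secmark attr: %zu bytes, string attr: %zu bytes\n",
           nla_total_size(sizeof(uint32_t)), nla_total_size(strlen(label) + 1));
    printf("roundtrip ok: %d, truncated rejected: %d\n",
           demo_roundtrip_ok(label), demo_rejects_truncated(label));
    return 0;
}
```

The sizing rule is the point for the preallocation question: a u32 attribute always costs 8 bytes, while a string attribute costs `nla_total_size(strlen(name) + 1)` rounded up to 4, so the reservation depends on the label and has to be computed per message rather than hard-coded. On the receiving side (the parse.c path in libnetfilter_conntrack), the length checks in `nla_find` and `nla_get_string` are what keep a short or unterminated payload from being read past its end.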