Re: decipher the secmark number from nf_conntrack/ip_conntrack

On Thursday 2010-09-23 20:52, Eric Paris wrote:

>On Thu, Sep 23, 2010 at 2:49 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>> On Thursday 2010-09-23 20:39, Eric Paris wrote:
>>>>>
>>>>> Otherwise I'm
>>>>>going to hard code those to 0 or 1 and export the label in a new
>>>>>field....
>>>>
>>>> The allocated secmark nlattr value should not be reused;
>>>> it's easy to use a new nla id for the secname and omit
>>>> transmission of secmark in nl chatter.
>>>>
>>>> For ye olde /proc/net/nf_conntrack, we can just remove secmark
>>>> altogether because userspace does not depend on it.
>>>
>>>How does one use the secmark netlink socket? How do I test my code?
>>>I'm sure this is an obvious question for most of you, but not for me
>>>:)
>>
>> There exists a CTA_SECMARK in nfnetlink_conntrack.h. You leave that
>> as-is, and add a new CTA_SECNAME. Subsequently, in
>> nf_conntrack_netlink.c, you replace NLA_PUT_BE32(skb, CTA_SECMARK, ...)
>> with the appropriate NLA_PUT_STRING(skb, CTA_SECNAME, ...) or whatever
>> the nla_put routine was called. Adjust the preallocation size too:
>> -       + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */
>> +       + nla_total_size(??) /* CTA_SECNAME */
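Review bot: the `??` in the CTA_SECNAME line cannot be a fixed constant the way `sizeof(u_int32_t)` is for CTA_SECMARK; a security label is a NUL-terminated string of variable length, so the preallocation has to be `nla_total_size(strlen(label) + 1)` for the label actually being sent (or a documented maximum label length), otherwise the string put will fail once the label is longer than the reserved space.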
>>
>> and that should do it for the kernel side. Similarly on the userspace
>> side.
>
>No, the question was more basic.  What is the userspace tool?

git://git.netfilter.org/libnetfilter_conntrack is the library where 
CTA_SECMARK is parsed (when receiving from kernel) - parse.c - and built 
(when sending to the kernel) - build.c, and

git://git.netfilter.org/conntrack-utils makes use of that library and 
provides the actual conntrack(8) binary that people run.

`./conntrack -L` is then what you use to test the changes.

Hope that helps,
Jan
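The kernel-side recipe quoted above (replace the fixed-size CTA_SECMARK attribute with a string attribute and adjust the preallocation), worked through as an added userspace model that is not code from this thread or from the netfilter tree. The `struct nlattr`, `NLA_ALIGN`, `NLA_HDRLEN` and `nla_total_size` definitions mirror the kernel's layout; the attribute ids, the message buffer and the sample security label are constructed for the example. It shows what the `nla_total_size(??)` for a NUL-terminated label comes to, and what a receiver must check before trusting a string attribute from the wire.

```c
/* Added example: userspace model of netlink attribute (nlattr) building and
 * parsing. Struct and macros mirror the kernel's; ids and data are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

struct nlattr {
    uint16_t nla_len;  /* header + payload length, excluding trailing padding */
    uint16_t nla_type;
};
#define NLA_HDRLEN ((size_t)NLA_ALIGN(sizeof(struct nlattr)))

/* Arbitrary ids for the example: the real CTA_SECMARK value lives in
 * nfnetlink_conntrack.h, and CTA_SECNAME is the new id the thread proposes. */
enum { CTA_SECMARK = 1, CTA_SECNAME = 2 };

/* Bytes one attribute occupies on the wire, padding included (kernel semantics). */
size_t nla_total_size(size_t payload) { return NLA_ALIGN(NLA_HDRLEN + payload); }

/* The thread's "nla_total_size(??)": a NUL-terminated string needs strlen + 1
 * payload bytes, so the reservation depends on the label being sent. */
size_t secname_attr_size(const char *secname) { return nla_total_size(strlen(secname) + 1); }

struct msgbuf {
    uint32_t words[64];  /* uint32_t storage keeps every attribute 4-byte aligned */
    size_t len;
};

void mb_init(struct msgbuf *m) { memset(m, 0, sizeof *m); }

/* Append one attribute; this is what nla_put() does inside the skb. */
int put_attr(struct msgbuf *m, uint16_t type, const void *payload, size_t plen)
{
    size_t total = nla_total_size(plen);
    if (m->len + total > sizeof m->words || NLA_HDRLEN + plen > UINT16_MAX)
        return -1;                       /* reservation too small: refuse */
    unsigned char *p = (unsigned char *)m->words + m->len;
    struct nlattr *nla = (struct nlattr *)p;
    memset(p, 0, total);                 /* zero the padding bytes */
    nla->nla_len = (uint16_t)(NLA_HDRLEN + plen);
    nla->nla_type = type;
    memcpy(p + NLA_HDRLEN, payload, plen);
    m->len += total;
    return 0;
}

/* Sender side: the old secmark (big-endian u32, as NLA_PUT_BE32 sends it) plus
 * the new NUL-terminated secname. Returns total bytes used, or -1. */
long build_ct_attrs(struct msgbuf *m, uint32_t secmark, const char *secname)
{
    unsigned char be[4] = { (unsigned char)(secmark >> 24), (unsigned char)(secmark >> 16),
                            (unsigned char)(secmark >> 8), (unsigned char)secmark };
    if (put_attr(m, CTA_SECMARK, be, sizeof be) < 0) return -1;
    if (put_attr(m, CTA_SECNAME, secname, strlen(secname) + 1) < 0) return -1;
    return (long)m->len;
}

/* Receiver side: walk the attribute stream, stopping on a malformed length. */
static const struct nlattr *find_attr(const struct msgbuf *m, uint16_t type)
{
    const unsigned char *base = (const unsigned char *)m->words;
    size_t off = 0;
    while (off + NLA_HDRLEN <= m->len) {
        const struct nlattr *nla = (const struct nlattr *)(base + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > m->len)
            return NULL;                 /* truncated or bogus length */
        if (nla->nla_type == type)
            return nla;
        off += NLA_ALIGN(nla->nla_len);
    }
    return NULL;
}

/* Reads CTA_SECMARK back; -1 if absent or not exactly 4 bytes of payload. */
int get_secmark(const struct msgbuf *m, uint32_t *out)
{
    const struct nlattr *nla = find_attr(m, CTA_SECMARK);
    if (!nla || nla->nla_len - NLA_HDRLEN != 4) return -1;
    const unsigned char *p = (const unsigned char *)nla + NLA_HDRLEN;
    *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    return 0;
}

/* Reads CTA_SECNAME back, accepting it only if a NUL terminator sits inside the
 * attribute's own payload (the check an NLA_NUL_STRING policy performs), so an
 * unterminated label can never be read past the end of the attribute. */
int get_secname(const struct msgbuf *m, char *out, size_t outlen)
{
    const struct nlattr *nla = find_attr(m, CTA_SECNAME);
    if (!nla) return -1;
    size_t plen = nla->nla_len - NLA_HDRLEN;
    const char *p = (const char *)nla + NLA_HDRLEN;
    if (plen == 0 || memchr(p, '\0', plen) == NULL) return -1;
    if (strlen(p) + 1 > outlen) return -1;
    memcpy(out, p, strlen(p) + 1);
    return 0;
}
```

The two size checks are the point: on the sending side the reservation is computed from the label that is actually being put, and on the receiving side the parser trusts neither `nla_len` nor the presence of a terminator until it has verified both against the bytes it was given. The same shape applies whether the consumer is libnetfilter_conntrack's parse.c or the kernel's own attribute policy.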