conntrack mark question

Stijn Souffriau stijn.souffriau at essensium.com
Fri Sep 23 08:25:00 EDT 2011


Hi again,

I have an update on my problem. It turns out that the conntrack code 
only puts the tuple attributes (IP addresses, protocol number, etc.) 
in the message payload.

I fixed my problem by hacking nfnl_ct_build_add_request:

int nfnl_ct_build_add_request(const struct nfnl_ct *ct, int flags,
                              struct nl_msg **result)
{
        int err = nfnl_ct_build_message(ct, IPCTNL_MSG_CT_NEW, flags, result);

        //// hack to add marks
        if (err == NLE_SUCCESS && nfnl_ct_test_mark(ct))
                NLA_PUT_U32(*result, CTA_MARK, htonl(nfnl_ct_get_mark(ct)));
        return err;
        ////

nla_put_failure:
        /* NLA_PUT_U32 jumps here when the message has no room for the
         * attribute: release the message built above instead of leaking it. */
        nlmsg_free(*result);
        *result = NULL;
        return -NLE_NOMEM;
}

If I find the time I will try to submit a proper fix.


On 09/20/2011 04:17 PM, Stijn Souffriau wrote:
> On 09/20/2011 03:23 PM, Thomas Graf wrote:
>> On Mon, Sep 19, 2011 at 11:47:26PM +0200, Stijn Souffriau wrote:
>>> Hello all,
>>>
>>> I would like to change the conntrack mark of a connection using
>>> libnl. I have managed to query and delete connections using the
>>> nfnl_ct_query and nfnl_ct_del functions but I haven't succeeded
>>> yet in modifying a connection. I believe that nfnl_ct_add would
>>> allow me to do this but despite returning NLE_SUCCESS I see no
>>> change in the mark.
>>>
>>> Some of my code:
>>> ...
>>> nfnl_ct_set_family ( ct_object, AF_INET ); // IPv4
>>> nfnl_ct_set_proto ( ct_object, 6 ); // TCP
>>> nfnl_ct_set_src ( ct_object, 0, src_addr );
>>> nfnl_ct_set_dst ( ct_object, 0, dest_addr );
>>> nfnl_ct_set_src_port( ct_object, 0, src_port );
>>> nfnl_ct_set_dst_port( ct_object, 0, dst_port );
>>> nfnl_ct_set_mark( ct_object, mark );
>>> nfnl_ct_add(nfnl_conntrack_sock, ct_object, NLM_F_REQUEST|NLM_F_ACK);
>>> ...
>>>
>>> Note that if I use these attributes, except for the mark, in a query
>>> then I receive the connection whose mark I meant to change.
>> Can you run your program with NLCB=debug ./program and post the output?
> I've attached the debug output. Hopefully you understand it better than me.
> Two operations are done:
> 1)    nfnl_ct_add : to mark the connection
> 2)    nfnl_ct_query:  to get the connection object (this returns the
> UNmarked connection)
>

This message and any attachments herein are confidential, intended solely for the addressees and are SoftAtHome's ownership. Any unauthorized use or dissemination is prohibited. If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
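For anyone reading this later, here is an added, stand-alone example (not code from this thread or from libnl) that builds the same IPCTNL_MSG_CT_NEW request by hand and then walks the top-level attributes the way the receiving side does, so you can see whether CTA_MARK actually made it into the payload before anything is sent. The struct layouts and the CTA_* / NLM_F_* values are restated from the kernel UAPI headers so the file compiles without them; the flow 192.0.2.10:40000 -> 198.51.100.20:443 and the mark 42 are constructed sample values; no netlink socket is opened. The function names build_ct_mark_request(), reserve(), put_attr(), nest_start(), nest_end() and request_mark() are chosen here and are not libnl API.

```c
/* Added example, not libnl code: build the ctnetlink request that nfnl_ct_add() with a
 * mark should send, then check CTA_MARK on the wire. Nothing is sent to the kernel. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Layouts/values from <linux/netlink.h>, <linux/netfilter/nfnetlink{,_conntrack}.h>, restated. */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags; uint32_t nlmsg_seq, nlmsg_pid; };
struct nlattr   { uint16_t nla_len, nla_type; };
struct nfgenmsg { uint8_t nfgen_family, version; uint16_t res_id; };
#define NLA_ALIGN(n) (((n) + 3) & ~(size_t)3)
#define NLA_HDRLEN   NLA_ALIGN(sizeof(struct nlattr))
enum { NLA_F_NESTED = 0x8000, NLA_TYPE_MASK = 0x3fff, NLM_F_REQUEST = 1, NLM_F_ACK = 4 };
enum { NFNL_SUBSYS_CTNETLINK = 1, IPCTNL_MSG_CT_NEW = 0, CTA_TUPLE_ORIG = 1, CTA_MARK = 8 };
enum { CTA_TUPLE_IP = 1, CTA_TUPLE_PROTO = 2, CTA_IP_V4_SRC = 1, CTA_IP_V4_DST = 2 };
enum { CTA_PROTO_NUM = 1, CTA_PROTO_SRC_PORT = 2, CTA_PROTO_DST_PORT = 3 };
struct msgbuf { unsigned char buf[256]; uint32_t len; };

static void *reserve(struct msgbuf *m, size_t n)   /* n zeroed bytes, padded to 4 */
{
    void *p = m->buf + m->len;
    if (m->len + NLA_ALIGN(n) > sizeof m->buf) return NULL;   /* never overrun buf */
    memset(p, 0, NLA_ALIGN(n));
    m->len += (uint32_t)NLA_ALIGN(n);
    return p;
}
static int put_attr(struct msgbuf *m, uint16_t type, const void *data, uint16_t dlen)
{
    struct nlattr *a = reserve(m, NLA_HDRLEN + dlen);
    if (!a) return -1;
    a->nla_len = (uint16_t)(NLA_HDRLEN + dlen);   /* unpadded length, as the kernel expects */
    a->nla_type = type;
    memcpy((unsigned char *)a + NLA_HDRLEN, data, dlen);
    return 0;
}
static uint32_t nest_start(struct msgbuf *m, uint16_t type)   /* offset, or UINT32_MAX */
{
    uint32_t off = m->len;
    struct nlattr *a = reserve(m, NLA_HDRLEN);
    if (!a) return UINT32_MAX;
    a->nla_type = type | NLA_F_NESTED;
    return off;
}
static void nest_end(struct msgbuf *m, uint32_t off)
{ ((struct nlattr *)(m->buf + off))->nla_len = (uint16_t)(m->len - off); }

/* IPCTNL_MSG_CT_NEW for an IPv4/TCP flow: src/dst in network byte order (as from inet_pton()),
 * ports in host order. set_mark == 0 yields the tuple-only message the post describes. */
int build_ct_mark_request(struct msgbuf *m, uint32_t src, uint32_t dst,
                          uint16_t sport, uint16_t dport, int set_mark, uint32_t mark)
{
    uint32_t orig, ip, proto, be_mark = htonl(mark);
    uint16_t be_sport = htons(sport), be_dport = htons(dport); uint8_t tcp = 6;
    struct nlmsghdr *nlh; struct nfgenmsg *nfg;
    m->len = 0; nlh = reserve(m, sizeof *nlh); nfg = reserve(m, sizeof *nfg);
    if (!nlh || !nfg) return -1;
    nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nfg->nfgen_family = AF_INET;   /* version NFNETLINK_V0 (0) and res_id stay zero */
    /* CTA_TUPLE_ORIG selects the entry: the same tuple a query would send. */
    if ((orig = nest_start(m, CTA_TUPLE_ORIG)) == UINT32_MAX ||
        (ip = nest_start(m, CTA_TUPLE_IP)) == UINT32_MAX ||
        put_attr(m, CTA_IP_V4_SRC, &src, 4) || put_attr(m, CTA_IP_V4_DST, &dst, 4)) return -1;
    nest_end(m, ip);
    if ((proto = nest_start(m, CTA_TUPLE_PROTO)) == UINT32_MAX ||
        put_attr(m, CTA_PROTO_NUM, &tcp, 1) || put_attr(m, CTA_PROTO_SRC_PORT, &be_sport, 2) ||
        put_attr(m, CTA_PROTO_DST_PORT, &be_dport, 2)) return -1;
    nest_end(m, proto);
    nest_end(m, orig);
    /* The mark is a top-level u32 in network byte order: what NLA_PUT_U32(msg, CTA_MARK, htonl(mark)) adds. */
    if (set_mark && put_attr(m, CTA_MARK, &be_mark, 4)) return -1;
    nlh->nlmsg_len = m->len;
    return 0;
}

/* Host-order mark carried by the request, or -1 when it has no well-formed CTA_MARK.
 * Walks the top-level attributes the way the receiver does, bounds-checking each one. */
long request_mark(const struct msgbuf *m)
{
    uint32_t off = sizeof(struct nlmsghdr) + sizeof(struct nfgenmsg), v;   /* both 4-aligned */
    while (off + NLA_HDRLEN <= m->len) {
        const struct nlattr *a = (const struct nlattr *)(m->buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > m->len) return -1;   /* malformed */
        if ((a->nla_type & NLA_TYPE_MASK) == CTA_MARK && a->nla_len == NLA_HDRLEN + sizeof v) {
            memcpy(&v, (const unsigned char *)a + NLA_HDRLEN, sizeof v);
            return ntohl(v);
        }
        off += (uint32_t)NLA_ALIGN(a->nla_len);
    }
    return -1;
}
int main(void)
{
    struct msgbuf m; uint32_t src, dst;
    inet_pton(AF_INET, "192.0.2.10", &src);   /* constructed sample flow, not from the post */
    inet_pton(AF_INET, "198.51.100.20", &dst);
    if (build_ct_mark_request(&m, src, dst, 40000, 443, 1, 42)) return 1;
    printf("%u-byte request, CTA_MARK = %ld\n", (unsigned)m.len, request_mark(&m));
    return 0;
}
```

Compile with cc -Wall and run it; it reports an 80-byte request carrying mark 42, while set_mark = 0 gives a 72-byte request in which request_mark() finds nothing, which is the tuple-only message the earlier part of the thread was sending: the kernel ACKs it (hence NLE_SUCCESS) but has no mark to apply. Sending the request for real needs a NETLINK_NETFILTER socket and CAP_NET_ADMIN, and the kernel only stores CTA_MARK when built with CONFIG_NF_CONNTRACK_MARK.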


