• Pablo Neira Ayuso's avatar
    filter: add SKF_AD_NLATTR_NEST to look for nested attributes · d214c753
    Pablo Neira Ayuso authored
    SKF_AD_NLATTR allows us to find the first matching attribute in a
    stream of netlink attributes from one offset to the end of the
    netlink message. This is not suitable to look for a specific
    matching inside a set of nested attributes.
    
    For example, in ctnetlink messages, if we look for the CTA_V6_SRC
    attribute in a message that talks about an IPv4 connection,
    SKF_AD_NLATTR returns the offset of CTA_STATUS which has the same
    value of CTA_V6_SRC but outside the nest. To differenciate
    CTA_STATUS and CTA_V6_SRC, we would have to make assumptions on the
    size of the attribute and the usual offset, resulting in horrible
    BSF code.
    
    This patch adds SKF_AD_NLATTR_NEST, which is a variant of
    SKF_AD_NLATTR, that looks for an attribute inside the limits of
    a nested attributes, but not further.
    
    This patch validates that we have enough room to look for the
    nested attributes - based on a suggestion from Patrick McHardy.
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    Acked-by: default avatarPatrick McHardy <kaber@trash.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    d214c753
filter.h 4.02 KB