authorPablo Neira Ayuso <pablo@netfilter.org>2008-05-16 17:05:17 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-05-16 17:05:17 +0200
commitbe2450f37f2ce56eadc78793efc4a54ced4315c6 (patch)
tree0cca13c98a7a105246f9f0cf7b1afa5fdd8c163b
parentd97bb9c44030d1493cae82433825b77585768a75 (diff)
- remove (misleading) counters and use information from the statistics mode
- use generic nfct_copy() from libnetfilter_conntrack to update objects
- use generic nfct_cmp() to compare objects
-rw-r--r--ChangeLog3
-rw-r--r--configure.in4
-rw-r--r--src/cache.c75
-rw-r--r--src/stats-mode.c5
4 files changed, 12 insertions, 75 deletions
diff --git a/ChangeLog b/ChangeLog
index 02ac75a..d67ad30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,9 @@ o improve netlink overrun handling
o add more verbose error notification when we fail to inject a conntrack
o rework of the FT-FW approach
o minor fix of the manpage (Max Wilhelm)
+o remove (misleading) counters and use information from the statistics mode
+o use generic nfct_copy() from libnetfilter_conntrack to update objects
+o use generic nfct_cmp() to compare objects
version 0.9.6 (2008/03/08)
------------------------------
diff --git a/configure.in b/configure.in
index 17101e9..f3b8785 100644
--- a/configure.in
+++ b/configure.in
@@ -17,8 +17,8 @@ case $target in
esac
dnl Dependencies
-LIBNFNETLINK_REQUIRED=0.0.32
-LIBNETFILTER_CONNTRACK_REQUIRED=0.0.92
+LIBNFNETLINK_REQUIRED=0.0.33
+LIBNETFILTER_CONNTRACK_REQUIRED=0.0.94
AC_CHECK_PROG(HAVE_PKG_CONFIG, pkg-config, yes)
if test "x$HAVE_PKG_CONFIG" = "x"
diff --git a/src/cache.c b/src/cache.c
index eac9a78..4162661 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -85,75 +85,12 @@ static uint32_t hash(const void *data, struct hashtable *table)
return ret;
}
-static int __compare(const struct nf_conntrack *ct1,
- const struct nf_conntrack *ct2)
-{
- return ((nfct_get_attr_u8(ct1, ATTR_ORIG_L4PROTO) ==
- nfct_get_attr_u8(ct2, ATTR_ORIG_L4PROTO)) &&
- (nfct_get_attr_u16(ct1, ATTR_ORIG_PORT_SRC) ==
- nfct_get_attr_u16(ct2, ATTR_ORIG_PORT_SRC)) &&
- (nfct_get_attr_u16(ct1, ATTR_ORIG_PORT_DST) ==
- nfct_get_attr_u16(ct2, ATTR_ORIG_PORT_DST)) &&
- (nfct_get_attr_u16(ct1, ATTR_REPL_PORT_SRC) ==
- nfct_get_attr_u16(ct2, ATTR_REPL_PORT_SRC)) &&
- (nfct_get_attr_u16(ct1, ATTR_REPL_PORT_DST) ==
- nfct_get_attr_u16(ct2, ATTR_REPL_PORT_DST)));
-}
-
-static int
-__compare4(const struct us_conntrack *u1, const struct us_conntrack *u2)
-{
- return ((nfct_get_attr_u32(u1->ct, ATTR_ORIG_IPV4_SRC) ==
- nfct_get_attr_u32(u2->ct, ATTR_ORIG_IPV4_SRC)) &&
- (nfct_get_attr_u32(u1->ct, ATTR_ORIG_IPV4_DST) ==
- nfct_get_attr_u32(u2->ct, ATTR_ORIG_IPV4_DST)) &&
- (nfct_get_attr_u32(u1->ct, ATTR_REPL_IPV4_SRC) ==
- nfct_get_attr_u32(u2->ct, ATTR_REPL_IPV4_SRC)) &&
- (nfct_get_attr_u32(u1->ct, ATTR_REPL_IPV4_DST) ==
- nfct_get_attr_u32(u2->ct, ATTR_REPL_IPV4_DST)) &&
- __compare(u1->ct, u2->ct));
-}
-
-static int
-__compare6(const struct us_conntrack *u1, const struct us_conntrack *u2)
-{
- return ((memcmp(nfct_get_attr(u1->ct, ATTR_ORIG_IPV6_SRC),
- nfct_get_attr(u2->ct, ATTR_ORIG_IPV6_SRC),
- sizeof(uint32_t)*4) == 0) &&
- (memcmp(nfct_get_attr(u1->ct, ATTR_ORIG_IPV6_DST),
- nfct_get_attr(u2->ct, ATTR_ORIG_IPV6_DST),
- sizeof(uint32_t)*4) == 0) &&
- (memcmp(nfct_get_attr(u1->ct, ATTR_REPL_IPV6_SRC),
- nfct_get_attr(u2->ct, ATTR_REPL_IPV6_SRC),
- sizeof(uint32_t)*4) == 0) &&
- (memcmp(nfct_get_attr(u1->ct, ATTR_REPL_IPV6_DST),
- nfct_get_attr(u2->ct, ATTR_REPL_IPV6_DST),
- sizeof(uint32_t)*4) == 0) &&
- __compare(u1->ct, u2->ct));
-}
-
static int compare(const void *data1, const void *data2)
{
- int ret = 0;
const struct us_conntrack *u1 = data1;
const struct us_conntrack *u2 = data2;
- if (nfct_get_attr_u8(u1->ct, ATTR_L3PROTO) !=
- nfct_get_attr_u8(u2->ct, ATTR_L3PROTO))
- return ret;
-
- switch(nfct_get_attr_u8(u1->ct, ATTR_L3PROTO)) {
- case AF_INET:
- ret = __compare4(u1, u2);
- break;
- case AF_INET6:
- ret = __compare6(u1, u2);
- break;
- default:
- dlog(LOG_ERR, "unknown layer 3 in compare");
- break;
- }
- return ret;
+ return nfct_cmp(u1->ct, u2->ct, NFCT_CMP_ORIG | NFCT_CMP_REPL);
}
struct cache_feature *cache_feature[CACHE_MAX_FEATURE] = {
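Review bot: compare() no longer reports an entry whose layer-3 protocol is neither AF_INET nor AF_INET6. The removed code logged `unknown layer 3 in compare` and returned 0, and the removed helpers returned non-zero only on a full match, so the hashtable callback's contract is "non-zero means equal"; the new one-liner assumes nfct_cmp() follows the same convention. How nfct_cmp() treats an attribute that is set in only one of the two objects is not visible here. Since this callback decides which cached entry an update lands on, it is worth confirming that a partially filled tuple cannot compare equal to a different entry. I would add a comment above the function, e.g. `/* hashtable equality callback: non-zero when original and reply tuples match, per nfct_cmp() */`.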
@@ -305,15 +242,7 @@ static struct us_conntrack *__update(struct cache *c, struct nf_conntrack *ct)
unsigned i;
char *data = u->data;
- if (nfct_attr_is_set(ct, ATTR_STATUS))
- nfct_set_attr_u32(u->ct, ATTR_STATUS,
- nfct_get_attr_u32(ct, ATTR_STATUS));
- if (nfct_attr_is_set(ct, ATTR_TCP_STATE))
- nfct_set_attr_u8(u->ct, ATTR_TCP_STATE,
- nfct_get_attr_u8(ct, ATTR_TCP_STATE));
- if (nfct_attr_is_set(ct, ATTR_TIMEOUT))
- nfct_set_attr_u32(u->ct, ATTR_TIMEOUT,
- nfct_get_attr_u32(ct, ATTR_TIMEOUT));
+ nfct_copy(u->ct, ct, NFCT_CP_META);
for (i = 0; i < c->num_features; i++) {
c->features[i]->update(u, data);
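Review bot: `nfct_copy(u->ct, ct, NFCT_CP_META)` may write more into the cached object than the three attributes the removed lines handled (ATTR_STATUS, ATTR_TCP_STATE and ATTR_TIMEOUT, each guarded by nfct_attr_is_set()). Which attributes NFCT_CP_META covers is defined by the library and cannot be seen in this hunk. If it includes counters or the use count, every path into __update() has to strip what it does not want cached, as dump_stats() in src/stats-mode.c appears to do in this same commit. A comment on the call naming the intended set would help, e.g. `/* NFCT_CP_META: refresh status, protocol state and timeout from the new message */`. __update() starts and ends outside the hunk.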
diff --git a/src/stats-mode.c b/src/stats-mode.c
index 5808320..1650d5d 100644
--- a/src/stats-mode.c
+++ b/src/stats-mode.c
@@ -89,7 +89,12 @@ static int local_handler_stats(int fd, int type, void *data)
static void dump_stats(struct nf_conntrack *ct)
{
+ nfct_attr_unset(ct, ATTR_ORIG_COUNTER_BYTES);
+ nfct_attr_unset(ct, ATTR_ORIG_COUNTER_PACKETS);
+ nfct_attr_unset(ct, ATTR_REPL_COUNTER_BYTES);
+ nfct_attr_unset(ct, ATTR_REPL_COUNTER_PACKETS);
nfct_attr_unset(ct, ATTR_TIMEOUT);
+ nfct_attr_unset(ct, ATTR_USE);
if (cache_update_force(STATE_STATS(cache), ct))
debug_ct(ct, "resync entry");
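Review bot: The six nfct_attr_unset() calls in dump_stats() modify the `ct` object handed in by the caller rather than a copy, and nothing in the hunk says why these attributes are dropped. Going by the commit message they are values that are misleading once stored in the cache, so a short comment would make that explicit: `/* counters, timeout and use count are misleading once cached; strip them before the update */`. If the caller reuses `ct` after dump_stats() returns, it will find those attributes missing, which is worth checking at the call site outside the hunk. The function body continues past the last line shown.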