authorPablo Neira Ayuso <pablo@netfilter.org>2010-07-05 17:58:45 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2010-07-05 17:58:45 +0200
commit3562ca2e16cac2af2ac6f344ba462b40a05d370f (patch)
treedff0dc3a3f620d5726cec61347cb998a0b7651a0
parentc93ff79c70e1595af94abbadce685087f702c39b (diff)
conntrack: add zone support
This patch adds `--zone' to the command line tool. This adds the missing user-space support for Patrick McHardy's iptables CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--conntrack.85
-rw-r--r--include/conntrack.h2
-rw-r--r--qa/testsuite/04zone8
-rw-r--r--src/conntrack.c59
4 files changed, 50 insertions, 24 deletions
diff --git a/conntrack.8 b/conntrack.8
index fee3a8c..fb4336f 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -1,4 +1,4 @@
-.TH CONNTRACK 8 "Apr 11, 2009" "" ""
+.TH CONNTRACK 8 "Jul 5, 2010" "" ""
.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
@@ -149,6 +149,9 @@ Filter destination NAT connections.
.BI "-j, --any-nat "
Filter any NAT connections.
.TP
+.BI "-w, --zone "
+Filter by conntrack zone. See iptables CT target for more information.
+.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
.TP
diff --git a/include/conntrack.h b/include/conntrack.h
index 8e18e51..3882de7 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -10,7 +10,7 @@
#include <netinet/in.h>
#define NUMBER_OF_CMD 18
-#define NUMBER_OF_OPT 23
+#define NUMBER_OF_OPT 24
struct ctproto_handler {
struct list_head head;
diff --git a/qa/testsuite/04zone b/qa/testsuite/04zone
new file mode 100644
index 0000000..4ff3d34
--- /dev/null
+++ b/qa/testsuite/04zone
@@ -0,0 +1,8 @@
+# create dummy
+-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 --zone 1; OK
+# display dummy
+-L --zone 1; OK
+# display dummy
+-L --zone 0; OK
+# delete dummy
+-D --zone 1; OK
diff --git a/src/conntrack.c b/src/conntrack.c
index dd129c9..51ea472 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -193,12 +193,16 @@ enum ct_options {
CT_OPT_ANY_NAT_BIT = 22,
CT_OPT_ANY_NAT = (1 << CT_OPT_ANY_NAT_BIT),
+
+ CT_OPT_ZONE_BIT = 23,
+ CT_OPT_ZONE = (1 << CT_OPT_ZONE_BIT),
};
/* If you add a new option, you have to update NUMBER_OF_OPT in conntrack.h */
/* Update this mask to allow to filter based on new options. */
-#define CT_COMPARISON (CT_OPT_PROTO | CT_OPT_ORIG | CT_OPT_REPL | CT_OPT_MARK |\
- CT_OPT_SECMARK | CT_OPT_STATUS | CT_OPT_ID)
+#define CT_COMPARISON (CT_OPT_PROTO | CT_OPT_ORIG | CT_OPT_REPL | \
+ CT_OPT_MARK | CT_OPT_SECMARK | CT_OPT_STATUS | \
+ CT_OPT_ID | CT_OPT_ZONE)
static const char *optflags[NUMBER_OF_OPT] = {
[CT_OPT_ORIG_SRC_BIT] = "src",
@@ -224,6 +228,7 @@ static const char *optflags[NUMBER_OF_OPT] = {
[CT_OPT_SECMARK_BIT] = "secmark",
[CT_OPT_BUFFERSIZE_BIT] = "buffer-size",
[CT_OPT_ANY_NAT_BIT] = "any-nat",
+ [CT_OPT_ZONE_BIT] = "zone",
};
static struct option original_opts[] = {
@@ -263,12 +268,13 @@ static struct option original_opts[] = {
{"output", 1, 0, 'o'},
{"buffer-size", 1, 0, 'b'},
{"any-nat", 2, 0, 'j'},
+ {"zone", 1, 0, 'w'},
{0, 0, 0, 0}
};
static const char *getopt_str = "L::I::U::D::G::E::F::hVs:d:r:q:"
"p:t:u:e:a:z[:]:{:}:m:i:f:o:n::"
- "g::c:b:C::Sj::";
+ "g::c:b:C::Sj::w:";
/* Table of legal combinations of commands and options. If any of the
* given commands make an option legal, that option is legal (applies to
@@ -283,25 +289,25 @@ static const char *getopt_str = "L::I::U::D::G::E::F::hVs:d:r:q:"
static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
- /* s d r q p t u z e [ ] { } a m i f n g o c b j*/
-/*CT_LIST*/ {2,2,2,2,2,0,2,2,0,0,0,0,0,0,2,0,2,2,2,2,2,0,2},
-/*CT_CREATE*/ {3,3,3,3,1,1,2,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0,0},
-/*CT_UPDATE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0,0,0},
-/*CT_DELETE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0,0,0},
-/*CT_GET*/ {3,3,3,3,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0,0},
-/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2,2,2,2},
-/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*HELP*/ {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0},
-/*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0},
-/*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_GET*/ {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_COUNT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_COUNT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*X_STATS*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+ /* s d r q p t u z e [ ] { } a m i f n g o c b j w*/
+/*CT_LIST*/ {2,2,2,2,2,0,2,2,0,0,0,0,0,0,2,0,2,2,2,2,2,0,2,2},
+/*CT_CREATE*/ {3,3,3,3,1,1,2,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0,0,2},
+/*CT_UPDATE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0,0,0,0},
+/*CT_DELETE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,0,0,0,2},
+/*CT_GET*/ {3,3,3,3,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0,0,0},
+/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2,2,2,2,2},
+/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*HELP*/ {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0},
+/*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_GET*/ {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*CT_COUNT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_COUNT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*X_STATS*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
};
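Review bot: The new `w` column gives CT_GET and CT_UPDATE a 0, so `-G` and `-U` can never be combined with `--zone`, while CT_CREATE, CT_DELETE, CT_LIST and CT_EVENT accept it. If the kernel keys conntrack entries on the zone as well as the tuple, a get of a flow that lives in a non-zero zone has no way to name it and will miss; I cannot verify that lookup semantic from this hunk. If the restriction is deliberate, a short comment on the table would save the next reader the question, e.g. `/* zone is part of the lookup key and is fixed at creation; -G/-U do not take it */`; otherwise CT_GET's last cell should probably be 2 to match CT_DELETE.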
static const int cmd2type[][2] = {
@@ -331,6 +337,7 @@ static const int opt2type[] = {
['c'] = CT_OPT_SECMARK,
['i'] = CT_OPT_ID,
['j'] = CT_OPT_ANY_NAT,
+ ['w'] = CT_OPT_ZONE,
};
static const int opt2family_attr[][2] = {
@@ -352,6 +359,7 @@ static const int opt2attr[] = {
['m'] = ATTR_MARK,
['c'] = ATTR_SECMARK,
['i'] = ATTR_ID,
+ ['w'] = ATTR_ZONE,
};
static char exit_msg[NUMBER_OF_CMD][64] = {
@@ -408,6 +416,7 @@ static const char usage_parameters[] =
" -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
" -t, --timeout timeout\t\tSet timeout\n"
" -u, --status status\t\tSet status, eg. ASSURED\n"
+ " -w, --zone value\t\tSet conntrack zone\n"
" -b, --buffer-size\t\tNetlink socket buffer size\n"
;
@@ -1429,6 +1438,12 @@ int main(int argc, char *argv[])
nat_parse(tmp, obj, opt2type[c]);
break;
}
+ case 'w':
+ options |= opt2type[c];
+ nfct_set_attr_u16(obj,
+ opt2attr[c],
+ strtoul(optarg, NULL, 0));
+ break;
case 'i':
case 'm':
case 'c':
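Review bot: The new `case 'w'` feeds `strtoul(optarg, NULL, 0)` straight into `nfct_set_attr_u16`, so a non-numeric argument silently becomes zone 0 and any value above 65535 is silently narrowed, meaning `--zone 65536` lists, creates or deletes entries in zone 0 rather than failing. Parse with an end pointer, check for `ERANGE`, bound the value to `UINT16_MAX` before the cast, and reject bad input through the file's existing parameter-error exit path (not visible in this hunk); `<errno.h>` and `<stdint.h>` must be in scope, which I cannot confirm from here. The `'i'`/`'m'`/`'c'` cases that follow may share the same unchecked pattern, but their bodies are outside the hunk. main() starts and ends outside the hunk.
```c
case 'w': {
	char *end;
	unsigned long zone;

	errno = 0;
	zone = strtoul(optarg, &end, 0);
	if (end == optarg || *end != '\0' || errno == ERANGE ||
	    zone > UINT16_MAX) {
		/* … reject via the file's parameter-error exit path … */
	}
	options |= opt2type[c];
	nfct_set_attr_u16(obj, opt2attr[c], (uint16_t)zone);
	break;
}
```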