diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-10-06 11:19:28 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-12-19 15:24:20 +0100 |
commit | 65645763ebe870fa01b5c1a5dbe810feb9397ff2 (patch) | |
tree | 05ecf9a76c8d77bf0cf5e7e331a08d980fe87e80 | |
parent | 2f52fea14f94fb267e22280bce2d45f44c3b34f0 (diff) | |
download | conntrack-tools-65645763ebe870fa01b5c1a5dbe810feb9397ff2.tar.gz conntrack-tools-65645763ebe870fa01b5c1a5dbe810feb9397ff2.zip |
conntrackd: add ICMP support for state-synchronization
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | doc/sync/alarm/conntrackd.conf | 1 | ||||
-rw-r--r-- | doc/sync/ftfw/conntrackd.conf | 1 | ||||
-rw-r--r-- | doc/sync/notrack/conntrackd.conf | 1 | ||||
-rw-r--r-- | include/network.h | 3 | ||||
-rw-r--r-- | src/build.c | 9 | ||||
-rw-r--r-- | src/parse.c | 15 |
6 files changed, 29 insertions, 1 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index 800012f..3424e39 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -332,6 +332,7 @@ General { TCP SCTP DCCP + # ICMP # This requires a Linux kernel >= 2.6.31 } # diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 81f2de1..df10aca 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -357,6 +357,7 @@ General { TCP SCTP DCCP + # ICMP # This requires a Linux kernel >= 2.6.31 } # diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 529fbd9..5b9ebbb 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -338,6 +338,7 @@ General { TCP SCTP DCCP + # ICMP # This requires a Linux kernel >= 2.6.31 } # diff --git a/include/network.h b/include/network.h index dfc3015..70812b1 100644 --- a/include/network.h +++ b/include/network.h @@ -217,6 +217,9 @@ enum nta_attr { NTA_SCTP_VTAG_REPL, /* uint32_t */ NTA_DCCP_STATE = 20, /* uint8_t */ NTA_DCCP_ROLE, /* uint8_t */ + NTA_ICMP_TYPE, /* uint8_t */ + NTA_ICMP_CODE, /* uint8_t */ + NTA_ICMP_ID, /* uint16_t */ NTA_MAX }; diff --git a/src/build.c b/src/build.c index defb2ec..6d8b12e 100644 --- a/src/build.c +++ b/src/build.c @@ -124,6 +124,13 @@ static void build_l4proto_dccp(const struct nf_conntrack *ct, struct nethdr *n) __build_u8(ct, ATTR_DCCP_ROLE, n, NTA_DCCP_ROLE); } +static void build_l4proto_icmp(const struct nf_conntrack *ct, struct nethdr *n) +{ + __build_u8(ct, ATTR_ICMP_TYPE, n, NTA_ICMP_TYPE); + __build_u8(ct, ATTR_ICMP_CODE, n, NTA_ICMP_CODE); + __build_u16(ct, ATTR_ICMP_ID, n, NTA_ICMP_ID); +} + #ifndef IPPROTO_DCCP #define IPPROTO_DCCP 33 #endif @@ -134,9 +141,9 @@ static struct build_l4proto { [IPPROTO_TCP] = { .build = build_l4proto_tcp }, [IPPROTO_SCTP] = { .build = build_l4proto_sctp }, [IPPROTO_DCCP] = { .build = build_l4proto_dccp }, + [IPPROTO_ICMP] = { .build = build_l4proto_icmp }, }; -/* XXX: ICMP not supported */ void build_payload(const struct nf_conntrack *ct, struct nethdr *n) { uint8_t l4proto = nfct_get_attr_u8(ct, ATTR_L4PROTO); diff --git a/src/parse.c b/src/parse.c index b5f257c..e6eefe4 100644 --- a/src/parse.c +++ b/src/parse.c @@ -146,6 +146,21 @@ static struct parser h[NTA_MAX] = { .attr = ATTR_DCCP_ROLE, .size = NTA_SIZE(sizeof(uint8_t)), }, + [NTA_ICMP_TYPE] = { + .parse = parse_u8, + .attr = ATTR_ICMP_TYPE, + .size = NTA_SIZE(sizeof(uint8_t)), + }, + [NTA_ICMP_CODE] = { + .parse = parse_u8, + .attr = ATTR_ICMP_CODE, + .size = NTA_SIZE(sizeof(uint8_t)), + }, + [NTA_ICMP_ID] = { + .parse = parse_u16, + .attr = ATTR_ICMP_ID, + .size = NTA_SIZE(sizeof(uint16_t)), + }, }; static void |