authorPablo Neira Ayuso <pablo@netfilter.org>2009-10-06 11:19:28 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2009-12-19 15:24:20 +0100
commit65645763ebe870fa01b5c1a5dbe810feb9397ff2 (patch)
tree05ecf9a76c8d77bf0cf5e7e331a08d980fe87e80
parent2f52fea14f94fb267e22280bce2d45f44c3b34f0 (diff)
conntrackd: add ICMP support for state-synchronization
This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/sync/alarm/conntrackd.conf1
-rw-r--r--doc/sync/ftfw/conntrackd.conf1
-rw-r--r--doc/sync/notrack/conntrackd.conf1
-rw-r--r--include/network.h3
-rw-r--r--src/build.c9
-rw-r--r--src/parse.c15
6 files changed, 29 insertions, 1 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 800012f..3424e39 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -332,6 +332,7 @@ General {
TCP
SCTP
DCCP
+ # ICMP # This requires a Linux kernel >= 2.6.31
}
#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 81f2de1..df10aca 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -357,6 +357,7 @@ General {
TCP
SCTP
DCCP
+ # ICMP # This requires a Linux kernel >= 2.6.31
}
#
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 529fbd9..5b9ebbb 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -338,6 +338,7 @@ General {
TCP
SCTP
DCCP
+ # ICMP # This requires a Linux kernel >= 2.6.31
}
#
diff --git a/include/network.h b/include/network.h
index dfc3015..70812b1 100644
--- a/include/network.h
+++ b/include/network.h
@@ -217,6 +217,9 @@ enum nta_attr {
NTA_SCTP_VTAG_REPL, /* uint32_t */
NTA_DCCP_STATE = 20, /* uint8_t */
NTA_DCCP_ROLE, /* uint8_t */
+ NTA_ICMP_TYPE, /* uint8_t */
+ NTA_ICMP_CODE, /* uint8_t */
+ NTA_ICMP_ID, /* uint16_t */
NTA_MAX
};
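Review bot: The three new attribute types take their wire values implicitly (22 to 24, counting on from `NTA_DCCP_STATE = 20`), and a peer built before this change has a smaller `NTA_MAX`. How such a peer handles an attribute type at or above its own `NTA_MAX` is not visible in this hunk, so confirm it skips or rejects those attributes cleanly before enabling ICMP on one node of a mixed-version pair. I would also pin the first new value, `NTA_ICMP_TYPE = 22, /* uint8_t */`, so a later insertion cannot renumber attributes that are already on the wire.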
diff --git a/src/build.c b/src/build.c
index defb2ec..6d8b12e 100644
--- a/src/build.c
+++ b/src/build.c
@@ -124,6 +124,13 @@ static void build_l4proto_dccp(const struct nf_conntrack *ct, struct nethdr *n)
__build_u8(ct, ATTR_DCCP_ROLE, n, NTA_DCCP_ROLE);
}
+static void build_l4proto_icmp(const struct nf_conntrack *ct, struct nethdr *n)
+{
+ __build_u8(ct, ATTR_ICMP_TYPE, n, NTA_ICMP_TYPE);
+ __build_u8(ct, ATTR_ICMP_CODE, n, NTA_ICMP_CODE);
+ __build_u16(ct, ATTR_ICMP_ID, n, NTA_ICMP_ID);
+}
+
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif
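Review bot: `build_l4proto_icmp` emits all three attributes unconditionally, and this hunk does not show what `__build_u8` and `__build_u16` put on the wire when an attribute is not set on `ct`. If they do not check for that themselves, guard the body with `if (!nfct_attr_is_set(ct, ATTR_ICMP_TYPE)) return;` so the peer is never sent zeroed type/code/id values. A short comment such as `/* ICMP type, code and id: the peer needs all three to recreate the entry */` would also explain why this builder sends three attributes.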
@@ -134,9 +141,9 @@ static struct build_l4proto {
[IPPROTO_TCP] = { .build = build_l4proto_tcp },
[IPPROTO_SCTP] = { .build = build_l4proto_sctp },
[IPPROTO_DCCP] = { .build = build_l4proto_dccp },
+ [IPPROTO_ICMP] = { .build = build_l4proto_icmp },
};
-/* XXX: ICMP not supported */
void build_payload(const struct nf_conntrack *ct, struct nethdr *n)
{
uint8_t l4proto = nfct_get_attr_u8(ct, ATTR_L4PROTO);
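Review bot: Only `[IPPROTO_ICMP]` is added to the dispatch table, so ICMPv6 flows still have no `.build` handler and, as far as this hunk shows, are not synchronized. If the same three attributes apply to ICMPv6 entries, add `[IPPROTO_ICMPV6] = { .build = build_l4proto_icmp },` next to the new line. Otherwise replace the removed `/* XXX: ICMP not supported */` with `/* XXX: ICMPv6 not supported */` so the gap stays documented. The table declaration and `build_payload` both extend beyond the hunk, so how a protocol without a handler is treated is not visible here.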
diff --git a/src/parse.c b/src/parse.c
index b5f257c..e6eefe4 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -146,6 +146,21 @@ static struct parser h[NTA_MAX] = {
.attr = ATTR_DCCP_ROLE,
.size = NTA_SIZE(sizeof(uint8_t)),
},
+ [NTA_ICMP_TYPE] = {
+ .parse = parse_u8,
+ .attr = ATTR_ICMP_TYPE,
+ .size = NTA_SIZE(sizeof(uint8_t)),
+ },
+ [NTA_ICMP_CODE] = {
+ .parse = parse_u8,
+ .attr = ATTR_ICMP_CODE,
+ .size = NTA_SIZE(sizeof(uint8_t)),
+ },
+ [NTA_ICMP_ID] = {
+ .parse = parse_u16,
+ .attr = ATTR_ICMP_ID,
+ .size = NTA_SIZE(sizeof(uint16_t)),
+ },
};
static void