diff options
author | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org> | 2005-12-03 22:33:53 +0000 |
---|---|---|
committer | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org> | 2005-12-03 22:33:53 +0000 |
commit | 5891b45e0eee0307a29ed5103fe6d596f6a37ebd (patch) | |
tree | 4da61210c620c3dc173257bf556f83627e52f7d6 /extensions | |
parent | 2082ea8a70a1c3b7c8b47115f00fcbe70fac9ffa (diff) | |
download | conntrack-tools-5891b45e0eee0307a29ed5103fe6d596f6a37ebd.tar.gz conntrack-tools-5891b45e0eee0307a29ed5103fe6d596f6a37ebd.zip |
o Add support to filter events. ie: -p tcp --orig-port-dst 80 in
conjuction with -E to get all the requests to HTTP servers
o Update manpage
o Missing static function declaration in the protocol handlers
o Use protocol flags defined in libnetfilter_conntrack
o Kill leftover #include "conntrack.h" in the ICMP helper
o Bumped version to 0.991
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/libct_proto_icmp.c | 39 | ||||
-rw-r--r-- | extensions/libct_proto_sctp.c | 44 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.c | 78 | ||||
-rw-r--r-- | extensions/libct_proto_udp.c | 71 |
4 files changed, 82 insertions, 150 deletions
diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c index dc7374e..afae25e 100644 --- a/extensions/libct_proto_icmp.c +++ b/extensions/libct_proto_icmp.c @@ -14,7 +14,7 @@ #include <netinet/in.h> /* For htons */ #include <netinet/ip_icmp.h> #include <libnetfilter_conntrack/libnetfilter_conntrack.h> -#include "conntrack.h" +#include <libnetfilter_conntrack/libnetfilter_conntrack_icmp.h> static struct option opts[] = { {"icmp-type", 1, 0, '1'}, @@ -23,18 +23,7 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum icmp_param_flags { - ICMP_TYPE_BIT = 0, - ICMP_TYPE = (1 << ICMP_TYPE_BIT), - - ICMP_CODE_BIT = 1, - ICMP_CODE = (1 << ICMP_CODE_BIT), - - ICMP_ID_BIT = 2, - ICMP_ID = (1 << ICMP_ID_BIT) -}; - -void help() +static void help() { fprintf(stdout, "--icmp-type icmp type\n"); fprintf(stdout, "--icmp-code icmp code\n"); @@ -52,12 +41,12 @@ static u_int8_t invmap[] [ICMP_ADDRESS] = ICMP_ADDRESSREPLY + 1, [ICMP_ADDRESSREPLY] = ICMP_ADDRESS + 1}; -int parse(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': @@ -86,10 +75,10 @@ int parse(char c, char *argv[], return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { if (!(flags & ICMP_TYPE)) return 0; @@ -109,9 +98,9 @@ static struct ctproto_handler icmp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&icmp); } diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c index 64cfd23..7ff1dcf 100644 --- a/extensions/libct_proto_sctp.c +++ b/extensions/libct_proto_sctp.c @@ -14,6 +14,7 @@ #include <netinet/in.h> /* For htons */ #include "conntrack.h" #include <libnetfilter_conntrack/libnetfilter_conntrack.h> +#include <libnetfilter_conntrack/libnetfilter_conntrack_sctp.h> static struct option opts[] = { {"orig-port-src", 1, 0, '1'}, @@ -24,23 +25,6 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum sctp_param_flags { - ORIG_SPORT_BIT = 0, - ORIG_SPORT = (1 << ORIG_SPORT_BIT), - - ORIG_DPORT_BIT = 1, - ORIG_DPORT = (1 << ORIG_DPORT_BIT), - - REPL_SPORT_BIT = 2, - REPL_SPORT = (1 << REPL_SPORT_BIT), - - REPL_DPORT_BIT = 3, - REPL_DPORT = (1 << REPL_DPORT_BIT), - - STATE_BIT = 4, - STATE = (1 << STATE_BIT) -}; - static const char *states[] = { "NONE", "CLOSED", @@ -52,7 +36,7 @@ static const char *states[] = { "SHUTDOWN_ACK_SENT", }; -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); @@ -61,12 +45,12 @@ void help() fprintf(stdout, "--state SCTP state, fe. ESTABLISHED\n"); } -int parse_options(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse_options(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': @@ -115,10 +99,10 @@ int parse_options(char c, char *argv[], return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { int ret = 0; @@ -154,9 +138,9 @@ static struct ctproto_handler sctp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&sctp); } diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index 3a01c0a..35fa292 100644 --- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c @@ -13,6 +13,7 @@ #include <string.h> #include <netinet/in.h> /* For htons */ #include <libnetfilter_conntrack/libnetfilter_conntrack.h> +#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h> #include "conntrack.h" @@ -27,29 +28,6 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum tcp_param_flags { - ORIG_SPORT_BIT = 0, - ORIG_SPORT = (1 << ORIG_SPORT_BIT), - - ORIG_DPORT_BIT = 1, - ORIG_DPORT = (1 << ORIG_DPORT_BIT), - - REPL_SPORT_BIT = 2, - REPL_SPORT = (1 << REPL_SPORT_BIT), - - REPL_DPORT_BIT = 3, - REPL_DPORT = (1 << REPL_DPORT_BIT), - - MASK_SPORT_BIT = 4, - MASK_SPORT = (1 << MASK_SPORT_BIT), - - MASK_DPORT_BIT = 5, - MASK_DPORT = (1 << MASK_DPORT_BIT), - - STATE_BIT = 6, - STATE = (1 << STATE_BIT) -}; - static const char *states[] = { "NONE", "SYN_SENT", @@ -63,7 +41,7 @@ static const char *states[] = { "LISTEN" }; -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); @@ -74,48 +52,48 @@ void help() fprintf(stdout, "--state TCP state, fe. ESTABLISHED\n"); } -int parse_options(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse_options(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': if (optarg) { orig->l4src.tcp.port = htons(atoi(optarg)); - *flags |= ORIG_SPORT; + *flags |= TCP_ORIG_SPORT; } break; case '2': if (optarg) { orig->l4dst.tcp.port = htons(atoi(optarg)); - *flags |= ORIG_DPORT; + *flags |= TCP_ORIG_DPORT; } break; case '3': if (optarg) { reply->l4src.tcp.port = htons(atoi(optarg)); - *flags |= REPL_SPORT; + *flags |= TCP_REPL_SPORT; } break; case '4': if (optarg) { reply->l4dst.tcp.port = htons(atoi(optarg)); - *flags |= REPL_DPORT; + *flags |= TCP_REPL_DPORT; } break; case '5': if (optarg) { mask->l4src.tcp.port = htons(atoi(optarg)); - *flags |= MASK_SPORT; + *flags |= TCP_MASK_SPORT; } break; case '6': if (optarg) { mask->l4dst.tcp.port = htons(atoi(optarg)); - *flags |= MASK_DPORT; + *flags |= TCP_MASK_DPORT; } break; case '7': @@ -131,37 +109,37 @@ int parse_options(char c, char *argv[], printf("doh?\n"); return 0; } - *flags |= STATE; + *flags |= TCP_STATE; } break; } return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { int ret = 0; - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && !(flags & (REPL_SPORT|REPL_DPORT))) { + if ((flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) + && !(flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))) { reply->l4src.tcp.port = orig->l4dst.tcp.port; reply->l4dst.tcp.port = orig->l4src.tcp.port; ret = 1; - } else if (!(flags & (ORIG_SPORT|ORIG_DPORT)) - && (flags & (REPL_SPORT|REPL_DPORT))) { + } else if (!(flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) + && (flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))) { orig->l4src.tcp.port = reply->l4dst.tcp.port; orig->l4dst.tcp.port = reply->l4src.tcp.port; ret = 1; } - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && ((flags & (REPL_SPORT|REPL_DPORT)))) + if ((flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) + && ((flags & (TCP_REPL_SPORT|TCP_REPL_DPORT)))) ret = 1; /* --state is missing and we are trying to create a conntrack */ - if (ret && (command & CT_CREATE) && (!(flags & STATE))) + if (ret && (command & CT_CREATE) && (!(flags & TCP_STATE))) ret = 0; return ret; @@ -177,9 +155,9 @@ static struct ctproto_handler tcp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&tcp); } diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c index 958d464..974e455 100644 --- a/extensions/libct_proto_udp.c +++ b/extensions/libct_proto_udp.c @@ -13,6 +13,7 @@ #include <netinet/in.h> /* For htons */ #include "conntrack.h" #include <libnetfilter_conntrack/libnetfilter_conntrack.h> +#include <libnetfilter_conntrack/libnetfilter_conntrack_udp.h> static struct option opts[] = { {"orig-port-src", 1, 0, '1'}, @@ -24,27 +25,7 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum udp_param_flags { - ORIG_SPORT_BIT = 0, - ORIG_SPORT = (1 << ORIG_SPORT_BIT), - - ORIG_DPORT_BIT = 1, - ORIG_DPORT = (1 << ORIG_DPORT_BIT), - - REPL_SPORT_BIT = 2, - REPL_SPORT = (1 << REPL_SPORT_BIT), - - REPL_DPORT_BIT = 3, - REPL_DPORT = (1 << REPL_DPORT_BIT), - - MASK_SPORT_BIT = 4, - MASK_SPORT = (1 << MASK_SPORT_BIT), - - MASK_DPORT_BIT = 5, - MASK_DPORT = (1 << MASK_DPORT_BIT), -}; - -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); @@ -54,72 +35,72 @@ void help() fprintf(stdout, "--mask-port-dst mask destination port\n"); } -int parse_options(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse_options(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': if (optarg) { orig->l4src.udp.port = htons(atoi(optarg)); - *flags |= ORIG_SPORT; + *flags |= UDP_ORIG_SPORT; } break; case '2': if (optarg) { orig->l4dst.udp.port = htons(atoi(optarg)); - *flags |= ORIG_DPORT; + *flags |= UDP_ORIG_DPORT; } break; case '3': if (optarg) { reply->l4src.udp.port = htons(atoi(optarg)); - *flags |= REPL_SPORT; + *flags |= UDP_REPL_SPORT; } break; case '4': if (optarg) { reply->l4dst.udp.port = htons(atoi(optarg)); - *flags |= REPL_DPORT; + *flags |= UDP_REPL_DPORT; } break; case '5': if (optarg) { mask->l4src.udp.port = htons(atoi(optarg)); - *flags |= MASK_SPORT; + *flags |= UDP_MASK_SPORT; } break; case '6': if (optarg) { mask->l4dst.udp.port = htons(atoi(optarg)); - *flags |= MASK_DPORT; + *flags |= UDP_MASK_DPORT; } break; } return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && !(flags & (REPL_SPORT|REPL_DPORT))) { + if ((flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) + && !(flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))) { reply->l4src.udp.port = orig->l4dst.udp.port; reply->l4dst.udp.port = orig->l4src.udp.port; return 1; - } else if (!(flags & (ORIG_SPORT|ORIG_DPORT)) - && (flags & (REPL_SPORT|REPL_DPORT))) { + } else if (!(flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) + && (flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))) { orig->l4src.udp.port = reply->l4dst.udp.port; orig->l4dst.udp.port = reply->l4src.udp.port; return 1; } - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && ((flags & (REPL_SPORT|REPL_DPORT)))) + if ((flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) + && ((flags & (UDP_REPL_SPORT|UDP_REPL_DPORT)))) return 1; return 0; @@ -135,9 +116,9 @@ static struct ctproto_handler udp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&udp); } |