conntrack: fix coupled-options sanity checkings

This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. Under
some specific situations, like the creation and getting of
a conntrack, you may specify the original or the reply tuple
but at least one MUST be present. This handling has been
always tricky, it still remains but we're more user friendly
at least.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

4 files changed, 56 insertions, 57 deletions

diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index 51366f1..3a346ed 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -103,7 +103,7 @@ static void final_check(unsigned int flags,
 	generic_opt_check(flags,
 			  ICMP_NUMBER_OF_OPT,
 			  icmp_commands_v_options[cmd],
-			  icmp_optflags);
+			  icmp_optflags, NULL, 0, NULL);
 }
 
 static struct ctproto_handler icmp = {
diff --git a/extensions/libct_proto_icmpv6.c b/extensions/libct_proto_icmpv6.c
index cfc5979..070eb7f 100644
--- a/extensions/libct_proto_icmpv6.c
+++ b/extensions/libct_proto_icmpv6.c
@@ -103,10 +103,9 @@ static void final_check(unsigned int flags,
 		        unsigned int cmd,
 		        struct nf_conntrack *ct)
 {
-	generic_opt_check(flags,
-			  ICMPV6_NUMBER_OF_OPT,
-			  icmpv6_commands_v_options[cmd],
-			  icmpv6_optflags);
+	generic_opt_check(flags, ICMPV6_NUMBER_OF_OPT,
+			  icmpv6_commands_v_options[cmd], icmpv6_optflags,
+			  NULL, 0, NULL);
 }
 
 static struct ctproto_handler icmpv6 = {
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index 30d7229..ac54ac7 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -56,10 +56,10 @@ static char tcp_commands_v_options[NUMBER_OF_CMD][TCP_NUMBER_OF_OPT] =
 {
 	    	/* 1 2 3 4 5 6 7 8 9 */
 /*CT_LIST*/   	  {2,2,2,2,0,0,2,0,0},
-/*CT_CREATE*/	  {2,2,2,2,0,0,1,0,0},
+/*CT_CREATE*/	  {3,3,3,3,0,0,1,0,0},
 /*CT_UPDATE*/	  {2,2,2,2,0,0,2,0,0},
 /*CT_DELETE*/	  {2,2,2,2,0,0,2,0,0},
-/*CT_GET*/	  {2,2,2,2,0,0,2,0,0},
+/*CT_GET*/	  {3,3,3,3,0,0,2,0,0},
 /*CT_FLUSH*/	  {0,0,0,0,0,0,0,0,0},
 /*CT_EVENT*/	  {2,2,2,2,0,0,2,0,0},
 /*CT_VERSION*/	  {0,0,0,0,0,0,0,0,0},
@@ -172,36 +172,36 @@ static int parse_options(char c,
 	return 1;
 }
 
+#define TCP_VALID_FLAGS_MAX   2
+static unsigned int tcp_valid_flags[TCP_VALID_FLAGS_MAX] = {
+       CT_TCP_ORIG_SPORT | CT_TCP_ORIG_DPORT,
+       CT_TCP_REPL_SPORT | CT_TCP_REPL_DPORT,
+};
+
 static void final_check(unsigned int flags,
 			unsigned int cmd,
 			struct nf_conntrack *ct)
 {
-	if ((1 << cmd) & (CT_CREATE|CT_GET)) {
-		if (!(flags & CT_TCP_ORIG_SPORT) &&
-		     (flags & CT_TCP_ORIG_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--sport'");
-		}
-		if ((flags & CT_TCP_ORIG_SPORT) &&
-		    !(flags & CT_TCP_ORIG_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--dport'");
-		}
-		if (!(flags & CT_TCP_REPL_SPORT) &&
-		    (flags & CT_TCP_REPL_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--reply-port-src'");
-		}
-		if ((flags & CT_TCP_REPL_SPORT) &&
-		    !(flags & CT_TCP_REPL_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--reply-port-dst'");
+	int ret, partial;
+
+	ret = generic_opt_check(flags, TCP_NUMBER_OF_OPT,
+				tcp_commands_v_options[cmd], tcp_optflags,
+				tcp_valid_flags, TCP_VALID_FLAGS_MAX, &partial);
+	if (!ret) {
+		switch(partial) {
+		case -1:
+		case 0:
+			exit_error(PARAMETER_PROBLEM, "you have to specify "
+						      "`--sport' and "
+						      "`--dport'");
+			break;
+		case 1:
+			exit_error(PARAMETER_PROBLEM, "you have to specify "
+						      "`--reply-src-port' and "
+						      "`--reply-dst-port'");
+			break;
 		}
 	}
-	generic_opt_check(flags, 
-			  TCP_NUMBER_OF_OPT,
-			  tcp_commands_v_options[cmd],
-			  tcp_optflags);
 }
 
 static struct ctproto_handler tcp = {
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index 4f34e3b..d7c4da1 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -64,10 +64,10 @@ static char udp_commands_v_options[NUMBER_OF_CMD][UDP_NUMBER_OF_OPT] =
 {
 		/* 1 2 3 4 5 6 7 8 */
 /*CT_LIST*/	  {2,2,2,2,0,0,0,0},
-/*CT_CREATE*/     {2,2,2,2,0,0,0,0},
+/*CT_CREATE*/     {3,3,3,3,0,0,0,0},
 /*CT_UPDATE*/     {2,2,2,2,0,0,0,0},
 /*CT_DELETE*/     {2,2,2,2,0,0,0,0},
-/*CT_GET*/        {2,2,2,2,0,0,0,0},
+/*CT_GET*/        {3,3,3,3,0,0,0,0},
 /*CT_FLUSH*/      {0,0,0,0,0,0,0,0},
 /*CT_EVENT*/      {2,2,2,2,0,0,0,0},
 /*CT_VERSION*/    {0,0,0,0,0,0,0,0},
@@ -144,36 +144,36 @@ static int parse_options(char c,
 	return 1;
 }
 
+#define UDP_VALID_FLAGS_MAX   2
+static unsigned int udp_valid_flags[UDP_VALID_FLAGS_MAX] = {
+       CT_UDP_ORIG_SPORT | CT_UDP_ORIG_DPORT,
+       CT_UDP_REPL_SPORT | CT_UDP_REPL_DPORT,
+};
+
 static void final_check(unsigned int flags,
 		        unsigned int cmd,
 		        struct nf_conntrack *ct)
 {
-	if ((1 << cmd) & (CT_CREATE|CT_GET)) {
-		if (!(flags & CT_UDP_ORIG_SPORT) &&
-		     (flags & CT_UDP_ORIG_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--sport'");
-		}
-		if ((flags & CT_UDP_ORIG_SPORT) &&
-		    !(flags & CT_UDP_ORIG_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--dport'");
-		}
-		if (!(flags & CT_UDP_REPL_SPORT) &&
-		    (flags & CT_UDP_REPL_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--reply-port-src'");
-		}
-		if ((flags & CT_UDP_REPL_SPORT) &&
-		    !(flags & CT_UDP_REPL_DPORT)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "missing `--reply-port-dst'");
+	int ret, partial;
+
+	ret = generic_opt_check(flags, UDP_NUMBER_OF_OPT,
+				udp_commands_v_options[cmd], udp_optflags,
+				udp_valid_flags, UDP_VALID_FLAGS_MAX, &partial);
+	if (!ret) {
+		switch(partial) {
+		case -1:
+		case 0:
+			exit_error(PARAMETER_PROBLEM, "you have to specify "
+						      "`--sport' and "
+						      "`--dport'");
+			break;
+		case 1:
+			exit_error(PARAMETER_PROBLEM, "you have to specify "
+						      "`--reply-src-port' and "
+						      "`--reply-dst-port'");
+			break;
 		}
 	}
-	generic_opt_check(flags, 
-			  UDP_NUMBER_OF_OPT,
-			  udp_commands_v_options[cmd],
-			  udp_optflags);
 }
 
 static struct ctproto_handler udp = {