author | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org> | 2005-06-24 16:28:24 +0000 |
---|---|---|
committer | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org> | 2005-06-24 16:28:24 +0000 |
commit | e8c0b55fc1aac2238419cf6119930559d5c3119b (patch) | |
tree | 661764c91f6a22c6b4b9e51ad166d436f7d4466a /extensions | |
parent | ce61f15a286854ce74e864924b552a55432785f5 (diff) | |
download | conntrack-tools-e8c0b55fc1aac2238419cf6119930559d5c3119b.tar.gz conntrack-tools-e8c0b55fc1aac2238419cf6119930559d5c3119b.zip |
o Fixed syntax error (tab/space issue) in help message
o Fixed getopt handling on big endian machines
o Fixed possible future read-over-end-of-array in TCP extension
o Add manpage
o Add missing space at output of libct_proto_icmp.c
o Add status bits that were introduced in 2.6.11
o Add SCTP extension
o Add support for expect creation
o Bump version number to 0.63
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/Makefile.am | 4 | ||||
-rw-r--r-- | extensions/libct_proto_icmp.c | 2 | ||||
-rw-r--r-- | extensions/libct_proto_icmp.man | 10 | ||||
-rw-r--r-- | extensions/libct_proto_sctp.c | 160 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.c | 18 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.man | 16 | ||||
-rw-r--r-- | extensions/libct_proto_udp.man | 13 |
7 files changed, 214 insertions, 9 deletions
diff --git a/extensions/Makefile.am b/extensions/Makefile.am index ab29a6d..ecd3a91 100644 --- a/extensions/Makefile.am +++ b/extensions/Makefile.am @@ -8,8 +8,10 @@ INCLUDES=-I../include -I/lib/modules/$(shell (uname -r))/build/include CFLAGS=-fPIC -Wall LIBS= -lib_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la libct_proto_icmp.la +lib_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la libct_proto_icmp.la \ + libct_proto_sctp.la libct_proto_tcp_la_SOURCES = libct_proto_tcp.c libct_proto_udp_la_SOURCES = libct_proto_udp.c libct_proto_icmp_la_SOURCES = libct_proto_icmp.c +libct_proto_sctp_la_SOURCES = libct_proto_sctp.c diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c index 43ffa30..6a2db92 100644 --- a/extensions/libct_proto_icmp.c +++ b/extensions/libct_proto_icmp.c @@ -81,7 +81,7 @@ int final_check(unsigned int flags) void print_tuple(struct ip_conntrack_tuple *t) { - fprintf(stdout, "type=%d code=%d id=%d", t->dst.u.icmp.type, + fprintf(stdout, "type=%d code=%d id=%d ", t->dst.u.icmp.type, t->dst.u.icmp.code, t->src.u.icmp.id); } diff --git a/extensions/libct_proto_icmp.man b/extensions/libct_proto_icmp.man new file mode 100644 index 0000000..3b860d0 --- /dev/null +++ b/extensions/libct_proto_icmp.man @@ -0,0 +1,10 @@ +This module matches on ICMP-specific fields. +.TP +.BI "--icmp-type " "TYPE" +ICMP Type. Has to be specified numerically. +.TP +.BI "--icmp-code " "CODE" +ICMP Code. Has to be specified numerically. +.TP +.BI "--icmp-id " "ID" +ICMP Id. Has to be specified numerically. diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c new file mode 100644 index 0000000..b84c2ba --- /dev/null +++ b/extensions/libct_proto_sctp.c 
@@ -0,0 +1,160 @@ +/* + * (C) 2005 by Harald Welte <lafoorge@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation + * + */ +#include <stdio.h> +#include <getopt.h> +#include <stdlib.h> +#include <string.h> +#include <netinet/in.h> /* For htons */ +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> +#include "libct_proto.h" + +static struct option opts[] = { + {"orig-port-src", 1, 0, '1'}, + {"orig-port-dst", 1, 0, '2'}, + {"reply-port-src", 1, 0, '3'}, + {"reply-port-dst", 1, 0, '4'}, + {"state", 1, 0, '5'}, + {0, 0, 0, 0} +}; + +enum sctp_param_flags { + ORIG_SPORT_BIT = 0, + ORIG_SPORT = (1 << ORIG_SPORT_BIT), + + ORIG_DPORT_BIT = 1, + ORIG_DPORT = (1 << ORIG_DPORT_BIT), + + REPL_SPORT_BIT = 2, + REPL_SPORT = (1 << REPL_SPORT_BIT), + + REPL_DPORT_BIT = 3, + REPL_DPORT = (1 << REPL_DPORT_BIT), + + STATE_BIT = 4, + STATE = (1 << STATE_BIT) +}; + +static const char *states[] = { + "NONE", + "CLOSED", + "COOKIE_WAIT", + "COOKIE_ECHOED", + "ESTABLISHED", + "SHUTDOWN_SENT", + "SHUTDOWN_RECV", + "SHUTDOWN_ACK_SENT", +}; + +static void help() +{ + fprintf(stdout, "--orig-port-src original source port\n"); + fprintf(stdout, "--orig-port-dst original destination port\n"); + fprintf(stdout, "--reply-port-src reply source port\n"); + fprintf(stdout, "--reply-port-dst reply destination port\n"); + fprintf(stdout, "--state SCTP state, eg. 
ESTABLISHED\n"); +} + +static int parse(char c, char *argv[], + struct ip_conntrack_tuple *orig, + struct ip_conntrack_tuple *reply, + union ip_conntrack_proto *proto, + unsigned int *flags) +{ + switch(c) { + case '1': + if (optarg) { + orig->src.u.sctp.port = htons(atoi(optarg)); + *flags |= ORIG_SPORT; + } + break; + case '2': + if (optarg) { + orig->dst.u.sctp.port = htons(atoi(optarg)); + *flags |= ORIG_DPORT; + } + break; + case '3': + if (optarg) { + reply->src.u.sctp.port = htons(atoi(optarg)); + *flags |= REPL_SPORT; + } + break; + case '4': + if (optarg) { + reply->dst.u.sctp.port = htons(atoi(optarg)); + *flags |= REPL_DPORT; + } + break; + case '5': + if (optarg) { + int i; + for (i=0; i<10; i++) { + if (strcmp(optarg, states[i]) == 0) { + proto->sctp.state = i; + break; + } + } + if (i == 10) { + printf("doh?\n"); + return 0; + } + } + break; + } + return 1; +} + +static int final_check(unsigned int flags) +{ + if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT)) + return 1; + else if ((flags & REPL_SPORT) && (flags & REPL_DPORT)) + return 1; + + return 0; +} + +static void print_tuple(struct ip_conntrack_tuple *t) +{ + fprintf(stdout, "sport=%d dport=%d ", ntohs(t->src.u.sctp.port), + ntohs(t->dst.u.sctp.port)); +} + +static void print_proto(union ip_conntrack_proto *proto) +{ + if (proto->sctp.state > sizeof(states)/sizeof(char *)) + fprintf(stdout, "[%u] ", proto->sctp.state); + else + fprintf(stdout, "[%s] ", states[proto->sctp.state]); +} + +static struct ctproto_handler sctp = { + .name = "sctp", + .protonum = 132, + .parse = parse, + .print_tuple = print_tuple, + .print_proto = print_proto, + .final_check = final_check, + .help = help, + .opts = opts, +}; + +void __attribute__ ((constructor)) init(void); +void __attribute__ ((destructor)) fini(void); + +void init(void) +{ + register_proto(&sctp); +} + +void fini(void) +{ + unregister_proto(&sctp); +} 
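Review bot: In parse() case '5', the state lookup runs `for (i=0; i<10; i++)` and tests `if (i == 10)`, but this file's `states[]` table has only eight entries, so strcmp() is handed `states[8]` and `states[9]` from past the end of the array — the same read-over-end-of-array this commit fixes in the TCP extension, carried into the SCTP copy with the TCP bound. Derive the bound from the table instead, e.g. `for (i = 0; i < (int)(sizeof(states)/sizeof(states[0])); i++)` and `if (i == (int)(sizeof(states)/sizeof(states[0])))`, or define one constant next to the table and use it in both places. print_proto() has the matching off-by-one: `if (proto->sctp.state > sizeof(states)/sizeof(char *))` still indexes `states[8]` when the state equals the element count, so the comparison should be `>=` (the print_proto() hunk in libct_proto_tcp.c has the same comparison). The four port options go through `htons(atoi(optarg))`, which silently accepts non-numeric input and truncates values above 65535; strtoul() with an end-pointer and a range check before the htons() would reject them with an error instead.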
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index 4cddf53..45ee29b 100644 --- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c @@ -10,6 +10,7 @@ #include <stdio.h> #include <getopt.h> #include <stdlib.h> +#include <string.h> #include <netinet/in.h> /* For htons */ #include <linux/netfilter_ipv4/ip_conntrack_tuple.h> #include <linux/netfilter_ipv4/ip_conntrack.h> @@ -54,7 +55,7 @@ static const char *states[] = { "LISTEN" }; -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); @@ -63,7 +64,7 @@ void help() fprintf(stdout, "--state TCP state, fe. ESTABLISHED\n"); } -int parse(char c, char *argv[], +static int parse(char c, char *argv[], struct ip_conntrack_tuple *orig, struct ip_conntrack_tuple *reply, union ip_conntrack_proto *proto, @@ -113,7 +114,7 @@ int parse(char c, char *argv[], return 1; } -int final_check(unsigned int flags) +static int final_check(unsigned int flags) { if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT)) return 1; @@ -123,15 +124,18 @@ int final_check(unsigned int flags) return 0; } -void print_tuple(struct ip_conntrack_tuple *t) +static void print_tuple(struct ip_conntrack_tuple *t) { fprintf(stdout, "sport=%d dport=%d ", ntohs(t->src.u.tcp.port), ntohs(t->dst.u.tcp.port)); } -void print_proto(union ip_conntrack_proto *proto) +static void print_proto(union ip_conntrack_proto *proto) { - fprintf(stdout, "[%s] ", states[proto->tcp.state]); + if (proto->tcp.state > sizeof(states)/sizeof(char *)) + fprintf(stdout, "[%u] ", states[proto->tcp.state]); + else + fprintf(stdout, "[%s] ", states[proto->tcp.state]); } static struct ctproto_handler tcp = { @@ -142,7 +146,7 @@ static struct ctproto_handler tcp = { .print_proto = print_proto, .final_check = final_check, .help = help, - .opts = opts + .opts = opts, }; void __attribute__ ((constructor)) init(void); 
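Review bot: In the print_proto() hunk, the new out-of-range branch `fprintf(stdout, "[%u] ", states[proto->tcp.state]);` passes a `const char *` to a `%u` conversion, and it still evaluates `states[proto->tcp.state]` — the out-of-bounds read the guard on the line above is there to prevent. The branch should print the raw number, `fprintf(stdout, "[%u] ", proto->tcp.state);`, leaving the table lookup to the else branch. The Makefile.am hunk shows these files build with `-Wall`, which includes `-Wformat`, so this mismatch should already be visible as a compiler warning; it is worth treating that warning as an error here. The comparison itself shares the `>` versus `>=` off-by-one noted on libct_proto_sctp.c.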
diff --git a/extensions/libct_proto_tcp.man b/extensions/libct_proto_tcp.man new file mode 100644 index 0000000..41783f8 --- /dev/null +++ b/extensions/libct_proto_tcp.man @@ -0,0 +1,16 @@ +This module matches on TCP-specific fields. +.TP +.BI "--orig-port-src " "PORT" +Source port in original direction +.TP +.BI "--orig-port-dst " "PORT" +Destination port in original direction +.TP +.BI "--reply-port-src " "PORT" +Source port in reply direction +.TP +.BI "--reply-port-dst " "PORT" +Destination port in reply direction +.TP +.BI "--state " "[NONE|SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|LISTEN]" +TCP state diff --git a/extensions/libct_proto_udp.man b/extensions/libct_proto_udp.man new file mode 100644 index 0000000..c67fedf --- /dev/null +++ b/extensions/libct_proto_udp.man @@ -0,0 +1,13 @@ +This module matches on UDP-specific fields. +.TP +.BI "--orig-port-src " "PORT" +Source port in original direction +.TP +.BI "--orig-port-dst " "PORT" +Destination port in original direction +.TP +.BI "--reply-port-src " "PORT" +Source port in reply direction +.TP +.BI "--reply-port-dst " "PORT" +Destination port in reply direction |