-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | conntrack.8 | 28 | ||||
-rw-r--r-- | extensions/libct_proto_icmp.c | 21 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.c | 18 | ||||
-rw-r--r-- | extensions/libct_proto_udp.c | 16 | ||||
-rw-r--r-- | include/conntrack.h | 17 | ||||
-rw-r--r-- | src/conntrack.c | 53 |
7 files changed, 96 insertions, 60 deletions
@@ -32,13 +32,14 @@ o add support to dump internal/external cache in XML format '-x' = conntrack = o port conntrack to the new libnetfilter_conntrack API -o introduce '--xml' option for '-L', '-G' and '-E' +o introduce '--output xml,extended,timestamp' option for '-L', '-G' and '-E' o deprecated '--id' o replace '-a' by '--src-nat' and '--dst-nat' o use positive logic in error handling o remove sctp support until is fully supported in the kernel side o update conntrack manpage o update test.sh file in examples/cli/ +o several fixes for the output of usage messages version 0.9.2 (2006/01/17) -------------------------- diff --git a/conntrack.8 b/conntrack.8 index 6c5d9d6..3a35613 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -4,7 +4,7 @@ .\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007) .SH NAME -conntrack \- administration tool for netfilter connection tracking +conntrack \- command line interface for netfilter connection tracking .SH SYNOPSIS .BR "conntrack -L [table] [-z]" .br @@ -19,9 +19,7 @@ conntrack \- administration tool for netfilter connection tracking .BR "conntrack -F [table]" .SH DESCRIPTION .B conntrack -is used to search, list, inspect and maintain the netfilter connection tracking -subsystem of the Linux kernel. -.PP +provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using .B conntrack , you can dump a list of all (or a filtered selection of) currently tracked 
@@ -75,9 +73,9 @@ Flush the whole given table Atomically zero counters after reading them. This option is only valid in combination with the "-L, --dump" command options. .TP -.BI "-x, --xml " -Display output in XML format. This option is only valid in combination with -the "-L, --dump", "-E, --event" and "-G, --get" command options. +.BI "-o, --output [extended,xml,timestamp] " +Display output in a certain format. This option is only valid in combination +with the "-L, --dump", "-E, --event" and "-G, --get" command options. .TP .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]" Set the bitmask of events that are to be generated by the in-kernel ctnetlink @@ -132,6 +130,22 @@ Specify the destination address mask of an expectation. The exit code is 0 for correct function. Errors which appear to be caused by invalid command line parameters cause an exit code of 2. Any other errors cause an exit code of 1. +.SH EXAMPLES +.TP +.B conntrack \-L +Dump the connection tracking table in /proc/net/ip_conntrack format +.TP +.B conntrack \-L -o extended +Dump the connection tracking table in /proc/net/nf_conntrack format +.TP +.B conntrack \-L \-o xml +Dump the connection tracking table in XML +.TP +.B conntrack \-L -f ipv6 -o extended +Only dump IPv6 connections in /proc/net/nf_conntrack format +.TP +.B conntrack \-E \-o timestamp +Show connection events together with the timestamp .SH BUGS Bugs? What's this ;-) .SH SEE ALSO diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c index 7b02dec..5c7717a 100644 --- a/extensions/libct_proto_icmp.c +++ b/extensions/libct_proto_icmp.c 
@@ -26,22 +26,11 @@ static struct option opts[] = { static void help() { - fprintf(stdout, "--icmp-type icmp type\n"); - fprintf(stdout, "--icmp-code icmp code\n"); - fprintf(stdout, "--icmp-id icmp id\n"); + fprintf(stdout, " --icmp-type\t\t\ticmp type\n"); + fprintf(stdout, " --icmp-code\t\t\ticmp code\n"); + fprintf(stdout, " --icmp-id\t\t\ticmp id\n"); } -/* Add 1; spaces filled with 0. */ -static u_int8_t invmap[] - = { [ICMP_ECHO] = ICMP_ECHOREPLY + 1, - [ICMP_ECHOREPLY] = ICMP_ECHO + 1, - [ICMP_TIMESTAMP] = ICMP_TIMESTAMPREPLY + 1, - [ICMP_TIMESTAMPREPLY] = ICMP_TIMESTAMP + 1, - [ICMP_INFO_REQUEST] = ICMP_INFO_REPLY + 1, - [ICMP_INFO_REPLY] = ICMP_INFO_REQUEST + 1, - [ICMP_ADDRESS] = ICMP_ADDRESSREPLY + 1, - [ICMP_ADDRESSREPLY] = ICMP_ADDRESS + 1}; - static int parse(char c, char *argv[], struct nf_conntrack *ct, struct nf_conntrack *exptuple, @@ -56,10 +45,6 @@ static int parse(char c, char *argv[], nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, atoi(optarg)); - /* FIXME: - reply->l4dst.icmp.type = - invmap[orig->l4dst.icmp.type] - 1; - */ *flags |= ICMP_TYPE; break; case '2': diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index 736bcff..5a5c5c4 100644 --- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c 
@@ -45,15 +45,15 @@ static const char *states[] = { static void help() { - fprintf(stdout, "--orig-port-src original source port\n"); - fprintf(stdout, "--orig-port-dst original destination port\n"); - fprintf(stdout, "--reply-port-src reply source port\n"); - fprintf(stdout, "--reply-port-dst reply destination port\n"); - fprintf(stdout, "--mask-port-src mask source port\n"); - fprintf(stdout, "--mask-port-dst mask destination port\n"); - fprintf(stdout, "--tuple-port-src expectation tuple src port\n"); - fprintf(stdout, "--tuple-port-src expectation tuple dst port\n"); - fprintf(stdout, "--state TCP state, fe. ESTABLISHED\n"); + fprintf(stdout, " --orig-port-src\t\toriginal source port\n"); + fprintf(stdout, " --orig-port-dst\t\toriginal destination port\n"); + fprintf(stdout, " --reply-port-src\t\treply source port\n"); + fprintf(stdout, " --reply-port-dst\t\treply destination port\n"); + fprintf(stdout, " --mask-port-src\t\tmask source port\n"); + fprintf(stdout, " --mask-port-dst\t\tmask destination port\n"); + fprintf(stdout, " --tuple-port-src\t\texpectation tuple src port\n"); + fprintf(stdout, " --tuple-port-src\t\texpectation tuple dst port\n"); + fprintf(stdout, " --state\t\t\tTCP state, fe. ESTABLISHED\n"); } static int parse_options(char c, char *argv[], diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c index 1bc70d4..6e8d13c 100644 --- a/extensions/libct_proto_udp.c +++ b/extensions/libct_proto_udp.c 
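Review bot: The rewritten help text in libct_proto_tcp.c still lists `--tuple-port-src` twice; the second occurrence describes the expectation tuple destination port and should read `fprintf(stdout, " --tuple-port-dst\t\texpectation tuple dst port\n");`. The udp help() in the following hunk (libct_proto_udp.c) carries the same duplicated line. Whether the parser actually accepts `--tuple-port-dst` is not visible here, since the opts[] table sits above the hunk, so the corrected name should be checked against that table before landing.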
@@ -31,14 +31,14 @@ static struct option opts[] = { static void help() { - fprintf(stdout, "--orig-port-src original source port\n"); - fprintf(stdout, "--orig-port-dst original destination port\n"); - fprintf(stdout, "--reply-port-src reply source port\n"); - fprintf(stdout, "--reply-port-dst reply destination port\n"); - fprintf(stdout, "--mask-port-src mask source port\n"); - fprintf(stdout, "--mask-port-dst mask destination port\n"); - fprintf(stdout, "--tuple-port-src expectation tuple src port\n"); - fprintf(stdout, "--tuple-port-src expectation tuple dst port\n"); + fprintf(stdout, " --orig-port-src\t\toriginal source port\n"); + fprintf(stdout, " --orig-port-dst\t\toriginal destination port\n"); + fprintf(stdout, " --reply-port-src\t\treply source port\n"); + fprintf(stdout, " --reply-port-dst\t\treply destination port\n"); + fprintf(stdout, " --mask-port-src\t\tmask source port\n"); + fprintf(stdout, " --mask-port-dst\t\tmask destination port\n"); + fprintf(stdout, " --tuple-port-src\t\texpectation tuple src port\n"); + fprintf(stdout, " --tuple-port-src\t\texpectation tuple dst port\n"); } static int parse_options(char c, char *argv[], diff --git a/include/conntrack.h b/include/conntrack.h index 50aec19..31f4f4f 100644 --- a/include/conntrack.h +++ b/include/conntrack.h @@ -124,13 +124,24 @@ enum options { CT_OPT_DST_NAT_BIT = 18, CT_OPT_DST_NAT = (1 << CT_OPT_DST_NAT_BIT), - CT_OPT_XML_BIT = 19, - CT_OPT_XML = (1 << CT_OPT_XML_BIT), + CT_OPT_OUTPUT_BIT = 19, + CT_OPT_OUTPUT = (1 << CT_OPT_OUTPUT_BIT), - CT_OPT_MAX = CT_OPT_XML_BIT + CT_OPT_MAX = CT_OPT_OUTPUT_BIT }; #define NUMBER_OF_OPT CT_OPT_MAX+1 +enum { + _O_XML_BIT = 0, + _O_XML = (1 << _O_XML_BIT), + + _O_EXT_BIT = 1, + _O_EXT = (1 << _O_EXT_BIT), + + _O_TMS_BIT = 2, + _O_TMS = (1 << _O_TMS_BIT), +}; + struct ctproto_handler { struct list_head head; diff --git a/src/conntrack.c b/src/conntrack.c index e9e8167..2339a2c 100644 --- a/src/conntrack.c +++ b/src/conntrack.c 
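Review bot: The new enumerators `_O_XML_BIT`, `_O_XML`, `_O_EXT_BIT`, `_O_EXT`, `_O_TMS_BIT` and `_O_TMS` in include/conntrack.h start with an underscore followed by an uppercase letter, a form the C standard reserves for the implementation (C99 7.1.3), so they can collide with names from system headers. Renaming them with the file's existing `CT_` prefix, e.g. `CT_OUTPUT_XML`, `CT_OUTPUT_EXT`, `CT_OUTPUT_TMS`, removes the hazard; the uses in src/conntrack.c would change with them. Because the enum is anonymous, a one-line comment above it such as `/* bit flags selected by -o/--output; combined into a mask */` would tell readers what these values are for.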
@@ -96,7 +96,7 @@ static struct option original_opts[] = { {"family", 1, 0, 'f'}, {"src-nat", 1, 0, 'n'}, {"dst-nat", 1, 0, 'g'}, - {"xml", 0, 0, 'x'}, + {"output", 0, 0, 'o'}, {0, 0, 0, 0} }; @@ -118,7 +118,7 @@ static unsigned int global_option_offset = 0; static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = /* Well, it's better than "Re: Linux vs FreeBSD" */ { - /* s d r q p t u z e x y k l a m i f n g x */ + /* s d r q p t u z e [ ] { } a m i f n g o */ /*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,0,0,2}, /*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0}, /*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0,0,0,0}, @@ -343,7 +343,8 @@ err2str(int err, enum action command) #define PARSE_STATUS 0 #define PARSE_EVENT 1 -#define PARSE_MAX 2 +#define PARSE_OUTPUT 2 +#define PARSE_MAX 3 static struct parse_parameter { char *parameter[6]; @@ -355,6 +356,9 @@ static struct parse_parameter { { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4, {~0U, NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_UPDATE, NF_NETLINK_CONNTRACK_DESTROY} }, + { {"xml", "extended", "timestamp" }, 3, + { _O_XML, _O_EXT, _O_TMS }, + }, }; static int @@ -542,12 +546,12 @@ static const char usage_tables[] = static const char usage_conntrack_parameters[] = "Conntrack parameters and options:\n" - " -n, --src-nat ip\tsource NAT ip\n" - " -g, --dst-nat ip\tdestination NAT ip\n" + " -n, --src-nat ip\t\t\tsource NAT ip\n" + " -g, --dst-nat ip\t\t\tdestination NAT ip\n" " -m, --mark mark\t\t\tSet mark\n" " -e, --event-mask eventmask\t\tEvent mask, eg. NEW,DESTROY\n" " -z, --zero \t\t\t\tZero counters while listing\n" - " -x, --xml \t\t\t\tDisplay output in XML format\n"; + " -o, --output type[,...]\t\tOutput format, eg. xml\n"; ; static const char usage_expectation_parameters[] = 
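Review bot: The new long-option entry `{"output", 0, 0, 'o'}` declares no argument, while the short-option string in a later hunk (`...f:o:`) and the `case 'o'` handler that passes `optarg` to parse_parameter both expect one; getopt_long consults the option table for long options, so `--output xml` leaves optarg NULL (and `--output=xml` is rejected as taking no argument) and parse_parameter is then handed a null pointer. The entry should read `{"output", 1, 0, 'o'},`. The handler in the final hunk would also be more defensive as `if (optarg) parse_parameter(optarg, &output_mask, PARSE_OUTPUT);`, though how parse_parameter itself reacts to NULL is outside this diff.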
@@ -571,7 +575,8 @@ static const char usage_parameters[] = void usage(char *prog) { - fprintf(stdout, "Tool to manipulate conntrack and expectations. Version %s\n", VERSION); + fprintf(stdout, "Command line interface for the connection " + "tracking system. Version %s\n", VERSION); fprintf(stdout, "Usage: %s [commands] [options]\n", prog); fprintf(stdout, "\n%s", usage_commands); @@ -581,7 +586,7 @@ void usage(char *prog) { fprintf(stdout, "\n%s", usage_parameters); } -unsigned int output_flags = NFCT_O_DEFAULT; +static unsigned int output_mask; static int event_cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, @@ -589,12 +594,25 @@ static int event_cb(enum nf_conntrack_msg_type type, { char buf[1024]; struct nf_conntrack *obj = data; + unsigned int output_type = NFCT_O_DEFAULT; + unsigned int output_flags = 0; if (options & CT_COMPARISON && !nfct_compare(obj, ct)) return NFCT_CB_CONTINUE; - nfct_snprintf(buf, 1024, ct, type, output_flags, 0); + if (output_mask & _O_XML) + output_type = NFCT_O_XML; + if (output_mask & _O_EXT) + output_flags = NFCT_OF_SHOW_LAYER3; + if ((output_mask & _O_TMS) && !(output_mask & _O_XML)) { + struct timeval tv; + gettimeofday(&tv, NULL); + printf("[%-8ld.%-6ld]\t", tv.tv_sec, tv.tv_usec); + } + + nfct_snprintf(buf, 1024, ct, type, output_type, output_flags); printf("%s\n", buf); + fflush(stdout); return NFCT_CB_CONTINUE; } @@ -605,11 +623,18 @@ static int dump_cb(enum nf_conntrack_msg_type type, { char buf[1024]; struct nf_conntrack *obj = data; + unsigned int output_type = NFCT_O_DEFAULT; + unsigned int output_flags = 0; if (options & CT_COMPARISON && !nfct_compare(obj, ct)) return NFCT_CB_CONTINUE; - nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, output_flags, 0); + if (output_mask & _O_XML) + output_type = NFCT_O_XML; + if (output_mask & _O_EXT) + output_flags = NFCT_OF_SHOW_LAYER3; + + nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, output_type, output_flags); printf("%s\n", buf); return NFCT_CB_CONTINUE; 
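Review bot: The timestamp added to event_cb prints the microseconds with `%-6ld`, which left-justifies and space-pads the field, so 5 µs comes out as `.5     ` and reads as half a second; it needs zero padding, `printf("[%-8ld.%06ld]\t", (long)tv.tv_sec, (long)tv.tv_usec);`, and the casts keep the format portable because time_t and suseconds_t are not guaranteed to be long. The mask-to-type/flags mapping in event_cb is repeated verbatim in dump_cb in the next hunk; a small static helper that takes output_mask and fills output_type and output_flags would keep the two from drifting when further output bits are added. A comment on the gettimeofday call, `/* time the event reached userspace, not when the kernel generated it */`, would help readers of timestamped logs. event_cb's parameter list sits above the hunk.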
@@ -652,7 +677,7 @@ int main(int argc, char *argv[]) memset(__exp, 0, sizeof(__exp)); while ((c = getopt_long(argc, argv, - "L::I::U::D::G::E::F::hVs:d:r:q:p:t:u:e:a:z[:]:{:}:m:i::f:x", + "L::I::U::D::G::E::F::hVs:d:r:q:p:t:u:e:a:z[:]:{:}:m:i::f:o:", opts, NULL)) != -1) { switch(c) { case 'L': @@ -931,9 +956,9 @@ int main(int argc, char *argv[]) exit_error(PARAMETER_PROBLEM, "Unknown " "protocol family\n"); break; - case 'x': - options |= CT_OPT_XML; - output_flags = NFCT_O_XML; + case 'o': + options |= CT_OPT_OUTPUT; + parse_parameter(optarg, &output_mask, PARSE_OUTPUT); break; default: if (h && h->parse_opts |