diff options
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | conntrack.8 | 152 | ||||
-rw-r--r-- | extensions/Makefile.am | 4 | ||||
-rw-r--r-- | extensions/libct_proto_icmp.c | 2 | ||||
-rw-r--r-- | extensions/libct_proto_icmp.man | 10 | ||||
-rw-r--r-- | extensions/libct_proto_sctp.c | 160 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.c | 18 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.man | 16 | ||||
-rw-r--r-- | extensions/libct_proto_udp.man | 13 | ||||
-rw-r--r-- | src/conntrack.c | 86 | ||||
-rw-r--r-- | src/libct.c | 25 |
13 files changed, 468 insertions, 32 deletions
@@ -1 +1,2 @@ Pablo Neira Ayuso <pablo@eurodev.net> +Harald Welte <laforge@netfilter.org> @@ -1,3 +1,14 @@ +2005-05-23 +<laforge@netfilter.org> + o Fixed syntax error (tab/space issue) in help message + o Fixed getopt handling on big endian machines + o Fixed possible future read-over-end-of-array in TCP extension + o Add manpage + o Add missing space at output of libct_proto_icmp.c + o Add status bits that were introduced in 2.6.11 + o Add SCTP extension + o Add support for expect creation + o Bump version number to 0.63 2005-04-25 <pablo@eurodev.net> o Added support for mask based event dumping diff --git a/configure.in b/configure.in index 468e759..efdacf1 100644 --- a/configure.in +++ b/configure.in @@ -2,7 +2,7 @@ AC_INIT AC_CANONICAL_SYSTEM -AM_INIT_AUTOMAKE(conntrack, 0.50) +AM_INIT_AUTOMAKE(conntrack, 0.63) AM_CONFIG_HEADER(config.h) AC_PROG_CC diff --git a/conntrack.8 b/conntrack.8 new file mode 100644 index 0000000..5ba8494 --- /dev/null +++ b/conntrack.8 @@ -0,0 +1,152 @@ +.TH CONNTRACK 8 "Jun 23, 2005" "" "" + +.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005) + +.SH NAME +conntrack \- administration tool for netfilter connection tracking +.SH SYNOPSIS +.BR "conntrack -L [table] [-z]" +.br +.BR "conntrack -G [table] parameters" +.br +.BR "conntrack -D [table] paramaters" +.br +.BR "conntrack -I [table] parameters" +.br +.BR "conntrack -E [table] parameters" +.br +.BR "conntrack -F [table]" +.br +.BR "conntrack -A [table] [options]" +.SH DESCRIPTION +.B conntrack +is used to search, list, inspect and maintain the netfilter connection tracking +subsystem of the Linux kernel. +.PP +Using +.B conntrack +, you can dump a list of all (or a filtered selection of) currently tracked +connections, delete connections from the state table, and even add new ones. +.PP +In addition, you can also monitor connection tracking events, e.g. show an +event message (one line) per newly established connection. +.SH TABLES +The connection tracking subsystem maintains two internal tables: +.TP +.BR "conntrack" : +This is the default table. It contains a list of all currently tracked +connections through the system. If you don't use connection tracking +exemptions (NOTRACK iptables target), this means all connections that go +through the system. +.TP +.BR "expect" : +This is the table of expectations. Connection tracking expectations are the +mechanism used to "expect" RELATED connections to existing ones. Expectations +are generally used by "connection tracking helpers" (sometimes called +application level gateways [ALGs]) for more complex protocols such as FTP, +SIP, H.323. +.SH OPTIONS +The options recognized by +.B conntrack +can be divided into several different groups. +.SS COMMANDS +These options specify the particular operation to perform. Only one of them +can be specified at any given time. +.TP +.BI "-L --dump " +List connection tacking or expectation table +.TP +.BI "-G, --get " +Search for and show a particular (matching) entry in the given table. +.TP +.BI "-D, --delete " +Delete an entry from the given table. +.TP +.BI "-I, --create " +Create a new entry from the given table. +.TP +.BI "-E, --event " +Display a real-time event log. +.TP +.BI "-F, --flush " +Flush the whole given table +.TP +.BI "-A, --action " +Set an action. +.SS PARAMETERS +.TP +.BI "-z, --zero " +Atomically zero counters after reading them. This option is only valid in +combination with the "-L, --dump" command options. +.TP +.BI "-e, --event-mask " "[ALL|NEW|RELATED|DESTROY|REFRESH|STATUS|PROTOINFO|HELPER|HELPINFO|NATINFO][,...]" +Set the bitmask of events that are to be generated by the in-kernel ctnetlink +event code. Using this parameter, you can reduce the event messages generated +by the kernel to those types to those that you are actually interested in. +. +Please note that this is a system-wide setting, so make sure to not disable some events that other ctnetlink-using processes might need! +This option can only be used in conjunction with "-A, --action". +.TP +.BI "-m, --dump-mask " "[ALL|TUPLE|STATUS|TIMEOUT|PROTOINFO|HELPINFO|COUNTERS|MARK][,...]" +Set the bitmask of data fields that are to be sent with each message generated +by the in-kernel ctnetlink code. Using this parameter, you can reduce the +amount of information sent by the kernel to those bits and pieces that you are +actually interested in. +Please note that this is a system-wide setting, so make sure to not disable some data fields that other ctnetlink-using processes might need! +This option can only be used in conjunction with "-A, --action". +.TP +.BI "-g, --group-mask " "[ALL|TCP|UDP|ICMP][,...]" +Set the group bitmask to those netlink groups (resembling layer 4 protocols) +that you're actually interested in. +This option can only be used in conjunction with "-E, --event". +.SS FILTER PARAMETERS +.TP +.BI "-s, --orig-src " IP_ADDRESS +Match only entries whose source address in the original direction equals the one specified as argument. +.TP +.BI "-d, --orig-dst " IP_ADDRESS +Match only entries whose destination address in the original direction equals the one specified as argument. +.TP +.BI "-r, --reply-src " IP_ADDRESS +Match only entries whose source address in the reply direction equals the one specified as argument. +.TP +.BI "-q, --reply-dst " IP_ADDRESS +Match only entries whose destination address in the reply direction equals the one specified as argument. +.TP +.BI "-p, --proto " "PROTO " +Specify layer four (TCP, UDP, ...) protocol. +.TP +.BI "-t, --timeout " "TIMEOUT" +Specify the timeout. +.TP +.BI "-u, --status " "[EXPECTED|ASSURED|SEEN_REPLY|CONFIRMED|SNAT|DNAT|SEQ_ADJUST|UNSET][,...]" +Specify the conntrack status. +.TP +.BI "--tuple-src " IP_ADDRESS +Specify the tuple source address of an expectation. +.TP +.BI "--tuple-dst " IP_ADDRESS +Specify the tuple destination address of an expectation. +.TP +.BI "--mask-src " IP_ADDRESS +Specify the source address mask of an expectation. +.TP +.BI "--mask-dst " IP_ADDRESS +Specify the destination address mask of an expectation. +.SH DIAGNOSTICS +The exit code is 0 for correct function. Errors which appear to be caused by +invalid command line parameters cause an exit code of 2. Any other errors +cause an exit code of 1. +.SH BUGS +Bugs? What's this ;-) +.SH SEE ALSO +.BR iptables (8) +.br +See +.BR "http://netfilter.org/" . +.SH AUTHORS +Jay Schulist, Patrick McHardy and Harald Welte wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool. +.PP +Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters. +.PP +Man page written by Harald Welte <laforge@netfilter.org>. diff --git a/extensions/Makefile.am b/extensions/Makefile.am index ab29a6d..ecd3a91 100644 --- a/extensions/Makefile.am +++ b/extensions/Makefile.am @@ -8,8 +8,10 @@ INCLUDES=-I../include -I/lib/modules/$(shell (uname -r))/build/include CFLAGS=-fPIC -Wall LIBS= -lib_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la libct_proto_icmp.la +lib_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la libct_proto_icmp.la \ + libct_proto_sctp.la libct_proto_tcp_la_SOURCES = libct_proto_tcp.c libct_proto_udp_la_SOURCES = libct_proto_udp.c libct_proto_icmp_la_SOURCES = libct_proto_icmp.c +libct_proto_sctp_la_SOURCES = libct_proto_sctp.c diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c index 43ffa30..6a2db92 100644 --- a/extensions/libct_proto_icmp.c +++ b/extensions/libct_proto_icmp.c @@ -81,7 +81,7 @@ int final_check(unsigned int flags) void print_tuple(struct ip_conntrack_tuple *t) { - fprintf(stdout, "type=%d code=%d id=%d", t->dst.u.icmp.type, + fprintf(stdout, "type=%d code=%d id=%d ", t->dst.u.icmp.type, t->dst.u.icmp.code, t->src.u.icmp.id); } diff --git a/extensions/libct_proto_icmp.man b/extensions/libct_proto_icmp.man new file mode 100644 index 0000000..3b860d0 --- /dev/null +++ b/extensions/libct_proto_icmp.man @@ -0,0 +1,10 @@ +This module matches on ICMP-specific fields. +.TP +.BI "--icmp-type " "TYPE" +ICMP Type. Has to be specified numerically. +.TP +.BI "--icmp-code " "CODE" +ICMP Code. Has to be specified numerically. +.TP +.BI "--icmp-id " "ID" +ICMP Id. Has to be specified numerically. diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c new file mode 100644 index 0000000..b84c2ba --- /dev/null +++ b/extensions/libct_proto_sctp.c @@ -0,0 +1,160 @@ +/* + * (C) 2005 by Harald Welte <lafoorge@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation + * + */ +#include <stdio.h> +#include <getopt.h> +#include <stdlib.h> +#include <string.h> +#include <netinet/in.h> /* For htons */ +#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> +#include "libct_proto.h" + +static struct option opts[] = { + {"orig-port-src", 1, 0, '1'}, + {"orig-port-dst", 1, 0, '2'}, + {"reply-port-src", 1, 0, '3'}, + {"reply-port-dst", 1, 0, '4'}, + {"state", 1, 0, '5'}, + {0, 0, 0, 0} +}; + +enum sctp_param_flags { + ORIG_SPORT_BIT = 0, + ORIG_SPORT = (1 << ORIG_SPORT_BIT), + + ORIG_DPORT_BIT = 1, + ORIG_DPORT = (1 << ORIG_DPORT_BIT), + + REPL_SPORT_BIT = 2, + REPL_SPORT = (1 << REPL_SPORT_BIT), + + REPL_DPORT_BIT = 3, + REPL_DPORT = (1 << REPL_DPORT_BIT), + + STATE_BIT = 4, + STATE = (1 << STATE_BIT) +}; + +static const char *states[] = { + "NONE", + "CLOSED", + "COOKIE_WAIT", + "COOKIE_ECHOED", + "ESTABLISHED", + "SHUTDOWN_SENT", + "SHUTDOWN_RECV", + "SHUTDOWN_ACK_SENT", +}; + +static void help() +{ + fprintf(stdout, "--orig-port-src original source port\n"); + fprintf(stdout, "--orig-port-dst original destination port\n"); + fprintf(stdout, "--reply-port-src reply source port\n"); + fprintf(stdout, "--reply-port-dst reply destination port\n"); + fprintf(stdout, "--state SCTP state, eg. ESTABLISHED\n"); +} + +static int parse(char c, char *argv[], + struct ip_conntrack_tuple *orig, + struct ip_conntrack_tuple *reply, + union ip_conntrack_proto *proto, + unsigned int *flags) +{ + switch(c) { + case '1': + if (optarg) { + orig->src.u.sctp.port = htons(atoi(optarg)); + *flags |= ORIG_SPORT; + } + break; + case '2': + if (optarg) { + orig->dst.u.sctp.port = htons(atoi(optarg)); + *flags |= ORIG_DPORT; + } + break; + case '3': + if (optarg) { + reply->src.u.sctp.port = htons(atoi(optarg)); + *flags |= REPL_SPORT; + } + break; + case '4': + if (optarg) { + reply->dst.u.sctp.port = htons(atoi(optarg)); + *flags |= REPL_DPORT; + } + break; + case '5': + if (optarg) { + int i; + for (i=0; i<10; i++) { + if (strcmp(optarg, states[i]) == 0) { + proto->sctp.state = i; + break; + } + } + if (i == 10) { + printf("doh?\n"); + return 0; + } + } + break; + } + return 1; +} + +static int final_check(unsigned int flags) +{ + if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT)) + return 1; + else if ((flags & REPL_SPORT) && (flags & REPL_DPORT)) + return 1; + + return 0; +} + +static void print_tuple(struct ip_conntrack_tuple *t) +{ + fprintf(stdout, "sport=%d dport=%d ", ntohs(t->src.u.sctp.port), + ntohs(t->dst.u.sctp.port)); +} + +static void print_proto(union ip_conntrack_proto *proto) +{ + if (proto->sctp.state > sizeof(states)/sizeof(char *)) + fprintf(stdout, "[%u] ", proto->sctp.state); + else + fprintf(stdout, "[%s] ", states[proto->sctp.state]); +} + +static struct ctproto_handler sctp = { + .name = "sctp", + .protonum = 132, + .parse = parse, + .print_tuple = print_tuple, + .print_proto = print_proto, + .final_check = final_check, + .help = help, + .opts = opts, +}; + +void __attribute__ ((constructor)) init(void); +void __attribute__ ((destructor)) fini(void); + +void init(void) +{ + register_proto(&sctp); +} + +void fini(void) +{ + unregister_proto(&sctp); +} diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index 4cddf53..45ee29b 100644 --- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c @@ -10,6 +10,7 @@ #include <stdio.h> #include <getopt.h> #include <stdlib.h> +#include <string.h> #include <netinet/in.h> /* For htons */ #include <linux/netfilter_ipv4/ip_conntrack_tuple.h> #include <linux/netfilter_ipv4/ip_conntrack.h> @@ -54,7 +55,7 @@ static const char *states[] = { "LISTEN" }; -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); @@ -63,7 +64,7 @@ void help() fprintf(stdout, "--state TCP state, fe. ESTABLISHED\n"); } -int parse(char c, char *argv[], +static int parse(char c, char *argv[], struct ip_conntrack_tuple *orig, struct ip_conntrack_tuple *reply, union ip_conntrack_proto *proto, @@ -113,7 +114,7 @@ int parse(char c, char *argv[], return 1; } -int final_check(unsigned int flags) +static int final_check(unsigned int flags) { if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT)) return 1; @@ -123,15 +124,18 @@ int final_check(unsigned int flags) return 0; } -void print_tuple(struct ip_conntrack_tuple *t) +static void print_tuple(struct ip_conntrack_tuple *t) { fprintf(stdout, "sport=%d dport=%d ", ntohs(t->src.u.tcp.port), ntohs(t->dst.u.tcp.port)); } -void print_proto(union ip_conntrack_proto *proto) +static void print_proto(union ip_conntrack_proto *proto) { - fprintf(stdout, "[%s] ", states[proto->tcp.state]); + if (proto->tcp.state > sizeof(states)/sizeof(char *)) + fprintf(stdout, "[%u] ", states[proto->tcp.state]); + else + fprintf(stdout, "[%s] ", states[proto->tcp.state]); } static struct ctproto_handler tcp = { @@ -142,7 +146,7 @@ static struct ctproto_handler tcp = { .print_proto = print_proto, .final_check = final_check, .help = help, - .opts = opts + .opts = opts, }; void __attribute__ ((constructor)) init(void); diff --git a/extensions/libct_proto_tcp.man b/extensions/libct_proto_tcp.man new file mode 100644 index 0000000..41783f8 --- /dev/null +++ b/extensions/libct_proto_tcp.man @@ -0,0 +1,16 @@ +This module matches on TCP-specific fields. +.TP +.BI "--orig-port-src " "PORT" +Source port in original direction +.TP +.BI "--orig-port-dst " "PORT" +Destination port in original direction +.TP +.BI "--reply-port-src " "PORT" +Source port in reply direction +.TP +.BI "--reply-port-dst " "PORT" +Destination port in reply direction +.TP +.BI "--state " "[NONE|SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|LISTEN]" +TCP state diff --git a/extensions/libct_proto_udp.man b/extensions/libct_proto_udp.man new file mode 100644 index 0000000..c67fedf --- /dev/null +++ b/extensions/libct_proto_udp.man @@ -0,0 +1,13 @@ +This module matches on UDP-specific fields. +.TP +.BI "--orig-port-src " "PORT" +Source port in original direction +.TP +.BI "--orig-port-dst " "PORT" +Destination port in original direction +.TP +.BI "--reply-port-src " "PORT" +Source port in reply direction +.TP +.BI "--reply-port-dst " "PORT" +Destination port in reply direction diff --git a/src/conntrack.c b/src/conntrack.c index 11a6b54..dfedf68 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -25,6 +25,8 @@ * * 2005-04-16 Harald Welte <laforge@netfilter.org>: * Add support for conntrack accounting and conntrack mark + * 2005-06-23 Harald Welte <laforge@netfilter.org>: + * Add support for expect creation * */ #include <stdio.h> @@ -47,7 +49,7 @@ #include "libct_proto.h" #define PROGNAME "conntrack" -#define VERSION "0.62" +#define VERSION "0.63" #if 0 #define DEBUGP printf @@ -127,11 +129,22 @@ enum options { CT_OPT_EVENT_MASK_BIT = 10, CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT), + CT_OPT_TUPLE_SRC_BIT = 11, + CT_OPT_TUPLE_SRC = (1 << CT_OPT_TUPLE_SRC_BIT), + + CT_OPT_TUPLE_DST_BIT = 12, + CT_OPT_TUPLE_DST = (1 << CT_OPT_TUPLE_DST_BIT), + + CT_OPT_MASK_SRC_BIT = 13, + CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT), + + CT_OPT_MASK_DST_BIT = 14, + CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT), }; -#define NUMBER_OF_OPT 11 +#define NUMBER_OF_OPT 15 static const char optflags[NUMBER_OF_OPT] -= { 's', 'd', 'r', 'q', 'p', 't', 'u', 'z','m','g','e'}; += { 's', 'd', 'r', 'q', 'p', 't', 'u', 'z','m','g','e', '[',']','{','}'}; static struct option original_opts[] = { {"dump", 2, 0, 'L'}, @@ -154,6 +167,10 @@ static struct option original_opts[] = { {"dump-mask", 1, 0, 'm'}, {"groups", 1, 0, 'g'}, {"event-mask", 1, 0, 'e'}, + {"tuple-src", 1, 0, '['}, + {"tuple-dst", 1, 0, ']'}, + {"mask-src", 1, 0, '{'}, + {"mask-dst", 1, 0, '}'}, {0, 0, 0, 0} }; @@ -174,16 +191,16 @@ static unsigned int global_option_offset = 0; static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = /* Well, it's better than "Re: Linux vs FreeBSD" */ { - /* -s -d -r -q -p -t -u -z -m -g -e */ -/*LIST*/ {'x','x','x','x','x','x','x',' ','x','x','x'}, -/*CREATE*/ {'+','+','+','+','+','+','+','x','x','x','x'}, -/*DELETE*/ {' ',' ',' ',' ',' ','x','x','x','x','x','x'}, -/*GET*/ {' ',' ',' ',' ','+','x','x','x','x','x','x'}, -/*FLUSH*/ {'x','x','x','x','x','x','x','x','x','x','x'}, -/*EVENT*/ {'x','x','x','x','x','x','x','x','x',' ','x'}, -/*ACTION*/ {'x','x','x','x','x','x','x','x',' ','x',' '}, -/*VERSION*/ {'x','x','x','x','x','x','x','x','x','x','x'}, -/*HELP*/ {'x','x','x','x',' ','x','x','x','x','x','x'}, + /* -s -d -r -q -p -t -u -z -m -g -e ts td ms md */ +/*LIST*/ {'x','x','x','x','x','x','x',' ','x','x','x','x','x','x','x'}, +/*CREATE*/ {'+','+','+','+','+','+','+','x','x','x','x','+','+','+','+'}, +/*DELETE*/ {' ',' ',' ',' ',' ','x','x','x','x','x','x',' ',' ',' ',' '}, +/*GET*/ {' ',' ',' ',' ','+','x','x','x','x','x','x',' ',' ',' ',' '}, +/*FLUSH*/ {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'}, +/*EVENT*/ {'x','x','x','x','x','x','x','x','x',' ','x','x','x','x','x'}, +/*ACTION*/ {'x','x','x','x','x','x','x','x',' ','x',' ','x','x','x','x'}, +/*VERSION*/ {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'}, +/*HELP*/ {'x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x'}, }; /* FIXME: hardcoded!, this must be defined during compilation time */ @@ -355,9 +372,11 @@ static struct parse_parameter { size_t size; unsigned int value[10]; } parse_array[PARSE_MAX] = { - { {"ASSURED", "SEEN_REPLY", "UNSET"}, - 3, - { IPS_ASSURED, IPS_SEEN_REPLY, 0} }, + { {"EXPECTED", "ASSURED", "SEEN_REPLY", "CONFIRMED", "SNAT", "DNAT", + "SEQ_ADJUST", "UNSET"}, + 8, + { IPS_EXPECTED, IPS_ASSURED, IPS_SEEN_REPLY, IPS_CONFIRMED, + IPS_SRC_NAT, IPS_DST_NAT, IPS_SEQ_ADJUST, 0} }, { {"ALL", "TCP", "UDP", "ICMP"}, 4, {~0U, NFGRP_IPV4_CT_TCP, NFGRP_IPV4_CT_UDP, NFGRP_IPV4_CT_ICMP} }, @@ -502,7 +521,7 @@ fprintf(stdout, "Usage: %s [commands] [options]\n", prog); fprintf(stdout, "\n"); fprintf(stdout, "Commands:\n"); fprintf(stdout, "-L [table] [-z] List conntrack or expectation table\n"); -fprintf(stdout, "-G [table] parameters Get conntrack or expectation\n"); +fprintf(stdout, "-G [table] parameters Get conntrack or expectation\n"); fprintf(stdout, "-D [table] parameters Delete conntrack or expectation\n"); fprintf(stdout, "-I [table] parameters Create a conntrack or expectation\n"); fprintf(stdout, "-E [table] [options] Show events\n"); @@ -514,6 +533,10 @@ fprintf(stdout, "--orig-src ip Source address from original direction\n"); fprintf(stdout, "--orig-dst ip Destination address from original direction\n"); fprintf(stdout, "--reply-src ip Source addres from reply direction\n"); fprintf(stdout, "--reply-dst ip Destination address from reply direction\n"); +fprintf(stdout, "--tuple-src ip Source address in expect tuple\n"); +fprintf(stdout, "--tuple-dst ip Destination address in expect tuple\n"); +fprintf(stdout, "--mask-src ip Source mask in expect\n"); +fprintf(stdout, "--mask-dst ip Destination mask in expect\n"); fprintf(stdout, "-p proto Layer 4 Protocol\n"); fprintf(stdout, "-t timeout Set timeout\n"); fprintf(stdout, "-u status Set status\n"); @@ -525,9 +548,9 @@ fprintf(stdout, "-z Zero Counters\n"); int main(int argc, char *argv[]) { - char c; + int c; unsigned int command = 0, options = 0; - struct ip_conntrack_tuple orig, reply, *o = NULL, *r = NULL; + struct ip_conntrack_tuple orig, reply, tuple, mask, *o = NULL, *r = NULL; struct ctproto_handler *h = NULL; union ip_conntrack_proto proto; unsigned long timeout = 0; @@ -543,7 +566,7 @@ int main(int argc, char *argv[]) reply.dst.dir = IP_CT_DIR_REPLY; while ((c = getopt_long(argc, argv, - "L::I::D::G::E::A::F::hVs:d:r:q:p:t:u:m:g:e:z", + "L::I::D::G::E::A::F::hVs:d:r:q:p:t:u:m:g:e:z[:]:{:}:", opts, NULL)) != -1) { switch(c) { case 'L': @@ -644,6 +667,26 @@ int main(int argc, char *argv[]) case 'z': options |= CT_OPT_ZERO; break; + case '[': + options |= CT_OPT_TUPLE_SRC; + if (optarg) + tuple.src.ip = inet_addr(optarg); + break; + case ']': + options |= CT_OPT_TUPLE_DST; + if (optarg) + tuple.dst.ip = inet_addr(optarg); + break; + case '{': + options |= CT_OPT_MASK_SRC; + if (optarg) + mask.src.ip = inet_addr(optarg); + break; + case '}': + options |= CT_OPT_MASK_DST; + if (optarg) + mask.dst.ip = inet_addr(optarg); + break; default: if (h && h->parse && !h->parse(c - h->option_offset, argv, &orig, &reply, @@ -687,7 +730,8 @@ int main(int argc, char *argv[]) res = create_conntrack(&orig, &reply, timeout, &proto, status); else - not_implemented_yet(); + res = create_expect(&tuple, &mask, &orig, + &reply, timeout); break; case CT_DELETE: diff --git a/src/libct.c b/src/libct.c index d40c7f1..0555ec8 100644 --- a/src/libct.c +++ b/src/libct.c @@ -1,5 +1,6 @@ /* - * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net> + * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>, + * Harald Welte <laforge@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -233,6 +234,28 @@ int create_conntrack(struct ip_conntrack_tuple *orig, return 0; } +int create_expect(struct ip_conntrack_tuple *tuple, + struct ip_conntrack_tuple *mask, + struct ip_conntrack_tuple *master_tuple_orig, + struct ip_conntrack_tuple *master_tuple_reply, + unsigned long timeout) +{ + struct ctnl_handle cth; + int ret; + + if ((ret = ctnl_open(&cth, 0)) < 0) + return ret; + + if ((ret = ctnl_new_expect(&cth, tuple, mask, master_tuple_orig, + master_tuple_reply, timeout)) < 0) + return ret; + + if ((ret = ctnl_close(&cth)) < 0) + return ret; + + return -1; +} + int delete_conntrack(struct ip_conntrack_tuple *tuple, enum ctattr_type_t t) { |