diff options
-rw-r--r-- | extensions/libct_proto_icmp.c | 19 | ||||
-rw-r--r-- | extensions/libct_proto_sctp.c | 9 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.c | 9 | ||||
-rw-r--r-- | extensions/libct_proto_udp.c | 8 | ||||
-rw-r--r-- | src/conntrack.c | 12 | ||||
-rw-r--r-- | src/libct.c | 60 |
6 files changed, 75 insertions, 42 deletions
diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c index 24d3d3f..e0de27e 100644 --- a/extensions/libct_proto_icmp.c +++ b/extensions/libct_proto_icmp.c @@ -1,5 +1,6 @@ /* * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net> + * Harald Welte <laforge@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -68,6 +69,21 @@ int parse(char c, char *argv[], return 1; } +void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple) +{ + if (cda[CTA_PROTO_ICMP_TYPE-1]) + tuple->l4dst.icmp.type = + *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_TYPE-1]); + + if (cda[CTA_PROTO_ICMP_CODE-1]) + tuple->l4dst.icmp.code = + *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_CODE-1]); + + if (cda[CTA_PROTO_ICMP_ID-1]) + tuple->l4src.icmp.id = + *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_ID-1]); +} + int final_check(unsigned int flags, struct ctnl_tuple *orig, struct ctnl_tuple *reply) @@ -82,7 +98,7 @@ int final_check(unsigned int flags, void print_proto(struct ctnl_tuple *t) { - fprintf(stdout, "type=%d code=%d id=%d", t->l4dst.icmp.type, + fprintf(stdout, "type=%d code=%d id=%d ", t->l4dst.icmp.type, t->l4dst.icmp.code, t->l4src.icmp.id); } @@ -91,6 +107,7 @@ static struct ctproto_handler icmp = { .name = "icmp", .protonum = 1, .parse_opts = parse, + .parse_proto = parse_proto, .print_proto = print_proto, .final_check = final_check, .help = help, diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c index 5b50fbc..d5ff298 100644 --- a/extensions/libct_proto_sctp.c +++ b/extensions/libct_proto_sctp.c @@ -10,6 +10,7 @@ #include <stdio.h> #include <getopt.h> #include <stdlib.h> +#include <string.h> #include <netinet/in.h> /* For htons */ #include <linux/netfilter_ipv4/ip_conntrack_netlink.h> #include "libct_proto.h" @@ -138,12 +139,12 @@ int final_check(unsigned int flags, void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple) { - if (cda[CTA_PROTO_SCTP_SRC-1]) + if (cda[CTA_PROTO_SRC_PORT-1]) tuple->l4src.sctp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SCTP_SRC-1]); - if (cda[CTA_PROTO_SCTP_DST-1]) + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); + if (cda[CTA_PROTO_DST_PORT-1]) tuple->l4dst.sctp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SCTP_DST-1]); + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); } void parse_protoinfo(struct nfattr *cda[], struct ctnl_conntrack *ct) diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index 5fa3652..973c5ab 100644 --- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c @@ -10,6 +10,7 @@ #include <stdio.h> #include <getopt.h> #include <stdlib.h> +#include <string.h> #include <netinet/in.h> /* For htons */ #include <linux/netfilter_ipv4/ip_conntrack_netlink.h> #include "libct_proto.h" @@ -160,12 +161,12 @@ int final_check(unsigned int flags, void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple) { - if (cda[CTA_PROTO_TCP_SRC-1]) + if (cda[CTA_PROTO_SRC_PORT-1]) tuple->l4src.tcp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_TCP_SRC-1]); - if (cda[CTA_PROTO_TCP_DST-1]) + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); + if (cda[CTA_PROTO_DST_PORT-1]) tuple->l4dst.tcp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_TCP_DST-1]); + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); } void parse_protoinfo(struct nfattr *cda[], struct ctnl_conntrack *ct) diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c index aa733f0..7821d5b 100644 --- a/extensions/libct_proto_udp.c +++ b/extensions/libct_proto_udp.c @@ -127,12 +127,12 @@ int final_check(unsigned int flags, void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple) { - if (cda[CTA_PROTO_UDP_SRC-1]) + if (cda[CTA_PROTO_SRC_PORT-1]) tuple->l4src.udp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_UDP_SRC-1]); - if (cda[CTA_PROTO_UDP_DST-1]) + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); + if (cda[CTA_PROTO_DST_PORT-1]) tuple->l4dst.udp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_UDP_DST-1]); + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); } void print_proto(struct ctnl_tuple *tuple) diff --git a/src/conntrack.c b/src/conntrack.c index a6efd8b..2a8fa87 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -455,7 +455,7 @@ parse_parameter(const char *arg, unsigned int *status, int parse_type) } static void -add_command(int *cmd, const int newcmd, const int othercmds) +add_command(unsigned int *cmd, const int newcmd, const int othercmds) { if (*cmd & (~othercmds)) exit_error(PARAMETER_PROBLEM, "Invalid commands combination\n"); @@ -884,7 +884,7 @@ int main(int argc, char *argv[]) timeout); else if (options & CT_OPT_REPL) res = create_expectation(&reply, - CTA_TUPLE_RPLY, + CTA_TUPLE_REPLY, &exptuple, &mask, timeout); @@ -909,7 +909,7 @@ int main(int argc, char *argv[]) res = delete_conntrack(&orig, CTA_TUPLE_ORIG, CTNL_DIR_ORIGINAL); else if (options & CT_OPT_REPL) - res = delete_conntrack(&reply, CTA_TUPLE_RPLY, + res = delete_conntrack(&reply, CTA_TUPLE_REPLY, CTNL_DIR_REPLY); break; @@ -917,21 +917,21 @@ int main(int argc, char *argv[]) if (options & CT_OPT_ORIG) res = delete_expectation(&orig, CTA_TUPLE_ORIG); else if (options & CT_OPT_REPL) - res = delete_expectation(&reply, CTA_TUPLE_RPLY); + res = delete_expectation(&reply, CTA_TUPLE_REPLY); break; case CT_GET: if (options & CT_OPT_ORIG) res = get_conntrack(&orig, CTA_TUPLE_ORIG, id); else if (options & CT_OPT_REPL) - res = get_conntrack(&reply, CTA_TUPLE_RPLY, id); + res = get_conntrack(&reply, CTA_TUPLE_REPLY, id); break; case EXP_GET: if (options & CT_OPT_ORIG) res = get_expect(&orig, CTA_TUPLE_ORIG); else if (options & CT_OPT_REPL) - res = get_expect(&reply, CTA_TUPLE_RPLY); + res = get_expect(&reply, CTA_TUPLE_REPLY); break; case CT_FLUSH: diff --git a/src/libct.c b/src/libct.c index 94e5b24..245c584 100644 --- a/src/libct.c +++ b/src/libct.c @@ -13,11 +13,12 @@ #include <stdlib.h> #include <signal.h> #include <errno.h> +#include <string.h> /* From kernel.h */ #define INT_MAX ((int)(~0U>>1)) #define INT_MIN (-INT_MAX - 1) #include <linux/netfilter_ipv4/ip_conntrack.h> -#include <linux/netfilter_ipv4/ip_conntrack_netlink.h> +#include <linux/netfilter/nfnetlink_conntrack.h> #include "libctnetlink.h" #include "libnfnetlink.h" #include "linux_list.h" @@ -48,7 +49,7 @@ static void parse_ip(struct nfattr *attr, struct ctnl_tuple *tuple) memset(tb, 0, CTA_IP_MAX * sizeof(struct nfattr *)); - nfnl_parse_attr(tb, CTA_IP_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr)); + nfnl_parse_nested(tb, CTA_IP_MAX, attr); if (tb[CTA_IP_V4_SRC-1]) tuple->src.v4 = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_SRC-1]); @@ -64,7 +65,7 @@ static void parse_proto(struct nfattr *attr, struct ctnl_tuple *tuple) memset(tb, 0, CTA_PROTO_MAX * sizeof(struct nfattr *)); - nfnl_parse_attr(tb, CTA_IP_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr)); + nfnl_parse_nested(tb, CTA_IP_MAX, attr); if (tb[CTA_PROTO_NUM-1]) tuple->protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]); @@ -79,7 +80,7 @@ static void parse_tuple(struct nfattr *attr, struct ctnl_tuple *tuple) memset(tb, 0, CTA_TUPLE_MAX*sizeof(struct nfattr *)); - nfnl_parse_attr(tb, CTA_TUPLE_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr)); + nfnl_parse_nested(tb, CTA_TUPLE_MAX, attr); if (tb[CTA_TUPLE_IP-1]) parse_ip(tb[CTA_TUPLE_IP-1], tuple); if (tb[CTA_TUPLE_PROTO-1]) @@ -93,7 +94,7 @@ static void parse_protoinfo(struct nfattr *attr, struct ctnl_conntrack *ct) memset(tb, 0, CTA_PROTOINFO_MAX*sizeof(struct nfattr *)); - nfnl_parse_attr(tb,CTA_PROTOINFO_MAX,NFA_DATA(attr), NFA_PAYLOAD(attr)); + nfnl_parse_nested(tb,CTA_PROTOINFO_MAX, attr); h = findproto(proto2str[ct->tuple[CTNL_DIR_ORIGINAL].protonum]); if (h && h->parse_protoinfo) @@ -107,27 +108,23 @@ static void parse_counters(struct nfattr *attr, struct ctnl_conntrack *ct, memset(tb, 0, CTA_COUNTERS_MAX*sizeof(struct nfattr *)); - nfnl_parse_attr(tb, CTA_COUNTERS_MAX, NFA_DATA(attr),NFA_PAYLOAD(attr)); - if (tb[CTA_COUNTERS_PACKETS_ORIG-1]) + nfnl_parse_nested(tb, CTA_COUNTERS_MAX, attr); + if (tb[CTA_COUNTERS_PACKETS-1]) ct->counters[CTNL_DIR_ORIGINAL].packets - = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_PACKETS_ORIG-1]); - if (tb[CTA_COUNTERS_BYTES_ORIG-1]) + = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_PACKETS-1]); + if (tb[CTA_COUNTERS_BYTES-1]) ct->counters[CTNL_DIR_ORIGINAL].bytes - = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_BYTES_ORIG-1]); - if (tb[CTA_COUNTERS_PACKETS_RPLY-1]) - ct->counters[CTNL_DIR_REPLY].packets - = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_PACKETS_RPLY-1]); - if (tb[CTA_COUNTERS_BYTES_RPLY-1]) - ct->counters[CTNL_DIR_REPLY].bytes - = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_BYTES_RPLY-1]); + = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_BYTES-1]); } +/* Some people seem to like counting in decimal... */ #define STATUS 1 #define PROTOINFO 2 #define TIMEOUT 4 #define MARK 8 #define COUNTERS 16 #define USE 32 +#define ID 64 static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg) { @@ -153,7 +150,7 @@ static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg) case CTA_TUPLE_ORIG: parse_tuple(attr, &ct.tuple[CTNL_DIR_ORIGINAL]); break; - case CTA_TUPLE_RPLY: + case CTA_TUPLE_REPLY: parse_tuple(attr, &ct.tuple[CTNL_DIR_REPLY]); break; case CTA_STATUS: @@ -172,14 +169,19 @@ static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg) ct.mark = *(unsigned long *)NFA_DATA(attr); flags |= MARK; break; - case CTA_COUNTERS: - parse_counters(attr, &ct, CTA_COUNTERS-1); + case CTA_COUNTERS_ORIG: + case CTA_COUNTERS_REPLY: + parse_counters(attr, &ct, attr->nfa_type-1); flags |= COUNTERS; break; case CTA_USE: ct.use = *(unsigned int *)NFA_DATA(attr); flags |= USE; break; + case CTA_ID: + ct.id = *(u_int32_t *)NFA_DATA(attr); + flags |= ID; + break; } attr = NFA_NEXT(attr, attrlen); } @@ -227,6 +229,8 @@ static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg) fprintf(stdout, "mark=%lu ", ct.mark); if (flags & USE) fprintf(stdout, "use=%u ", ct.use); + if (flags & ID) + fprintf(stdout, "id=%u ", ct.id); fprintf(stdout, "\n"); @@ -257,19 +261,22 @@ static int event_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, } void parse_expect(struct nfattr *attr, struct ctnl_tuple *tuple, - struct ctnl_tuple *mask, unsigned long *timeout) + struct ctnl_tuple *mask, unsigned long *timeout, + u_int32_t *id) { struct nfattr *tb[CTA_EXPECT_MAX]; memset(tb, 0, CTA_EXPECT_MAX*sizeof(struct nfattr *)); - nfnl_parse_attr(tb, CTA_EXPECT_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr)); + nfnl_parse_nested(tb, CTA_EXPECT_MAX, attr); if (tb[CTA_EXPECT_TUPLE-1]) parse_tuple(tb[CTA_EXPECT_TUPLE-1], tuple); if (tb[CTA_EXPECT_MASK-1]) parse_tuple(tb[CTA_EXPECT_MASK-1], mask); if (tb[CTA_EXPECT_TIMEOUT-1]) *timeout = *(unsigned long *)NFA_DATA(tb[CTA_EXPECT_TIMEOUT-1]); + if (tb[CTA_EXPECT_ID-1]) + *id = *(u_int32_t *)NFA_DATA(tb[CTA_EXPECT_ID-1]); } static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg) @@ -282,6 +289,8 @@ static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void * int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); struct ctnl_tuple tuple, mask; unsigned long timeout = 0; + u_int32_t id = 0; + unsigned int flags; memset(&tuple, 0, sizeof(struct ctnl_tuple)); memset(&mask, 0, sizeof(struct ctnl_tuple)); @@ -294,7 +303,8 @@ static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void * while (NFA_OK(attr, attrlen)) { switch(attr->nfa_type) { case CTA_EXPECT: - parse_expect(attr, &tuple, &mask, &timeout); + parse_expect(attr, &tuple, &mask, &timeout, + &id); break; } attr = NFA_NEXT(attr, attrlen); @@ -305,10 +315,14 @@ static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void * NIPQUAD(tuple.src.v4), NIPQUAD(tuple.dst.v4)); - fprintf(stdout, "src=%u.%u.%u.%u dst=%u.%u.%u.%u\n", + fprintf(stdout, "src=%u.%u.%u.%u dst=%u.%u.%u.%u ", NIPQUAD(mask.src.v4), NIPQUAD(mask.dst.v4)); + fprintf(stdout, "id=0x%x ", id); + + fputc('\n', stdout); + return 0; } |