summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--extensions/libct_proto_icmp.c19
-rw-r--r--extensions/libct_proto_sctp.c9
-rw-r--r--extensions/libct_proto_tcp.c9
-rw-r--r--extensions/libct_proto_udp.c8
-rw-r--r--src/conntrack.c12
-rw-r--r--src/libct.c60
6 files changed, 75 insertions, 42 deletions
diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index 24d3d3f..e0de27e 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -1,5 +1,6 @@
/*
* (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
+ * Harald Welte <laforge@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -68,6 +69,21 @@ int parse(char c, char *argv[],
return 1;
}
+void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple)
+{
+ if (cda[CTA_PROTO_ICMP_TYPE-1])
+ tuple->l4dst.icmp.type =
+ *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_TYPE-1]);
+
+ if (cda[CTA_PROTO_ICMP_CODE-1])
+ tuple->l4dst.icmp.code =
+ *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_CODE-1]);
+
+ if (cda[CTA_PROTO_ICMP_ID-1])
+ tuple->l4src.icmp.id =
+ *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_ID-1]);
+}
+
int final_check(unsigned int flags,
struct ctnl_tuple *orig,
struct ctnl_tuple *reply)
@@ -82,7 +98,7 @@ int final_check(unsigned int flags,
void print_proto(struct ctnl_tuple *t)
{
- fprintf(stdout, "type=%d code=%d id=%d", t->l4dst.icmp.type,
+ fprintf(stdout, "type=%d code=%d id=%d ", t->l4dst.icmp.type,
t->l4dst.icmp.code,
t->l4src.icmp.id);
}
@@ -91,6 +107,7 @@ static struct ctproto_handler icmp = {
.name = "icmp",
.protonum = 1,
.parse_opts = parse,
+ .parse_proto = parse_proto,
.print_proto = print_proto,
.final_check = final_check,
.help = help,
diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c
index 5b50fbc..d5ff298 100644
--- a/extensions/libct_proto_sctp.c
+++ b/extensions/libct_proto_sctp.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <getopt.h>
#include <stdlib.h>
+#include <string.h>
#include <netinet/in.h> /* For htons */
#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>
#include "libct_proto.h"
@@ -138,12 +139,12 @@ int final_check(unsigned int flags,
void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple)
{
- if (cda[CTA_PROTO_SCTP_SRC-1])
+ if (cda[CTA_PROTO_SRC_PORT-1])
tuple->l4src.sctp.port =
- *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SCTP_SRC-1]);
- if (cda[CTA_PROTO_SCTP_DST-1])
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]);
+ if (cda[CTA_PROTO_DST_PORT-1])
tuple->l4dst.sctp.port =
- *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SCTP_DST-1]);
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]);
}
void parse_protoinfo(struct nfattr *cda[], struct ctnl_conntrack *ct)
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index 5fa3652..973c5ab 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <getopt.h>
#include <stdlib.h>
+#include <string.h>
#include <netinet/in.h> /* For htons */
#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>
#include "libct_proto.h"
@@ -160,12 +161,12 @@ int final_check(unsigned int flags,
void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple)
{
- if (cda[CTA_PROTO_TCP_SRC-1])
+ if (cda[CTA_PROTO_SRC_PORT-1])
tuple->l4src.tcp.port =
- *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_TCP_SRC-1]);
- if (cda[CTA_PROTO_TCP_DST-1])
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]);
+ if (cda[CTA_PROTO_DST_PORT-1])
tuple->l4dst.tcp.port =
- *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_TCP_DST-1]);
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]);
}
void parse_protoinfo(struct nfattr *cda[], struct ctnl_conntrack *ct)
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index aa733f0..7821d5b 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -127,12 +127,12 @@ int final_check(unsigned int flags,
void parse_proto(struct nfattr *cda[], struct ctnl_tuple *tuple)
{
- if (cda[CTA_PROTO_UDP_SRC-1])
+ if (cda[CTA_PROTO_SRC_PORT-1])
tuple->l4src.udp.port =
- *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_UDP_SRC-1]);
- if (cda[CTA_PROTO_UDP_DST-1])
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]);
+ if (cda[CTA_PROTO_DST_PORT-1])
tuple->l4dst.udp.port =
- *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_UDP_DST-1]);
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]);
}
void print_proto(struct ctnl_tuple *tuple)
diff --git a/src/conntrack.c b/src/conntrack.c
index a6efd8b..2a8fa87 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -455,7 +455,7 @@ parse_parameter(const char *arg, unsigned int *status, int parse_type)
}
static void
-add_command(int *cmd, const int newcmd, const int othercmds)
+add_command(unsigned int *cmd, const int newcmd, const int othercmds)
{
if (*cmd & (~othercmds))
exit_error(PARAMETER_PROBLEM, "Invalid commands combination\n");
@@ -884,7 +884,7 @@ int main(int argc, char *argv[])
timeout);
else if (options & CT_OPT_REPL)
res = create_expectation(&reply,
- CTA_TUPLE_RPLY,
+ CTA_TUPLE_REPLY,
&exptuple,
&mask,
timeout);
@@ -909,7 +909,7 @@ int main(int argc, char *argv[])
res = delete_conntrack(&orig, CTA_TUPLE_ORIG,
CTNL_DIR_ORIGINAL);
else if (options & CT_OPT_REPL)
- res = delete_conntrack(&reply, CTA_TUPLE_RPLY,
+ res = delete_conntrack(&reply, CTA_TUPLE_REPLY,
CTNL_DIR_REPLY);
break;
@@ -917,21 +917,21 @@ int main(int argc, char *argv[])
if (options & CT_OPT_ORIG)
res = delete_expectation(&orig, CTA_TUPLE_ORIG);
else if (options & CT_OPT_REPL)
- res = delete_expectation(&reply, CTA_TUPLE_RPLY);
+ res = delete_expectation(&reply, CTA_TUPLE_REPLY);
break;
case CT_GET:
if (options & CT_OPT_ORIG)
res = get_conntrack(&orig, CTA_TUPLE_ORIG, id);
else if (options & CT_OPT_REPL)
- res = get_conntrack(&reply, CTA_TUPLE_RPLY, id);
+ res = get_conntrack(&reply, CTA_TUPLE_REPLY, id);
break;
case EXP_GET:
if (options & CT_OPT_ORIG)
res = get_expect(&orig, CTA_TUPLE_ORIG);
else if (options & CT_OPT_REPL)
- res = get_expect(&reply, CTA_TUPLE_RPLY);
+ res = get_expect(&reply, CTA_TUPLE_REPLY);
break;
case CT_FLUSH:
diff --git a/src/libct.c b/src/libct.c
index 94e5b24..245c584 100644
--- a/src/libct.c
+++ b/src/libct.c
@@ -13,11 +13,12 @@
#include <stdlib.h>
#include <signal.h>
#include <errno.h>
+#include <string.h>
/* From kernel.h */
#define INT_MAX ((int)(~0U>>1))
#define INT_MIN (-INT_MAX - 1)
#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
#include "libctnetlink.h"
#include "libnfnetlink.h"
#include "linux_list.h"
@@ -48,7 +49,7 @@ static void parse_ip(struct nfattr *attr, struct ctnl_tuple *tuple)
memset(tb, 0, CTA_IP_MAX * sizeof(struct nfattr *));
- nfnl_parse_attr(tb, CTA_IP_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr));
+ nfnl_parse_nested(tb, CTA_IP_MAX, attr);
if (tb[CTA_IP_V4_SRC-1])
tuple->src.v4 = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_SRC-1]);
@@ -64,7 +65,7 @@ static void parse_proto(struct nfattr *attr, struct ctnl_tuple *tuple)
memset(tb, 0, CTA_PROTO_MAX * sizeof(struct nfattr *));
- nfnl_parse_attr(tb, CTA_IP_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr));
+ nfnl_parse_nested(tb, CTA_IP_MAX, attr);
if (tb[CTA_PROTO_NUM-1])
tuple->protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
@@ -79,7 +80,7 @@ static void parse_tuple(struct nfattr *attr, struct ctnl_tuple *tuple)
memset(tb, 0, CTA_TUPLE_MAX*sizeof(struct nfattr *));
- nfnl_parse_attr(tb, CTA_TUPLE_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr));
+ nfnl_parse_nested(tb, CTA_TUPLE_MAX, attr);
if (tb[CTA_TUPLE_IP-1])
parse_ip(tb[CTA_TUPLE_IP-1], tuple);
if (tb[CTA_TUPLE_PROTO-1])
@@ -93,7 +94,7 @@ static void parse_protoinfo(struct nfattr *attr, struct ctnl_conntrack *ct)
memset(tb, 0, CTA_PROTOINFO_MAX*sizeof(struct nfattr *));
- nfnl_parse_attr(tb,CTA_PROTOINFO_MAX,NFA_DATA(attr), NFA_PAYLOAD(attr));
+ nfnl_parse_nested(tb,CTA_PROTOINFO_MAX, attr);
h = findproto(proto2str[ct->tuple[CTNL_DIR_ORIGINAL].protonum]);
if (h && h->parse_protoinfo)
@@ -107,27 +108,23 @@ static void parse_counters(struct nfattr *attr, struct ctnl_conntrack *ct,
memset(tb, 0, CTA_COUNTERS_MAX*sizeof(struct nfattr *));
- nfnl_parse_attr(tb, CTA_COUNTERS_MAX, NFA_DATA(attr),NFA_PAYLOAD(attr));
- if (tb[CTA_COUNTERS_PACKETS_ORIG-1])
+ nfnl_parse_nested(tb, CTA_COUNTERS_MAX, attr);
+ if (tb[CTA_COUNTERS_PACKETS-1])
ct->counters[CTNL_DIR_ORIGINAL].packets
- = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_PACKETS_ORIG-1]);
- if (tb[CTA_COUNTERS_BYTES_ORIG-1])
+ = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_PACKETS-1]);
+ if (tb[CTA_COUNTERS_BYTES-1])
ct->counters[CTNL_DIR_ORIGINAL].bytes
- = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_BYTES_ORIG-1]);
- if (tb[CTA_COUNTERS_PACKETS_RPLY-1])
- ct->counters[CTNL_DIR_REPLY].packets
- = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_PACKETS_RPLY-1]);
- if (tb[CTA_COUNTERS_BYTES_RPLY-1])
- ct->counters[CTNL_DIR_REPLY].bytes
- = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_BYTES_RPLY-1]);
+ = *(u_int64_t *)NFA_DATA(tb[CTA_COUNTERS_BYTES-1]);
}
+/* Some people seem to like counting in decimal... */
#define STATUS 1
#define PROTOINFO 2
#define TIMEOUT 4
#define MARK 8
#define COUNTERS 16
#define USE 32
+#define ID 64
static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg)
{
@@ -153,7 +150,7 @@ static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg)
case CTA_TUPLE_ORIG:
parse_tuple(attr, &ct.tuple[CTNL_DIR_ORIGINAL]);
break;
- case CTA_TUPLE_RPLY:
+ case CTA_TUPLE_REPLY:
parse_tuple(attr, &ct.tuple[CTNL_DIR_REPLY]);
break;
case CTA_STATUS:
@@ -172,14 +169,19 @@ static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg)
ct.mark = *(unsigned long *)NFA_DATA(attr);
flags |= MARK;
break;
- case CTA_COUNTERS:
- parse_counters(attr, &ct, CTA_COUNTERS-1);
+ case CTA_COUNTERS_ORIG:
+ case CTA_COUNTERS_REPLY:
+ parse_counters(attr, &ct, attr->nfa_type-1);
flags |= COUNTERS;
break;
case CTA_USE:
ct.use = *(unsigned int *)NFA_DATA(attr);
flags |= USE;
break;
+ case CTA_ID:
+ ct.id = *(u_int32_t *)NFA_DATA(attr);
+ flags |= ID;
+ break;
}
attr = NFA_NEXT(attr, attrlen);
}
@@ -227,6 +229,8 @@ static int handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg)
fprintf(stdout, "mark=%lu ", ct.mark);
if (flags & USE)
fprintf(stdout, "use=%u ", ct.use);
+ if (flags & ID)
+ fprintf(stdout, "id=%u ", ct.id);
fprintf(stdout, "\n");
@@ -257,19 +261,22 @@ static int event_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh,
}
void parse_expect(struct nfattr *attr, struct ctnl_tuple *tuple,
- struct ctnl_tuple *mask, unsigned long *timeout)
+ struct ctnl_tuple *mask, unsigned long *timeout,
+ u_int32_t *id)
{
struct nfattr *tb[CTA_EXPECT_MAX];
memset(tb, 0, CTA_EXPECT_MAX*sizeof(struct nfattr *));
- nfnl_parse_attr(tb, CTA_EXPECT_MAX, NFA_DATA(attr), NFA_PAYLOAD(attr));
+ nfnl_parse_nested(tb, CTA_EXPECT_MAX, attr);
if (tb[CTA_EXPECT_TUPLE-1])
parse_tuple(tb[CTA_EXPECT_TUPLE-1], tuple);
if (tb[CTA_EXPECT_MASK-1])
parse_tuple(tb[CTA_EXPECT_MASK-1], mask);
if (tb[CTA_EXPECT_TIMEOUT-1])
*timeout = *(unsigned long *)NFA_DATA(tb[CTA_EXPECT_TIMEOUT-1]);
+ if (tb[CTA_EXPECT_ID-1])
+ *id = *(u_int32_t *)NFA_DATA(tb[CTA_EXPECT_ID-1]);
}
static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *arg)
@@ -282,6 +289,8 @@ static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *
int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
struct ctnl_tuple tuple, mask;
unsigned long timeout = 0;
+ u_int32_t id = 0;
+ unsigned int flags;
memset(&tuple, 0, sizeof(struct ctnl_tuple));
memset(&mask, 0, sizeof(struct ctnl_tuple));
@@ -294,7 +303,8 @@ static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *
while (NFA_OK(attr, attrlen)) {
switch(attr->nfa_type) {
case CTA_EXPECT:
- parse_expect(attr, &tuple, &mask, &timeout);
+ parse_expect(attr, &tuple, &mask, &timeout,
+ &id);
break;
}
attr = NFA_NEXT(attr, attrlen);
@@ -305,10 +315,14 @@ static int expect_handler(struct sockaddr_nl *sock, struct nlmsghdr *nlh, void *
NIPQUAD(tuple.src.v4),
NIPQUAD(tuple.dst.v4));
- fprintf(stdout, "src=%u.%u.%u.%u dst=%u.%u.%u.%u\n",
+ fprintf(stdout, "src=%u.%u.%u.%u dst=%u.%u.%u.%u ",
NIPQUAD(mask.src.v4),
NIPQUAD(mask.dst.v4));
+ fprintf(stdout, "id=0x%x ", id);
+
+ fputc('\n', stdout);
+
return 0;
}