diff options
-rw-r--r-- | ChangeLog | 20 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | src/conntrack.c | 289 |
3 files changed, 233 insertions, 78 deletions
@@ -1,20 +1,24 @@ version 0.9.7 (yet unreleased) ------------------------------ -Pablo Neira Ayuso <pablo@netfilter.org>: o remove .svn directory from make distcheck tarballs (reported by B.Benjamini) o fix minor compilation issue in amd64 with gcc4.3 (reported by Daniel Schepler) -o fix asymmetric path support (reported by Gary Richards) -o improve netlink overrun handling o update manpages with the new URL: http://conntrack-tools.netfilter.org + += conntrack = +o fix minor compilation warning (Krzysztof Oledzki) +o add ICMPv6 (-p icmpv6) support (Krzysztof Oledzki) +o distinguish between invalid (unknown) and empty proto (Krzysztof Oledzki) o simplify parameter-handling code -o check for missing source/address IP/ports +o check for missing source/address IP/ports in creation and get operations +o way more flexible conntrack updates and deletions +o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki) +o show display counters to stderr o minor cleanups -Krzysztof Oledzki <ole@ans.pl>: -o fix minor compilation warning -o add ICMPv6 (-p icmpv6) support -o add possibility to distinguish between invalid (unknown) and empty proto += conntrackd = +o fix asymmetric path support (reported by Gary Richards) +o improve netlink overrun handling version 0.9.6 (2008/03/08) ------------------------------ diff --git a/configure.in b/configure.in index a98a324..92a0389 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ esac dnl Dependencies LIBNFNETLINK_REQUIRED=0.0.32 -LIBNETFILTER_CONNTRACK_REQUIRED=0.0.89 +LIBNETFILTER_CONNTRACK_REQUIRED=0.0.91 PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED,, AC_MSG_ERROR(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED)) diff --git a/src/conntrack.c b/src/conntrack.c index 4fa5c9a..f4dfec7 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -1,5 +1,5 @@ /* - * (C) 2005-2007 by Pablo Neira Ayuso <pablo@netfilter.org> + * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,7 +31,8 @@ * Remove remaints of "-A" * 2007-04-22 Pablo Neira Ayuso <pablo@netfilter.org>: * Ported to the new libnetfilter_conntrack API - * + * 2008-04-13 Pablo Neira Ayuso <pablo@netfilter.org>: + * Way more flexible update and delete operations */ #include "conntrack.h" @@ -103,7 +104,7 @@ static struct option original_opts[] = { #define OPTION_OFFSET 256 -static struct nfct_handle *cth; +static struct nfct_handle *cth, *ith; static struct option *opts = original_opts; static unsigned int global_option_offset = 0; @@ -122,8 +123,8 @@ static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = /* s d r q p t u z e [ ] { } a m i f n g o c */ /*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,2,2,2,2}, /*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0,2}, -/*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0,0,0,0,2}, -/*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0}, +/*CT_UPDATE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,2}, +/*CT_DELETE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,2}, /*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0}, /*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}, /*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2,2}, @@ -499,14 +500,6 @@ nat_parse(char *arg, int portok, struct nf_conntrack *obj, int type) nfct_set_attr_u32(obj, ATTR_DNAT_IPV4, parse.v4); } -static void __attribute__((noreturn)) -event_sighandler(int s) -{ - fprintf(stdout, "Now closing conntrack event dumping...\n"); - nfct_close(cth); - exit(0); -} - static const char usage_commands[] = "Commands:\n" " -L [table] [options]\t\tList conntrack or expectation table\n" @@ -566,82 +559,207 @@ usage(char *prog) static unsigned int output_mask; +static int ignore_nat(const struct nf_conntrack *obj, + const struct nf_conntrack *ct) +{ + uint32_t ip; + + if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) { + if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) && + !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) + return 1; + + if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) { + ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4); + if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST)) + return 1; + } + + if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) { + ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4); + if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC)) + return 1; + } + } else if (options & CT_OPT_SRC_NAT) { + if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) + return 1; + + if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) { + ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4); + if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST)) + return 1; + } + } else if (options & CT_OPT_DST_NAT) { + if (!nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) + return 1; + + if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) { + ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4); + if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC)) + return 1; + } + } + + return 0; +} + +static int events_counter; + +static void __attribute__((noreturn)) +event_sighandler(int s) +{ + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr, "%d flow events has been shown.\n", events_counter); + nfct_close(cth); + exit(0); +} + static int event_cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { char buf[1024]; struct nf_conntrack *obj = data; - unsigned int output_type = NFCT_O_DEFAULT; - unsigned int output_flags = 0; + unsigned int op_type = NFCT_O_DEFAULT; + unsigned int op_flags = 0; - if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) { - if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) && - !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) - return NFCT_CB_CONTINUE; - } else if (options & CT_OPT_SRC_NAT && - !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) { - return NFCT_CB_CONTINUE; - } else if (options & CT_OPT_DST_NAT && - !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) { + if (ignore_nat(obj, ct)) return NFCT_CB_CONTINUE; - } - if (options & CT_COMPARISON && !nfct_compare(obj, ct)) + if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL)) return NFCT_CB_CONTINUE; if (output_mask & _O_XML) - output_type = NFCT_O_XML; + op_type = NFCT_O_XML; if (output_mask & _O_EXT) - output_flags = NFCT_OF_SHOW_LAYER3; + op_flags = NFCT_OF_SHOW_LAYER3; if (output_mask & _O_TMS) { if (!(output_mask & _O_XML)) { struct timeval tv; gettimeofday(&tv, NULL); printf("[%-8ld.%-6ld]\t", tv.tv_sec, tv.tv_usec); } else - output_flags |= NFCT_OF_TIME; + op_flags |= NFCT_OF_TIME; } - nfct_snprintf(buf, 1024, ct, type, output_type, output_flags); + nfct_snprintf(buf, 1024, ct, type, op_type, op_flags); printf("%s\n", buf); fflush(stdout); + events_counter++; + return NFCT_CB_CONTINUE; } +static int list_counter; + static int dump_cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { char buf[1024]; struct nf_conntrack *obj = data; - unsigned int output_type = NFCT_O_DEFAULT; - unsigned int output_flags = 0; + unsigned int op_type = NFCT_O_DEFAULT; + unsigned int op_flags = 0; - if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) { - if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) && - !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) - return NFCT_CB_CONTINUE; - } else if (options & CT_OPT_SRC_NAT && - !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) { - return NFCT_CB_CONTINUE; - } else if (options & CT_OPT_DST_NAT && - !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) { + if (ignore_nat(obj, ct)) return NFCT_CB_CONTINUE; - } - if (options & CT_COMPARISON && !nfct_compare(obj, ct)) + if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL)) return NFCT_CB_CONTINUE; if (output_mask & _O_XML) - output_type = NFCT_O_XML; + op_type = NFCT_O_XML; if (output_mask & _O_EXT) - output_flags = NFCT_OF_SHOW_LAYER3; + op_flags = NFCT_OF_SHOW_LAYER3; - nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, output_type, output_flags); + nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, op_type, op_flags); printf("%s\n", buf); + list_counter++; + + return NFCT_CB_CONTINUE; +} + +static int delete_counter; + +static int delete_cb(enum nf_conntrack_msg_type type, + struct nf_conntrack *ct, + void *data) +{ + int res; + char buf[1024]; + struct nf_conntrack *obj = data; + unsigned int op_type = NFCT_O_DEFAULT; + unsigned int op_flags = 0; + + if (ignore_nat(obj, ct)) + return NFCT_CB_CONTINUE; + + if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL)) + return NFCT_CB_CONTINUE; + + res = nfct_query(ith, NFCT_Q_DESTROY, ct); + if (res < 0) + exit_error(OTHER_PROBLEM, + "Operation failed: %s", + err2str(errno, CT_DELETE)); + + if (output_mask & _O_XML) + op_type = NFCT_O_XML; + if (output_mask & _O_EXT) + op_flags = NFCT_OF_SHOW_LAYER3; + + nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, op_type, op_flags); + printf("%s\n", buf); + + delete_counter++; + + return NFCT_CB_CONTINUE; +} + +static int update_counter; + +static int update_cb(enum nf_conntrack_msg_type type, + struct nf_conntrack *ct, + void *data) +{ + int res; + char buf[1024]; + struct nf_conntrack *obj = data; + char __tmp[nfct_maxsize()]; + struct nf_conntrack *tmp = (struct nf_conntrack *) (void *)__tmp; + unsigned int op_type = NFCT_O_DEFAULT; + unsigned int op_flags = 0; + + memcpy(tmp, obj, sizeof(__tmp)); + + if (ignore_nat(tmp, ct)) + return NFCT_CB_CONTINUE; + + if (options & CT_OPT_ORIG && !nfct_cmp(tmp, ct, NFCT_CMP_ORIG)) + return NFCT_CB_CONTINUE; + if (options & CT_OPT_REPL && !nfct_cmp(tmp, ct, NFCT_CMP_REPL)) + return NFCT_CB_CONTINUE; + + nfct_copy(tmp, ct, NFCT_CP_ORIG); + + res = nfct_query(ith, NFCT_Q_UPDATE, tmp); + if (res < 0) + exit_error(OTHER_PROBLEM, + "Operation failed: %s", + err2str(errno, CT_UPDATE)); + + if (output_mask & _O_XML) + op_type = NFCT_O_XML; + if (output_mask & _O_EXT) + op_flags = NFCT_OF_SHOW_LAYER3; + + nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, op_type, op_flags); + printf("%s\n", buf); + + update_counter++; + return NFCT_CB_CONTINUE; } @@ -665,6 +783,7 @@ static const int cmd2type[][2] = { ['D'] = { CT_DELETE, EXP_DELETE }, ['G'] = { CT_GET, EXP_GET }, ['F'] = { CT_FLUSH, EXP_FLUSH }, + ['E'] = { CT_EVENT, EXP_EVENT }, ['V'] = { CT_VERSION, CT_VERSION }, ['h'] = { CT_HELP, CT_HELP }, }; @@ -714,7 +833,8 @@ int main(int argc, char *argv[]) char __exptuple[nfct_maxsize()]; char __mask[nfct_maxsize()]; struct nf_conntrack *obj = (struct nf_conntrack *)(void*) __obj; - struct nf_conntrack *exptuple = (struct nf_conntrack *)(void*) __exptuple; + struct nf_conntrack *exptuple = + (struct nf_conntrack *)(void*) __exptuple; struct nf_conntrack *mask = (struct nf_conntrack *)(void*) __mask; char __exp[nfexp_maxsize()]; struct nf_expect *exp = (struct nf_expect *)(void*) __exp; @@ -869,15 +989,24 @@ int main(int argc, char *argv[]) options |= CT_OPT_ZERO; break; case 'n': - case 'g': - if (!optarg) - exit_error(PARAMETER_PROBLEM, - "-%c requires an IP", c); + case 'g': { + char *tmp = NULL; options |= opt2type[c]; + + if (optarg) + continue; + else if (optind < argc && argv[optind][0] != '-' + && argv[optind][0] != '!') + tmp = argv[optind++]; + + if (tmp == NULL) + continue; + set_family(&family, AF_INET); - nat_parse(optarg, 1, obj, opt2type[c]); + nat_parse(tmp, 1, obj, opt2type[c]); break; + } case 'm': case 'c': options |= opt2type[c]; @@ -930,7 +1059,7 @@ int main(int argc, char *argv[]) commands_v_options[cmd], optflags); - if (command & (CT_CREATE|CT_UPDATE|CT_DELETE|CT_GET) && + if (command & (CT_CREATE|CT_GET) && !((options & CT_OPT_ORIG_SRC && options & CT_OPT_ORIG_DST) || (options & CT_OPT_REPL_SRC && options & CT_OPT_REPL_DST))) exit_error(PARAMETER_PROBLEM, "missing IP address"); @@ -958,6 +1087,10 @@ int main(int argc, char *argv[]) res = nfct_query(cth, NFCT_Q_DUMP, &family); nfct_close(cth); + + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr, "%d flow entries has been shown.\n", + list_counter); break; case EXP_LIST: @@ -982,6 +1115,9 @@ int main(int argc, char *argv[]) res = nfct_query(cth, NFCT_Q_CREATE, obj); nfct_close(cth); + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr, "%d flow entry has been created.\n", + res == -1 ? 0 : 1); break; case EXP_CREATE: @@ -998,29 +1134,38 @@ int main(int argc, char *argv[]) break; case CT_UPDATE: - if ((options & CT_OPT_ORIG) && !(options & CT_OPT_REPL)) - nfct_setobjopt(obj, NFCT_SOPT_SETUP_REPLY); - else if (!(options & CT_OPT_ORIG) && (options & CT_OPT_REPL)) - nfct_setobjopt(obj, NFCT_SOPT_SETUP_ORIGINAL); - cth = nfct_open(CONNTRACK, 0); - if (!cth) + /* internal handler for delete_cb, otherwise we hit EILSEQ */ + ith = nfct_open(CONNTRACK, 0); + if (!cth || !ith) exit_error(OTHER_PROBLEM, "Can't open handler"); - res = nfct_query(cth, NFCT_Q_UPDATE, obj); + nfct_callback_register(cth, NFCT_T_ALL, update_cb, obj); + + res = nfct_query(cth, NFCT_Q_DUMP, &family); + nfct_close(ith); nfct_close(cth); + + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr, "%d flow entries has been updated.\n", + update_counter); break; case CT_DELETE: - if (!(options & CT_OPT_ORIG) && !(options & CT_OPT_REPL)) - exit_error(PARAMETER_PROBLEM, "Can't kill conntracks " - "just by its ID"); cth = nfct_open(CONNTRACK, 0); - if (!cth) + ith = nfct_open(CONNTRACK, 0); + if (!cth || !ith) exit_error(OTHER_PROBLEM, "Can't open handler"); - res = nfct_query(cth, NFCT_Q_DESTROY, obj); + nfct_callback_register(cth, NFCT_T_ALL, delete_cb, obj); + + res = nfct_query(cth, NFCT_Q_DUMP, &family); + nfct_close(ith); nfct_close(cth); + + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr, "%d flow entries has been deleted.\n", + delete_counter); break; case EXP_DELETE: @@ -1042,6 +1187,9 @@ int main(int argc, char *argv[]) nfct_callback_register(cth, NFCT_T_ALL, dump_cb, obj); res = nfct_query(cth, NFCT_Q_GET, obj); nfct_close(cth); + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr, "%d flow entry has been shown.\n", + res == -1 ? 0 : 1); break; case EXP_GET: @@ -1062,6 +1210,8 @@ int main(int argc, char *argv[]) exit_error(OTHER_PROBLEM, "Can't open handler"); res = nfct_query(cth, NFCT_Q_FLUSH, &family); nfct_close(cth); + fprintf(stderr, "%s v%s: ", PROGNAME, VERSION); + fprintf(stderr,"connection tracking table has been emptied.\n"); break; case EXP_FLUSH: @@ -1081,6 +1231,7 @@ int main(int argc, char *argv[]) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); signal(SIGINT, event_sighandler); + signal(SIGTERM, event_sighandler); nfct_callback_register(cth, NFCT_T_ALL, event_cb, obj); res = nfct_catch(cth); nfct_close(cth); @@ -1091,6 +1242,7 @@ int main(int argc, char *argv[]) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); signal(SIGINT, event_sighandler); + signal(SIGTERM, event_sighandler); nfexp_callback_register(cth, NFCT_T_ALL, dump_exp_cb, NULL); res = nfexp_catch(cth); nfct_close(cth); @@ -1115,10 +1267,9 @@ int main(int argc, char *argv[]) global_option_offset = 0; } - if (res < 0) { - fprintf(stderr, "Operation failed: %s\n", err2str(errno, command)); - exit(OTHER_PROBLEM); - } + if (res < 0) + exit_error(OTHER_PROBLEM, "Operation failed: %s", + err2str(errno, command)); return 0; } |