-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | TODO | 13 | ||||
-rw-r--r-- | extensions/libct_proto_tcp.c | 14 | ||||
-rw-r--r-- | extensions/libct_proto_udp.c | 14 | ||||
-rw-r--r-- | src/conntrack.c | 37 | ||||
-rw-r--r-- | src/libct.c | 105 | ||||
-rw-r--r-- | test.sh | 8 |
7 files changed, 121 insertions, 80 deletions
@@ -21,3 +21,13 @@ <azez@ufomechanic.net>
o Autoconf stuff for conntrack + some pablo's modifications.
o Fixed packet counters formatting (use %llu instead of %lu)
+
+2005-05-16
+<pablo@eurodev.net>
+ o Implemented ICMP proto helper
+ o Added help() and final_check() functions for proto helpers.
+
+2005-05-17
+<pablo@eurodev.net>
+ o Added descriptive error messages.
+ o Fix wrong flags check in [tcp|udp] proto helpers.
@@ -1,12 +1,15 @@ +X = done +N = forget it + user space tool --------------- [X] Proper Makefiles [X] Modify Event Display (-E conntrack). Extensions: -[ ] ICMP library +[X] ICMP library [X] finish TCP: protocol specific stuff: --state, etc... -[ ] finish UDP, TCP, ICMP: help +[X] finish UDP, TCP, ICMP: help nfnetlink_conntrack: --------------------
@@ -15,11 +18,11 @@ Now: [X] Error handling (nlerrmsg) [X] Use id's to identify conntracks [ ] Split NEW and CHANGE -[ ] Split DUMP and GET -[ ] Kill Change API. Move locks to ip_conntrack_[protocol|helper]. +[N] Split DUMP and GET +[N] Kill Change API. Move locks to ip_conntrack_[protocol|helper]. [X] implement conntrack FLUSH Later: -[ ] convert CTA_SOMETHING-1 to CTA_SOMETHING, annoying! +[N] convert CTA_SOMETHING-1 to CTA_SOMETHING, annoying! [ ] NAT handlings [ ] Expectations
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index a2243dc..4cddf53 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -115,16 +115,12 @@ int parse(char c, char *argv[],
int final_check(unsigned int flags)
{
- if (!(flags & ORIG_SPORT))
- return 0;
- else if (!(flags & ORIG_DPORT))
- return 0;
- else if (!(flags & REPL_SPORT))
- return 0;
- else if (!(flags & REPL_DPORT))
- return 0;
+ if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT))
+ return 1;
+ else if ((flags & REPL_SPORT) && (flags & REPL_DPORT))
+ return 1;
- return 1;
+ return 0;
}
void print_tuple(struct ip_conntrack_tuple *t)
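Review bot: final_check in libct_proto_tcp.c now accepts a flag set in which one direction is fully specified while the other has only one of its two ports set (e.g. ORIG_SPORT, ORIG_DPORT and REPL_SPORT without REPL_DPORT), because the first branch returns 1 before the reply side is examined; whether that is intended depends on how the missing port is defaulted by the caller, which is not visible here, so the contract deserves a comment such as `/* Returns 1 when at least one direction has both ports set; a half-specified other direction is not rejected. */`. The `else` after `return 1;` is redundant, and the two branches collapse to `return ((flags & ORIG_SPORT) && (flags & ORIG_DPORT)) || ((flags & REPL_SPORT) && (flags & REPL_DPORT));`. The same applies to the identical final_check in libct_proto_udp.c in the next hunk.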
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index 8e20bd5..0088cc5 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -82,16 +82,12 @@ int parse(char c, char *argv[],
int final_check(unsigned int flags)
{
- if (!(flags & ORIG_SPORT))
- return 0;
- else if (!(flags & ORIG_DPORT))
- return 0;
- else if (!(flags & REPL_SPORT))
- return 0;
- else if (!(flags & REPL_DPORT))
- return 0;
+ if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT))
+ return 1;
+ else if ((flags & REPL_SPORT) && (flags & REPL_DPORT))
+ return 1;
- return 1;
+ return 0;
}
void print_tuple(struct ip_conntrack_tuple *t)
diff --git a/src/conntrack.c b/src/conntrack.c
index 676049e..11a6b54 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -38,6 +38,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <string.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include "libctnetlink.h"
@@ -46,7 +47,7 @@
#include "libct_proto.h"
#define PROGNAME "conntrack"
-#define VERSION "0.60"
+#define VERSION "0.62"
#if 0
#define DEBUGP printf
@@ -299,6 +300,36 @@ merge_options(struct option *oldopts, const struct option *newopts,
return merge;
}
+/* From linux/errno.h */
+#define ENOTSUPP 524 /* Operation is not supported */
+
+/* Translates errno numbers into more human-readable form than strerror. */
+const char *
+err2str(int err, enum action command)
+{
+ unsigned int i;
+ struct table_struct {
+ enum action act;
+ int err;
+ const char *message;
+ } table [] =
+ { { CT_LIST, -ENOTSUPP, "function not implemented" },
+ { 0xFFFF, -EINVAL, "invalid parameters" },
+ { CT_CREATE|CT_GET|CT_DELETE, -ENOENT,
+ "such conntrack doesn't exist" },
+ { CT_CREATE|CT_GET, -ENOMEM, "not enough memory" },
+ { CT_GET, -EAFNOSUPPORT, "protocol not supported" },
+ { CT_CREATE, -ETIME, "conntrack has expired" },
+ };
+
+ for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
+ if ((table[i].act & command) && table[i].err == err)
+ return table[i].message;
+ }
+
+ return strerror(err);
+}
+
static void dump_tuple(struct ip_conntrack_tuple *tp)
{
fprintf(stdout, "tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n",
@@ -732,6 +763,6 @@ int main(int argc, char *argv[])
global_option_offset = 0;
}
- if (res == -1)
- fprintf(stderr, "Operation failed\n");
+ if (res < 0)
+ fprintf(stderr, "Operation failed: %s\n", err2str(res, command));
}
diff --git a/src/libct.c b/src/libct.c
index cb0fabb..b40b818 100644
--- a/src/libct.c
+++ b/src/libct.c
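Review bot: The fallback `return strerror(err);` at the end of err2str hands strerror a negative number, because every code that reaches it is a negated errno (the table entries are `-ENOTSUPP`, `-EINVAL`, `-ENOENT`, … and main only calls err2str when `res < 0`), so any value not in the table prints glibc's "Unknown error -N" instead of the real description; it should be `return strerror(-err);`. The table lookup itself relies on `enum action` being a bit mask (`CT_CREATE|CT_GET|CT_DELETE`, and `0xFFFF` as the any-command row), which is not visible in this hunk; a one-line comment above the table, `/* act is a mask of enum action bits; 0xFFFF matches every command */`, would save the next reader a trip to the header. err2str is also a new non-static function with no prototype in this diff, so confirm it is declared where main can see it or mark it `static`.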
@@ -216,18 +216,19 @@ int create_conntrack(struct ip_conntrack_tuple *orig,
struct cta_proto cta;
struct nfattr *cda[CTA_MAX];
struct ctnl_handle cth;
+ int ret;
cta.num_proto = orig->dst.protonum;
memcpy(&cta.proto, proto, sizeof(*proto));
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- /* FIXME: please unify returns values... */
- if (ctnl_new_conntrack(&cth, orig, reply, timeout, &cta, status) < 0)
- return -1;
+ if ((ret = ctnl_new_conntrack(&cth, orig, reply, timeout, &cta,
+ status)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -237,16 +238,16 @@ int delete_conntrack(struct ip_conntrack_tuple *tuple,
{
struct nfattr *cda[CTA_MAX];
struct ctnl_handle cth;
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- /* FIXME: please unify returns values... */
- if (ctnl_del_conntrack(&cth, tuple, t) < 0)
- return -1;
+ if ((ret = ctnl_del_conntrack(&cth, tuple, t)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -262,18 +263,19 @@ int get_conntrack(struct ip_conntrack_tuple *tuple,
.type = 0,
.handler = handler
};
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
ctnl_register_handler(&cth, &h);
/* FIXME!!!! get_conntrack_handler returns -100 */
- if (ctnl_get_conntrack(&cth, tuple, t) != -100)
- return -1;
+ if ((ret = ctnl_get_conntrack(&cth, tuple, t)) != -100)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -287,8 +289,8 @@ int dump_conntrack_table(int zero)
.handler = handler
};
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
ctnl_register_handler(&cth, &h);
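Review bot: Every early `return ret;` that follows a successful `ctnl_open(&cth, …)` in create_conntrack, delete_conntrack and get_conntrack leaves `cth` open: the commit changes the value returned but keeps the pre-existing shape, so a failure in `ctnl_new_conntrack()`, `ctnl_del_conntrack()` or `ctnl_get_conntrack()` still returns without `ctnl_close(&cth)` and leaks whatever the handle holds (presumably a netlink socket). The same pattern recurs in the dump_conntrack_table, event_conntrack, dump_expect_list, set_mask and flush_conntrack hunks that follow; closing the handle on the failure path before returning, as sketched below for create_conntrack, fixes all of them with the same shape. Separately, in get_conntrack the new `if ((ret = ctnl_get_conntrack(&cth, tuple, t)) != -100) return ret;` can now hand main a non-negative value, which main's `res < 0` test treats as success, whereas the old code returned -1 for anything other than -100; if the handler can legitimately return 0 there, that path has silently changed meaning and deserves a look.
```c
	/* … unchanged: ctnl_open() check … */

	ret = ctnl_new_conntrack(&cth, orig, reply, timeout, &cta, status);
	if (ret < 0) {
		/* report the original error, not whatever ctnl_close() returns */
		ctnl_close(&cth);
		return ret;
	}

	/* … unchanged: final ctnl_close() check and return 0 … */
```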
@@ -298,10 +300,10 @@ int dump_conntrack_table(int zero)
ret = ctnl_list_conntrack(&cth, AF_INET);
if (ret != -100)
- return -1;
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -317,17 +319,18 @@ int event_conntrack(unsigned int event_mask)
.type = 2, /* destroy */
.handler = event_handler
};
+ int ret;
- if (ctnl_open(&cth, event_mask) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, event_mask)) < 0)
+ return ret;
ctnl_register_handler(&cth, &hnew);
ctnl_register_handler(&cth, &hdestroy);
- if (ctnl_event_conntrack(&cth, AF_INET) < 0)
- return -1;
+ if ((ret = ctnl_event_conntrack(&cth, AF_INET)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -383,17 +386,18 @@ int dump_expect_list()
.type = 0, /* Hm... really? */
.handler = expect_handler
};
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
ctnl_register_handler(&cth, &h);
- if (ctnl_list_expect(&cth, AF_INET) != -100)
- return -1;
+ if ((ret = ctnl_list_expect(&cth, AF_INET)) != -100)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -402,6 +406,7 @@ int set_mask(unsigned int mask, int type)
{
struct ctnl_handle cth;
enum ctattr_type_t cta_type;
+ int ret;
switch(type) {
case 0:
@@ -411,17 +416,18 @@ int set_mask(unsigned int mask, int type)
cta_type = CTA_EVENTMASK;
break;
default:
+ /* Shouldn't happen */
return -1;
}
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- if (ctnl_set_mask(&cth, mask, cta_type) < 0)
- return -1;
+ if ((ret = ctnl_set_mask(&cth, mask, cta_type)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
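Review bot: The `return -1;` in set_mask's default branch, now annotated `/* Shouldn't happen */`, is no longer a plain failure flag: with this commit main passes every negative result to err2str, which interprets it as a negated errno, so an unexpected `type` is reported as `-EPERM` ("Operation not permitted" once the strerror sign is fixed, "Unknown error -1" as written) — assuming `res` in main carries set_mask's return, which this diff does not show. Returning `-EINVAL` matches the cause and hits the table's all-commands "invalid parameters" row: `return -EINVAL;`. A comment on why the value matters would help the next reader, e.g. `/* negative errno: main reports it through err2str() */`.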
@@ -429,15 +435,16 @@ int set_mask(unsigned int mask, int type)
int flush_conntrack()
{
struct ctnl_handle cth;
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- if (ctnl_flush_conntrack(&cth) < 0)
- return -1;
+ if ((ret = ctnl_flush_conntrack(&cth)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -44,13 +44,11 @@ case $1 in --reply-src $DST --reply-dst $SRC -p tcp \ --orig-port-src $SPORT --orig-port-dst $DPORT \ --reply-port-src $DPORT --reply-port-dst $SPORT \ - --state TIME_WAIT -u ASSURED -t 500 + --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500 ;; delete) - # 66.111.58.52 dst=85.136.125.64 sport=22 dport=60239 - $CONNTRACK -D conntrack --orig-src 66.111.58.1 \ - --orig-dst 85.136.125.64 -p tcp --orig-port-src 22 \ - --orig-port-dst 60239 + $CONNTRACK -D --orig-src $SRC --orig-dst $DST \ + -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT ;; output) proc=$(cat /proc/net/ip_conntrack | wc -l) |