summaryrefslogtreecommitdiff
path: root/src/netlink.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/netlink.c')
-rw-r--r--src/netlink.c166
1 files changed, 32 insertions, 134 deletions
diff --git a/src/netlink.c b/src/netlink.c
index b8a2a02..81ac7a1 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -18,103 +18,27 @@
#include "netlink.h"
#include "conntrackd.h"
-#include "traffic_stats.h"
#include "filter.h"
#include "log.h"
#include "debug.h"
#include <string.h>
#include <errno.h>
-
-static int sanity_check(struct nf_conntrack *ct)
-{
- if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
- dlog(LOG_ERR, "missing layer 3 protocol");
- return 0;
- }
-
- switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
- case AF_INET:
- if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
- dlog(LOG_ERR, "missing IPv4 address. "
- "You forgot to load "
- "nf_conntrack_ipv4?");
- return 0;
- }
- break;
- case AF_INET6:
- if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
- dlog(LOG_ERR, "missing IPv6 address. "
- "You forgot to load "
- "nf_conntrack_ipv6?");
- return 0;
- }
- break;
- }
- return 1;
-}
-
-/* we do user-space filtering for dump and resyncs */
-int ignore_conntrack(struct nf_conntrack *ct, int userspace)
-{
- /* missing mandatory attributes in object */
- if (!sanity_check(ct))
- return 1;
-
- if (userspace && !ct_filter_check(STATE(us_filter), ct)) {
- debug_ct(ct, "ignore traffic");
- return 1;
- }
-
- return 0;
-}
-
-static int event_handler(enum nf_conntrack_msg_type type,
- struct nf_conntrack *ct,
- void *data)
-{
- /* skip user-space filtering if already do it in the kernel */
- if (ignore_conntrack(ct, !CONFIG(filter_from_kernelspace)))
- return NFCT_CB_STOP;
-
- switch(type) {
- case NFCT_T_NEW:
- STATE(mode)->event_new(ct);
- break;
- case NFCT_T_UPDATE:
- STATE(mode)->event_upd(ct);
- break;
- case NFCT_T_DESTROY:
- if (STATE(mode)->event_dst(ct))
- update_traffic_stats(ct);
- break;
- default:
- dlog(LOG_WARNING, "unknown msg from ctnetlink\n");
- break;
- }
-
- return NFCT_CB_CONTINUE;
-}
-
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/fcntl.h>
-int nl_init_event_handler(void)
+struct nfct_handle *nl_init_event_handler(void)
{
- STATE(event) = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
- if (!STATE(event))
- return -1;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
+ if (h == NULL)
+ return NULL;
if (STATE(filter)) {
if (CONFIG(filter_from_kernelspace)) {
- if (nfct_filter_attach(nfct_fd(STATE(event)),
+ if (nfct_filter_attach(nfct_fd(h),
STATE(filter)) == -1) {
dlog(LOG_ERR, "cannot set event filtering: %s",
strerror(errno));
@@ -126,18 +50,18 @@ int nl_init_event_handler(void)
nfct_filter_destroy(STATE(filter));
}
- fcntl(nfct_fd(STATE(event)), F_SETFL, O_NONBLOCK);
+ fcntl(nfct_fd(h), F_SETFL, O_NONBLOCK);
/* set up socket buffer size */
if (CONFIG(netlink_buffer_size))
- nfnl_rcvbufsiz(nfct_nfnlh(STATE(event)),
+ nfnl_rcvbufsiz(nfct_nfnlh(h),
CONFIG(netlink_buffer_size));
else {
socklen_t socklen = sizeof(unsigned int);
unsigned int read_size;
/* get current buffer size */
- getsockopt(nfct_fd(STATE(event)), SOL_SOCKET,
+ getsockopt(nfct_fd(h), SOL_SOCKET,
SO_RCVBUF, &read_size, &socklen);
CONFIG(netlink_buffer_size) = read_size;
@@ -148,69 +72,43 @@ int nl_init_event_handler(void)
CONFIG(netlink_buffer_size_max_grown) =
CONFIG(netlink_buffer_size);
- /* register callback for events */
- nfct_callback_register(STATE(event), NFCT_T_ALL, event_handler, NULL);
-
- return 0;
+ return h;
}
-static int dump_handler(enum nf_conntrack_msg_type type,
- struct nf_conntrack *ct,
- void *data)
+struct nfct_handle *nl_init_dump_handler(void)
{
- if (ignore_conntrack(ct, 1))
- return NFCT_CB_CONTINUE;
-
- switch(type) {
- case NFCT_T_UPDATE:
- STATE(mode)->dump(ct);
- break;
- default:
- dlog(LOG_WARNING, "unknown msg from ctnetlink");
- break;
- }
- return NFCT_CB_CONTINUE;
-}
+ struct nfct_handle *h;
-int nl_init_dump_handler(void)
-{
/* open dump netlink socket */
- STATE(dump) = nfct_open(CONNTRACK, 0);
- if (!STATE(dump))
- return -1;
-
- /* register callback for dumped entries */
- nfct_callback_register(STATE(dump), NFCT_T_ALL, dump_handler, NULL);
+ h = nfct_open(CONNTRACK, 0);
+ if (h == NULL)
+ return NULL;
- if (nl_dump_conntrack_table() == -1)
- return -1;
-
- return 0;
+ return h;
}
-int nl_init_overrun_handler(void)
+struct nfct_handle *nl_init_overrun_handler(void)
{
- STATE(overrun) = nfct_open(CONNTRACK, 0);
- if (!STATE(overrun))
- return -1;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, 0);
+ if (h == NULL)
+ return NULL;
- fcntl(nfct_fd(STATE(overrun)), F_SETFL, O_NONBLOCK);
+ fcntl(nfct_fd(h), F_SETFL, O_NONBLOCK);
- nfct_callback_register(STATE(overrun),
- NFCT_T_ALL,
- STATE(mode)->overrun,
- NULL);
- return 0;
+ return h;
}
-/* no callback, it does not do anything with the output */
-int nl_init_request_handler(void)
+struct nfct_handle *nl_init_request_handler(void)
{
- STATE(request) = nfct_open(CONNTRACK, 0);
- if (!STATE(request))
- return -1;
+ struct nfct_handle *h;
+
+ h = nfct_open(CONNTRACK, 0);
+ if (h == NULL)
+ return NULL;
- return 0;
+ return h;
}
static int warned = 0;