diff options
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 166 |
1 files changed, 32 insertions, 134 deletions
diff --git a/src/netlink.c b/src/netlink.c index b8a2a02..81ac7a1 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -18,103 +18,27 @@ #include "netlink.h" #include "conntrackd.h" -#include "traffic_stats.h" #include "filter.h" #include "log.h" #include "debug.h" #include <string.h> #include <errno.h> - -static int sanity_check(struct nf_conntrack *ct) -{ - if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) { - dlog(LOG_ERR, "missing layer 3 protocol"); - return 0; - } - - switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) { - case AF_INET: - if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) || - !nfct_attr_is_set(ct, ATTR_IPV4_DST) || - !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) || - !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) { - dlog(LOG_ERR, "missing IPv4 address. " - "You forgot to load " - "nf_conntrack_ipv4?"); - return 0; - } - break; - case AF_INET6: - if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) || - !nfct_attr_is_set(ct, ATTR_IPV6_DST) || - !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) || - !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) { - dlog(LOG_ERR, "missing IPv6 address. " - "You forgot to load " - "nf_conntrack_ipv6?"); - return 0; - } - break; - } - return 1; -} - -/* we do user-space filtering for dump and resyncs */ -int ignore_conntrack(struct nf_conntrack *ct, int userspace) -{ - /* missing mandatory attributes in object */ - if (!sanity_check(ct)) - return 1; - - if (userspace && !ct_filter_check(STATE(us_filter), ct)) { - debug_ct(ct, "ignore traffic"); - return 1; - } - - return 0; -} - -static int event_handler(enum nf_conntrack_msg_type type, - struct nf_conntrack *ct, - void *data) -{ - /* skip user-space filtering if already do it in the kernel */ - if (ignore_conntrack(ct, !CONFIG(filter_from_kernelspace))) - return NFCT_CB_STOP; - - switch(type) { - case NFCT_T_NEW: - STATE(mode)->event_new(ct); - break; - case NFCT_T_UPDATE: - STATE(mode)->event_upd(ct); - break; - case NFCT_T_DESTROY: - if (STATE(mode)->event_dst(ct)) - update_traffic_stats(ct); - break; - default: - dlog(LOG_WARNING, "unknown msg from ctnetlink\n"); - break; - } - - return NFCT_CB_CONTINUE; -} - #include <sys/types.h> #include <sys/socket.h> #include <sys/fcntl.h> -int nl_init_event_handler(void) +struct nfct_handle *nl_init_event_handler(void) { - STATE(event) = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS); - if (!STATE(event)) - return -1; + struct nfct_handle *h; + + h = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS); + if (h == NULL) + return NULL; if (STATE(filter)) { if (CONFIG(filter_from_kernelspace)) { - if (nfct_filter_attach(nfct_fd(STATE(event)), + if (nfct_filter_attach(nfct_fd(h), STATE(filter)) == -1) { dlog(LOG_ERR, "cannot set event filtering: %s", strerror(errno)); @@ -126,18 +50,18 @@ int nl_init_event_handler(void) nfct_filter_destroy(STATE(filter)); } - fcntl(nfct_fd(STATE(event)), F_SETFL, O_NONBLOCK); + fcntl(nfct_fd(h), F_SETFL, O_NONBLOCK); /* set up socket buffer size */ if (CONFIG(netlink_buffer_size)) - nfnl_rcvbufsiz(nfct_nfnlh(STATE(event)), + nfnl_rcvbufsiz(nfct_nfnlh(h), CONFIG(netlink_buffer_size)); else { socklen_t socklen = sizeof(unsigned int); unsigned int read_size; /* get current buffer size */ - getsockopt(nfct_fd(STATE(event)), SOL_SOCKET, + getsockopt(nfct_fd(h), SOL_SOCKET, SO_RCVBUF, &read_size, &socklen); CONFIG(netlink_buffer_size) = read_size; @@ -148,69 +72,43 @@ int nl_init_event_handler(void) CONFIG(netlink_buffer_size_max_grown) = CONFIG(netlink_buffer_size); - /* register callback for events */ - nfct_callback_register(STATE(event), NFCT_T_ALL, event_handler, NULL); - - return 0; + return h; } -static int dump_handler(enum nf_conntrack_msg_type type, - struct nf_conntrack *ct, - void *data) +struct nfct_handle *nl_init_dump_handler(void) { - if (ignore_conntrack(ct, 1)) - return NFCT_CB_CONTINUE; - - switch(type) { - case NFCT_T_UPDATE: - STATE(mode)->dump(ct); - break; - default: - dlog(LOG_WARNING, "unknown msg from ctnetlink"); - break; - } - return NFCT_CB_CONTINUE; -} + struct nfct_handle *h; -int nl_init_dump_handler(void) -{ /* open dump netlink socket */ - STATE(dump) = nfct_open(CONNTRACK, 0); - if (!STATE(dump)) - return -1; - - /* register callback for dumped entries */ - nfct_callback_register(STATE(dump), NFCT_T_ALL, dump_handler, NULL); + h = nfct_open(CONNTRACK, 0); + if (h == NULL) + return NULL; - if (nl_dump_conntrack_table() == -1) - return -1; - - return 0; + return h; } -int nl_init_overrun_handler(void) +struct nfct_handle *nl_init_overrun_handler(void) { - STATE(overrun) = nfct_open(CONNTRACK, 0); - if (!STATE(overrun)) - return -1; + struct nfct_handle *h; + + h = nfct_open(CONNTRACK, 0); + if (h == NULL) + return NULL; - fcntl(nfct_fd(STATE(overrun)), F_SETFL, O_NONBLOCK); + fcntl(nfct_fd(h), F_SETFL, O_NONBLOCK); - nfct_callback_register(STATE(overrun), - NFCT_T_ALL, - STATE(mode)->overrun, - NULL); - return 0; + return h; } -/* no callback, it does not do anything with the output */ -int nl_init_request_handler(void) +struct nfct_handle *nl_init_request_handler(void) { - STATE(request) = nfct_open(CONNTRACK, 0); - if (!STATE(request)) - return -1; + struct nfct_handle *h; + + h = nfct_open(CONNTRACK, 0); + if (h == NULL) + return NULL; - return 0; + return h; } static int warned = 0; |