From 549d78e74c1140b1a4dcd35e44e64d51a3c613e6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 11 Apr 2009 16:42:20 +0200 Subject: conntrack: add DCCP support This patch adds DCCP support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso --- conntrack.8 | 17 ++++ extensions/Makefile.am | 3 +- extensions/libct_proto_dccp.c | 230 ++++++++++++++++++++++++++++++++++++++++++ include/conntrack.h | 1 + src/Makefile.am | 2 +- src/conntrack.c | 1 + 6 files changed, 252 insertions(+), 2 deletions(-) create mode 100644 extensions/libct_proto_dccp.c diff --git a/conntrack.8 b/conntrack.8 index 490d299..e875940 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -237,6 +237,23 @@ Verification tag (32-bits value) in the original direction .BI "--reply-vtag " "value" Verification tag (32-bits value) in the reply direction .TP +DCCP-specific fields: +.TP +.BI "--sport, --orig-port-src " "PORT" +Source port in original direction +.TP +.BI "--dport, --orig-port-dst " "PORT" +Destination port in original direction +.TP +.BI "--reply-port-src " "PORT" +Source port in reply direction +.TP +.BI "--reply-port-dst " "PORT" +Destination port in reply direction +.TP +.BI "--state " "[NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]" +DCCP state +.TP .SH DIAGNOSTICS The exit code is 0 for correct function. Errors which appear to be caused by invalid command line parameters cause an exit code of 2. Any other errors diff --git a/extensions/Makefile.am b/extensions/Makefile.am index 14293d0..dc7bff5 100644 --- a/extensions/Makefile.am +++ b/extensions/Makefile.am @@ -3,7 +3,7 @@ include $(top_srcdir)/Make_global.am noinst_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la \ libct_proto_icmp.la libct_proto_icmpv6.la \ libct_proto_unknown.la libct_proto_udplite.la \ - libct_proto_sctp.la + libct_proto_sctp.la libct_proto_dccp.la libct_proto_tcp_la_SOURCES = libct_proto_tcp.c libct_proto_udp_la_SOURCES = libct_proto_udp.c @@ -12,3 +12,4 @@ libct_proto_icmp_la_SOURCES = libct_proto_icmp.c libct_proto_icmpv6_la_SOURCES = libct_proto_icmpv6.c libct_proto_unknown_la_SOURCES = libct_proto_unknown.c libct_proto_sctp_la_SOURCES = libct_proto_sctp.c +libct_proto_dccp_la_SOURCES = libct_proto_dccp.c diff --git a/extensions/libct_proto_dccp.c b/extensions/libct_proto_dccp.c new file mode 100644 index 0000000..deb3e28 --- /dev/null +++ b/extensions/libct_proto_dccp.c @@ -0,0 +1,230 @@ +/* + * (C) 2009 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + */ +#include +#include +#include +#include +#include /* For htons */ +#include +#include + +#include "conntrack.h" + +#ifndef IPPROTO_DCCP +#define IPPROTO_DCCP 33 +#endif + +enum { + CT_DCCP_ORIG_SPORT = (1 << 0), + CT_DCCP_ORIG_DPORT = (1 << 1), + CT_DCCP_REPL_SPORT = (1 << 2), + CT_DCCP_REPL_DPORT = (1 << 3), + CT_DCCP_MASK_SPORT = (1 << 4), + CT_DCCP_MASK_DPORT = (1 << 5), + CT_DCCP_STATE = (1 << 6), + CT_DCCP_EXPTUPLE_SPORT = (1 << 7), + CT_DCCP_EXPTUPLE_DPORT = (1 << 8) +}; + +#define DCCP_OPT_MAX 13 +static struct option opts[DCCP_OPT_MAX] = { + { .name = "orig-port-src", .has_arg = 1, .val = '1' }, + { .name = "orig-port-dst", .has_arg = 1, .val = '2' }, + { .name = "reply-port-src", .has_arg = 1, .val = '3' }, + { .name = "reply-port-dst", .has_arg = 1, .val = '4' }, + { .name = "mask-port-src", .has_arg = 1, .val = '5' }, + { .name = "mask-port-dst", .has_arg = 1, .val = '6' }, + { .name = "state", .has_arg = 1, .val = '7' }, + { .name = "tuple-port-src", .has_arg = 1, .val = '8' }, + { .name = "tuple-port-dst", .has_arg = 1, .val = '9' }, + { .name = "sport", .has_arg = 1, .val = '1' }, /* alias */ + { .name = "dport", .has_arg = 1, .val = '2' }, /* alias */ + { 0, 0, 0, 0}, +}; + +static const char *dccp_optflags[DCCP_OPT_MAX] = { + [0] = "sport", + [1] = "dport", + [2] = "reply-port-src", + [3] = "reply-port-dst", + [4] = "mask-port-src", + [5] = "mask-port-dst", + [6] = "state", + [7] = "tuple-port-src", + [8] = "tuple-port-dst" +}; + +static char dccp_commands_v_options[NUMBER_OF_CMD][DCCP_OPT_MAX] = +/* Well, it's better than "Re: Sevilla vs Betis" */ +{ + /* 1 2 3 4 5 6 7 8 9 */ +/*CT_LIST*/ {2,2,2,2,0,0,2,0,0}, +/*CT_CREATE*/ {3,3,3,3,0,0,1,0,0}, +/*CT_UPDATE*/ {2,2,2,2,0,0,2,0,0}, +/*CT_DELETE*/ {2,2,2,2,0,0,2,0,0}, +/*CT_GET*/ {3,3,3,3,0,0,2,0,0}, +/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0}, +/*CT_EVENT*/ {2,2,2,2,0,0,2,0,0}, +/*CT_VERSION*/ {0,0,0,0,0,0,0,0,0}, +/*CT_HELP*/ {0,0,0,0,0,0,0,0,0}, +/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0}, +/*EXP_CREATE*/ {1,1,1,1,1,1,0,1,1}, +/*EXP_DELETE*/ {1,1,1,1,0,0,0,0,0}, +/*EXP_GET*/ {1,1,1,1,0,0,0,0,0}, +/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0}, +/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0}, +}; + +static const char *dccp_states[DCCP_CONNTRACK_MAX] = { + [DCCP_CONNTRACK_NONE] = "NONE", + [DCCP_CONNTRACK_REQUEST] = "REQUEST", + [DCCP_CONNTRACK_RESPOND] = "RESPOND", + [DCCP_CONNTRACK_PARTOPEN] = "PARTOPEN", + [DCCP_CONNTRACK_OPEN] = "OPEN", + [DCCP_CONNTRACK_CLOSEREQ] = "CLOSEREQ", + [DCCP_CONNTRACK_CLOSING] = "CLOSING", + [DCCP_CONNTRACK_TIMEWAIT] = "TIMEWAIT", + [DCCP_CONNTRACK_IGNORE] = "IGNORE", + [DCCP_CONNTRACK_INVALID] = "INVALID", +}; + +static void help(void) +{ + fprintf(stdout, " --orig-port-src\t\toriginal source port\n"); + fprintf(stdout, " --orig-port-dst\t\toriginal destination port\n"); + fprintf(stdout, " --reply-port-src\t\treply source port\n"); + fprintf(stdout, " --reply-port-dst\t\treply destination port\n"); + fprintf(stdout, " --mask-port-src\t\tmask source port\n"); + fprintf(stdout, " --mask-port-dst\t\tmask destination port\n"); + fprintf(stdout, " --tuple-port-src\t\texpectation tuple src port\n"); + fprintf(stdout, " --tuple-port-src\t\texpectation tuple dst port\n"); + fprintf(stdout, " --state\t\t\tDCCP state, fe. RESPOND\n"); +} + +static int parse_options(char c, + struct nf_conntrack *ct, + struct nf_conntrack *exptuple, + struct nf_conntrack *mask, + unsigned int *flags) +{ + int i; + u_int16_t port; + + switch(c) { + case '1': + port = htons(atoi(optarg)); + nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, port); + nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_DCCP); + *flags |= CT_DCCP_ORIG_SPORT; + break; + case '2': + port = htons(atoi(optarg)); + nfct_set_attr_u16(ct, ATTR_ORIG_PORT_DST, port); + nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_DCCP); + *flags |= CT_DCCP_ORIG_DPORT; + break; + case '3': + port = htons(atoi(optarg)); + nfct_set_attr_u16(ct, ATTR_REPL_PORT_SRC, port); + nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_DCCP); + *flags |= CT_DCCP_REPL_SPORT; + break; + case '4': + port = htons(atoi(optarg)); + nfct_set_attr_u16(ct, ATTR_REPL_PORT_DST, port); + nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_DCCP); + *flags |= CT_DCCP_REPL_DPORT; + break; + case '5': + port = htons(atoi(optarg)); + nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, port); + nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_DCCP); + *flags |= CT_DCCP_MASK_SPORT; + break; + case '6': + port = htons(atoi(optarg)); + nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, port); + nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_DCCP); + *flags |= CT_DCCP_MASK_DPORT; + break; + case '7': + for (i=0; i