From ebb9a1aa3813d71b99d7508c88b9cbf525e15b4a Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org"
Date: Sun, 13 Apr 2008 21:59:46 +0000
Subject: fix conntrack -U -p tcp [...]
---
extensions/libct_proto_icmp.c | 9 +++++++++
extensions/libct_proto_icmpv6.c | 9 +++++++++
extensions/libct_proto_tcp.c | 20 ++++++++++++++++++++
extensions/libct_proto_udp.c | 20 ++++++++++++++++++++
include/conntrack.h | 3 +++
src/conntrack.c | 17 +++++++----------
6 files changed, 68 insertions(+), 10 deletions(-)
diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index f81c3b4..62ad00f 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -74,6 +74,9 @@ static int parse(char c, nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, atoi(optarg)); + + nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP); + *flags |= ICMP_TYPE; break; case '2':
@@ -83,6 +86,9 @@ static int parse(char c, nfct_set_attr_u8(ct, ATTR_ICMP_CODE, atoi(optarg)); + + nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP); + *flags |= ICMP_CODE; break; case '3':
@@ -92,6 +98,9 @@ static int parse(char c, nfct_set_attr_u16(ct, ATTR_ICMP_ID, htons(atoi(optarg))); + + nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP); + *flags |= ICMP_ID; break; }
diff --git a/extensions/libct_proto_icmpv6.c b/extensions/libct_proto_icmpv6.c
index 6c1c358..5346b59 100644
--- a/extensions/libct_proto_icmpv6.c
+++ b/extensions/libct_proto_icmpv6.c
@@ -77,6 +77,9 @@ static int parse(char c, nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, atoi(optarg)); + + nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6); + *flags |= ICMP_TYPE; break;
@@ -87,6 +90,9 @@ static int parse(char c, nfct_set_attr_u8(ct, ATTR_ICMP_CODE, atoi(optarg)); + + nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6); + *flags |= ICMP_CODE; break;
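Review bot: The three added calls in parse() set `ATTR_L4PROTO`, while the fallback this commit adds to main() in src/conntrack.c tests `ATTR_ORIG_L4PROTO` and `ATTR_REPL_L4PROTO`, so the two only agree if `ATTR_L4PROTO` names the same attribute as `ATTR_ORIG_L4PROTO`, which this patch does not show. Writing `nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_ICMP);` here, as the TCP and UDP hunks do, would make that dependency explicit. The reply-direction protocol that the block removed from main() used to set is also no longer set on `ct` once any of these ICMP options is given; if that is intended, a one-line comment saying so would help the next reader. The same applies to the '2' and '3' cases and to the three hunks in libct_proto_icmpv6.c; parse() starts and ends outside the hunks.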
@@ -97,6 +103,9 @@ static int parse(char c, nfct_set_attr_u16(ct, ATTR_ICMP_ID, htons(atoi(optarg))); + + nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6); + *flags |= ICMP_ID; break; }
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index dc48d09..0246758 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -103,6 +103,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP); + *flags |= TCP_ORIG_SPORT; break; case '2':
@@ -113,6 +115,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP); + *flags |= TCP_ORIG_DPORT; break; case '3':
@@ -123,6 +127,8 @@ static int parse_options(char c, ATTR_REPL_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_TCP); + *flags |= TCP_REPL_SPORT; break; case '4':
@@ -133,6 +139,8 @@ static int parse_options(char c, ATTR_REPL_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_TCP); + *flags |= TCP_REPL_DPORT; break; case '5':
@@ -143,6 +151,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP); + *flags |= TCP_MASK_SPORT; break; case '6':
@@ -153,6 +163,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP); + *flags |= TCP_MASK_DPORT; break; case '7':
@@ -180,6 +192,10 @@ static int parse_options(char c, ATTR_ORIG_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(exptuple, + ATTR_ORIG_L4PROTO, + IPPROTO_TCP); + *flags |= TCP_EXPTUPLE_SPORT; break; case '9':
@@ -190,6 +206,10 @@ static int parse_options(char c, ATTR_ORIG_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(exptuple, + ATTR_ORIG_L4PROTO, + IPPROTO_TCP); + *flags |= TCP_EXPTUPLE_DPORT; break; }
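Review bot: Setting the tuple protocol is now an obligation on every option case in parse_options() of libct_proto_tcp.c, and nothing in the code says so: the same `nfct_set_attr_u8(..., IPPROTO_TCP)` call is pasted into eight cases here and, with `IPPROTO_UDP`, into eight more in libct_proto_udp.c. A case added later that fills a port but omits the call would leave that object without a protocol, and the fallback added to main() only covers `obj`, not `mask` or `exptuple`. I would add a comment above the switch, for example `/* each option must also set L4PROTO on the object it fills; main() no longer does this */`. parse_options() begins and ends outside these hunks.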
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index d74def5..f9793d0 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -85,6 +85,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_UDP); + *flags |= UDP_ORIG_SPORT; break; case '2':
@@ -95,6 +97,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_UDP); + *flags |= UDP_ORIG_DPORT; break; case '3':
@@ -105,6 +109,8 @@ static int parse_options(char c, ATTR_REPL_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_UDP); + *flags |= UDP_REPL_SPORT; break; case '4':
@@ -115,6 +121,8 @@ static int parse_options(char c, ATTR_REPL_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_UDP); + *flags |= UDP_REPL_DPORT; break; case '5':
@@ -125,6 +133,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_UDP); + *flags |= UDP_MASK_SPORT; break; case '6':
@@ -135,6 +145,8 @@ static int parse_options(char c, ATTR_ORIG_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_UDP); + *flags |= UDP_MASK_DPORT; break; case '7':
@@ -145,6 +157,10 @@ static int parse_options(char c, ATTR_ORIG_PORT_SRC, htons(atoi(optarg))); + nfct_set_attr_u8(exptuple, + ATTR_ORIG_L4PROTO, + IPPROTO_UDP); + *flags |= UDP_EXPTUPLE_SPORT; break; case '8':
@@ -155,6 +171,10 @@ static int parse_options(char c, ATTR_ORIG_PORT_DST, htons(atoi(optarg))); + nfct_set_attr_u8(exptuple, + ATTR_ORIG_L4PROTO, + IPPROTO_UDP); + *flags |= UDP_EXPTUPLE_DPORT; break; }
diff --git a/include/conntrack.h b/include/conntrack.h
index 36897c2..9e005d9 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -82,6 +82,9 @@ enum options { CT_OPT_PROTO_BIT = 4, CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT), + CT_OPT_TUPLE_ORIG = (CT_OPT_ORIG | CT_OPT_PROTO), + CT_OPT_TUPLE_REPL = (CT_OPT_REPL | CT_OPT_PROTO), + CT_OPT_TIMEOUT_BIT = 5, CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
diff --git a/src/conntrack.c b/src/conntrack.c
index f4dfec7..2dfb601 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -737,9 +737,9 @@ static int update_cb(enum nf_conntrack_msg_type type, if (ignore_nat(tmp, ct)) return NFCT_CB_CONTINUE; - if (options & CT_OPT_ORIG && !nfct_cmp(tmp, ct, NFCT_CMP_ORIG)) + if (options & CT_OPT_TUPLE_ORIG && !nfct_cmp(tmp, ct, NFCT_CMP_ORIG)) return NFCT_CB_CONTINUE; - if (options & CT_OPT_REPL && !nfct_cmp(tmp, ct, NFCT_CMP_REPL)) + if (options & CT_OPT_TUPLE_REPL && !nfct_cmp(tmp, ct, NFCT_CMP_REPL)) return NFCT_CB_CONTINUE; nfct_copy(tmp, ct, NFCT_CP_ORIG);
@@ -935,14 +935,6 @@ int main(int argc, char *argv[]) "`%s' unsupported protocol", optarg); - nfct_set_attr_u8(obj, ATTR_ORIG_L4PROTO, h->protonum); - nfct_set_attr_u8(obj, ATTR_REPL_L4PROTO, h->protonum); - nfct_set_attr_u8(exptuple, - ATTR_ORIG_L4PROTO, - h->protonum); - nfct_set_attr_u8(mask, - ATTR_ORIG_L4PROTO, - h->protonum); opts = merge_options(opts, h->opts, &h->option_offset); if (opts == NULL) exit_error(OTHER_PROBLEM, "out of memory");
@@ -1052,6 +1044,11 @@ int main(int argc, char *argv[]) if (family == AF_UNSPEC) family = AF_INET; + /* set the protocol number if we have seen -p with no parameters */ + if (h && !nfct_attr_is_set(obj, ATTR_ORIG_L4PROTO) && + !nfct_attr_is_set(obj, ATTR_REPL_L4PROTO)) + nfct_set_attr_u8(obj, ATTR_L4PROTO, h->protonum); + cmd = bit2cmd(command); generic_cmd_check(cmd, options); generic_opt_check(options,
-- cgit v1.2.3
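Review bot: The two new enum entries are multi-bit masks, and the test `options & CT_OPT_TUPLE_ORIG` in the update_cb() hunk is true when any one of their bits is set; since `CT_OPT_PROTO` (presumably the bit set by `-p`) is part of both `CT_OPT_TUPLE_ORIG` and `CT_OPT_TUPLE_REPL`, `-p` on its own now enables both the ORIG and the REPL comparison. If that is the intent, the entries in include/conntrack.h deserve a comment such as `/* any-of masks: tuple addresses or -p */`; if both bits are meant to be required, the test should read `(options & CT_OPT_TUPLE_ORIG) == CT_OPT_TUPLE_ORIG`. Either way I would parenthesise the bitwise test, `if ((options & CT_OPT_TUPLE_ORIG) && !nfct_cmp(tmp, ct, NFCT_CMP_ORIG))`, so the precedence against `&&` does not have to be remembered. update_cb() starts and ends outside its hunk.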
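Review bot: The fallback added before `bit2cmd()` restores the protocol only on `obj`, whereas the block removed at -935 also set `ATTR_REPL_L4PROTO` on `obj` and `ATTR_ORIG_L4PROTO` on `exptuple` and `mask`. With `-p` and no port option, those two objects now reach the command handlers without a protocol, as far as the visible hunks show; the expectation commands look like the ones affected. If that is not intended, the same guard can be repeated for them, e.g. `if (h && !nfct_attr_is_set(exptuple, ATTR_ORIG_L4PROTO)) nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, h->protonum);`. main() continues outside the hunk.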