summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
author/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org>2007-04-24 18:39:51 +0000
committer/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org>2007-04-24 18:39:51 +0000
commit7736631fef63efde9c0fd68af89c3e2900286428 (patch)
tree62d74d3733dc9e06bc608f70944278c6d9d13137
parent888062dd7196528a54753155c71572725597aa25 (diff)
- fix compilation warning in snprintf.c
- introduce the new compare infrastructure: much simple than previous - introduce nfct_maxsize for nf_conntrack object allocated in the stack - more strict checkings in nfct_set_attr: third parameter is const
-rw-r--r--include/internal.h3
-rw-r--r--include/libnetfilter_conntrack/libnetfilter_conntrack.h8
-rw-r--r--src/conntrack/Makefile.am3
-rw-r--r--src/conntrack/api.c44
-rw-r--r--src/conntrack/compare.c102
5 files changed, 156 insertions, 4 deletions
diff --git a/include/internal.h b/include/internal.h
index 56f6962..78020f3 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -148,11 +148,14 @@ int __build_conntrack(struct nfnl_subsys_handle *ssh, struct nfnlhdr *req, size_
int __parse_message_type(const struct nlmsghdr *nlh);
void __parse_conntrack(const struct nlmsghdr *nlh, const struct nfattr *cda[], struct nf_conntrack *ct);
int __snprintf_conntrack(char *buf, unsigned int len, const struct nf_conntrack *ct, unsigned int type, unsigned int msg_output, unsigned int flags);
+int __snprintf_conntrack_default(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
+int __snprintf_conntrack_xml(char *buf, unsigned int len, const struct nf_conntrack *ct, const unsigned int msg_type, const unsigned int flags);
int __callback(struct nlmsghdr *nlh, struct nfattr *nfa[], void *data);
int __setobjopt(struct nf_conntrack *ct, unsigned int option);
int __getobjopt(const struct nf_conntrack *ct, unsigned int option);
+int __compare(const struct nf_conntrack *ct1, const struct nf_conntrack *ct2);
#endif
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 6a26577..e35e626 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -414,6 +414,9 @@ struct nf_conntrack *nfct_clone(const struct nf_conntrack *ct);
/* object size */
extern size_t nfct_sizeof(const struct nf_conntrack *ct);
+/* maximum object size */
+extern size_t nfct_maxsize(void);
+
/* set option */
enum {
NFCT_SOPT_UNDO_SNAT,
@@ -459,7 +462,7 @@ enum {
/* setter */
extern void nfct_set_attr(struct nf_conntrack *ct,
const enum nf_conntrack_attr type,
- void *value);
+ const void *value);
extern void nfct_set_attr_u8(struct nf_conntrack *ct,
const enum nf_conntrack_attr type,
@@ -517,6 +520,9 @@ extern int nfct_snprintf(char *buf,
const unsigned int out_type,
const unsigned int out_flags);
+extern int nfct_compare(const struct nf_conntrack *ct1,
+ const struct nf_conntrack *ct2);
+
/* query */
enum nf_conntrack_query {
NFCT_Q_CREATE,
diff --git a/src/conntrack/Makefile.am b/src/conntrack/Makefile.am
index c58c09d..3a138e4 100644
--- a/src/conntrack/Makefile.am
+++ b/src/conntrack/Makefile.am
@@ -14,4 +14,5 @@ libnetfilter_conntrack_new_api_la_SOURCES = api.c callback.c \
parse.c build.c \
snprintf.c \
snprintf_default.c snprintf_xml.c \
- objopt.c
+ objopt.c \
+ compare.c
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 19aca5e..9f14188 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -43,7 +43,7 @@ void nfct_destroy(struct nf_conntrack *ct)
}
/**
- * nf_sizeof - return the size of a certain conntrack object
+ * nf_sizeof - return the size in bytes of a certain conntrack object
* @ct: pointer to the conntrack object
*/
size_t nfct_sizeof(const struct nf_conntrack *ct)
@@ -53,6 +53,25 @@ size_t nfct_sizeof(const struct nf_conntrack *ct)
}
/**
+ * nfct_maxsize - return the maximum size in bytes of a conntrack object
+ *
+ * Use this function if you want to allocate a conntrack object in the stack
+ * instead of the heap. For example:
+ *
+ * char buf[nfct_maxsize()];
+ * struct nf_conntrack *ct = (struct nf_conntrack *) buf;
+ * memset(ct, 0, nfct_maxsize());
+ *
+ * Note: As for now this function returns the same size that nfct_sizeof(ct)
+ * does although _this could change in the future_. Therefore, do not assume
+ * that nfct_sizeof(ct) == nfct_maxsize().
+ */
+size_t nfct_maxsize()
+{
+ return sizeof(struct nf_conntrack);
+}
+
+/**
* nfct_clone - clone a conntrack object
* @ct: pointer to a valid conntrack object
*
@@ -194,7 +213,7 @@ void nfct_callback_unregister(struct nfct_handle *h)
*/
void nfct_set_attr(struct nf_conntrack *ct,
const enum nf_conntrack_attr type,
- void *value)
+ const void *value)
{
assert(ct != NULL);
assert(value != NULL);
@@ -602,3 +621,24 @@ int nfct_snprintf(char *buf,
return __snprintf_conntrack(buf, size, ct, msg_type, out_type, flags);
}
+
+/**
+ * nfct_compare - compare two conntrack objects
+ * @ct1: pointer to a valid conntrack object
+ * @ct2: pointer to a valid conntrack object
+ *
+ * This function only compare attribute set in both objects, ie. if a certain
+ * attribute is not set in ct1 but it is in ct2, then the value of such
+ * attribute is not used in the comparison.
+ *
+ * If both conntrack object are equal, this function returns 1, otherwise
+ * 0 is returned.
+ */
+int nfct_compare(const struct nf_conntrack *ct1,
+ const struct nf_conntrack *ct2)
+{
+ assert(ct1 != NULL);
+ assert(ct2 != NULL);
+
+ return __compare(ct1, ct2);
+}
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
new file mode 100644
index 0000000..0792a8a
--- /dev/null
+++ b/src/conntrack/compare.c
@@ -0,0 +1,102 @@
+/*
+ * (C) 2007 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#include "internal.h"
+
+int __compare(const struct nf_conntrack *ct1,
+ const struct nf_conntrack *ct2)
+{
+ if (test_bit(ATTR_MARK, ct1->set) &&
+ test_bit(ATTR_MARK, ct2->set) &&
+ ct1->mark != ct2->mark)
+ return 0;
+
+ if (test_bit(ATTR_TIMEOUT, ct1->set) &&
+ test_bit(ATTR_TIMEOUT, ct2->set) &&
+ ct1->timeout != ct2->timeout)
+ return 0;
+
+ if (test_bit(ATTR_STATUS, ct1->set) &&
+ test_bit(ATTR_STATUS, ct2->set) &&
+ ct1->status == ct2->status)
+ return 0;
+
+ if (test_bit(ATTR_TCP_STATE, ct1->set) &&
+ test_bit(ATTR_TCP_STATE, ct2->set) &&
+ ct1->protoinfo.tcp.state != ct2->protoinfo.tcp.state)
+ return 0;
+
+ if (test_bit(ATTR_ORIG_L3PROTO, ct1->set) &&
+ test_bit(ATTR_ORIG_L3PROTO, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].l3protonum != AF_UNSPEC &&
+ ct2->tuple[__DIR_ORIG].l3protonum != AF_UNSPEC &&
+ ct1->tuple[__DIR_ORIG].l3protonum !=
+ ct2->tuple[__DIR_ORIG].l3protonum)
+ return 0;
+
+ if (test_bit(ATTR_REPL_L3PROTO, ct1->set) &&
+ test_bit(ATTR_REPL_L3PROTO, ct2->set) &&
+ ct1->tuple[__DIR_REPL].l3protonum != AF_UNSPEC &&
+ ct2->tuple[__DIR_REPL].l3protonum != AF_UNSPEC &&
+ ct1->tuple[__DIR_REPL].l3protonum !=
+ ct2->tuple[__DIR_REPL].l3protonum)
+ return 0;
+
+ if (test_bit(ATTR_ORIG_IPV4_SRC, ct1->set) &&
+ test_bit(ATTR_ORIG_IPV4_SRC, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].src.v4 !=
+ ct2->tuple[__DIR_ORIG].src.v4)
+ return 0;
+
+ if (test_bit(ATTR_ORIG_IPV4_DST, ct1->set) &&
+ test_bit(ATTR_ORIG_IPV4_DST, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].dst.v4 !=
+ ct2->tuple[__DIR_ORIG].dst.v4)
+ return 0;
+
+ if (test_bit(ATTR_REPL_IPV4_SRC, ct1->set) &&
+ test_bit(ATTR_REPL_IPV4_SRC, ct2->set) &&
+ ct1->tuple[__DIR_REPL].src.v4 !=
+ ct2->tuple[__DIR_REPL].src.v4)
+ return 0;
+
+ if (test_bit(ATTR_REPL_IPV4_DST, ct1->set) &&
+ test_bit(ATTR_REPL_IPV4_DST, ct2->set) &&
+ ct1->tuple[__DIR_REPL].dst.v4 !=
+ ct2->tuple[__DIR_REPL].dst.v4)
+ return 0;
+
+ if (test_bit(ATTR_ORIG_IPV6_SRC, ct1->set) &&
+ test_bit(ATTR_ORIG_IPV6_SRC, ct2->set) &&
+ memcmp(&ct1->tuple[__DIR_ORIG].src.v6,
+ &ct2->tuple[__DIR_ORIG].src.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+
+ if (test_bit(ATTR_ORIG_IPV6_DST, ct1->set) &&
+ test_bit(ATTR_ORIG_IPV6_DST, ct2->set) &&
+ memcmp(&ct1->tuple[__DIR_ORIG].dst.v6,
+ &ct2->tuple[__DIR_ORIG].dst.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+
+ if (test_bit(ATTR_REPL_IPV6_SRC, ct1->set) &&
+ test_bit(ATTR_REPL_IPV6_SRC, ct2->set) &&
+ memcmp(&ct1->tuple[__DIR_REPL].src.v6,
+ &ct2->tuple[__DIR_REPL].src.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+
+ if (test_bit(ATTR_REPL_IPV6_DST, ct1->set) &&
+ test_bit(ATTR_REPL_IPV6_DST, ct2->set) &&
+ memcmp(&ct1->tuple[__DIR_REPL].dst.v6,
+ &ct2->tuple[__DIR_REPL].dst.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+
+ return 1;
+}