diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/libnetfilter_conntrack.c | 61 |
1 files changed, 51 insertions, 10 deletions
diff --git a/src/libnetfilter_conntrack.c b/src/libnetfilter_conntrack.c index e207a7f..54dd82c 100644 --- a/src/libnetfilter_conntrack.c +++ b/src/libnetfilter_conntrack.c @@ -8,6 +8,7 @@ * (at your option) any later version. */ #include <stdio.h> +#include <unistd.h> #include <getopt.h> #include <dlfcn.h> #include <stdlib.h> @@ -604,6 +605,10 @@ int nfct_default_conntrack_display(void *arg, unsigned int flags, int type, { char buf[512]; int size; + struct nfct_conntrack_compare *cmp = data; + + if (cmp && !nfct_conntrack_compare(cmp->ct, arg, 0, cmp->protoflag)) + return 0; memset(buf, 0, sizeof(buf)); size = nfct_sprintf_conntrack(buf, arg, flags); @@ -618,6 +623,10 @@ int nfct_default_conntrack_display_id(void *arg, unsigned int flags, int type, { char buf[512]; int size; + struct nfct_conntrack_compare *cmp = data; + + if (cmp && !nfct_conntrack_compare(cmp->ct, arg, 0, cmp->protoflag)) + return 0; memset(buf, 0, sizeof(buf)); size = nfct_sprintf_conntrack_id(buf, arg, flags); @@ -627,6 +636,13 @@ int nfct_default_conntrack_display_id(void *arg, unsigned int flags, int type, return 0; } +int nfct_default_conntrack_event_display(void *arg, unsigned int flags, + int type, void *data) +{ + fprintf(stdout, "%9s ", msgtype[type]); + return nfct_default_conntrack_display_id(arg, flags, type, data); +} + int nfct_sprintf_expect_proto(char *buf, struct nfct_expect *exp) { return(sprintf(buf, "%u proto=%d ", exp->timeout, @@ -684,15 +700,6 @@ int nfct_default_expect_display_id(void *arg, unsigned int flags, int type, return 0; } -static int nfct_event_netlink_handler(struct nfct_handle *cth, - struct nlmsghdr *nlh, - void *arg) -{ - int type = NFNL_MSG_TYPE(nlh->nlmsg_type); - fprintf(stdout, "%9s ", msgtype[typemsg2enum(type, nlh->nlmsg_flags)]); - return nfct_conntrack_netlink_handler(cth, nlh, arg); -} - static int nfct_expect_netlink_handler(struct nfct_handle *cth, struct nlmsghdr *nlh, void *arg) { @@ -763,6 +770,28 @@ void nfct_conntrack_free(struct nfct_conntrack *ct) free(ct); } +int nfct_conntrack_compare(struct nfct_conntrack *ct1, + struct nfct_conntrack *ct2, + unsigned int cmp_flag, + unsigned int cmp_protoflag) +{ + struct nfct_proto *proto; + + if (ct1->tuple[NFCT_DIR_ORIGINAL].protonum != + ct2->tuple[NFCT_DIR_ORIGINAL].protonum) + return 0; + + /* + * TODO: implement tuple, status, mark... comparison. + */ + + proto = findproto(proto2str[ct1->tuple[NFCT_DIR_ORIGINAL].protonum]); + if (!proto) + return 0; + + return proto->compare(ct1, ct2, cmp_protoflag); +} + int nfct_create_conntrack(struct nfct_handle *cth, struct nfct_conntrack *ct) { struct nfnlhdr *req; @@ -938,7 +967,13 @@ int nfct_dump_conntrack_table_reset_counters(struct nfct_handle *cth) int nfct_event_conntrack(struct nfct_handle *cth) { - cth->handler = nfct_event_netlink_handler; + /* + * You need to be root to listen to conntrack events + */ + if (getuid() != 0) + return -EPERM; + + cth->handler = nfct_conntrack_netlink_handler; return nfnl_listen(&cth->nfnlh, &callback_handler, cth); } @@ -1092,6 +1127,12 @@ int nfct_delete_expectation(struct nfct_handle *cth,struct nfct_tuple *tuple, int nfct_event_expectation(struct nfct_handle *cth) { + /* + * You need to be root to listen to conntrack events + */ + if (getuid() != 0) + return -EPERM; + cth->handler = nfct_expect_netlink_handler; return nfnl_listen(&cth->nfnlh, &callback_handler, cth); } |