Diffstat (limited to 'src')
-rw-r--r-- | src/conntrack/api.c | 31 | ||||
-rw-r--r-- | src/conntrack/bsf.c | 29 | ||||
-rw-r--r-- | src/conntrack/build.c | 2 | ||||
-rw-r--r-- | src/conntrack/build_mnl.c | 101 | ||||
-rw-r--r-- | src/conntrack/filter.c | 17 | ||||
-rw-r--r-- | src/conntrack/filter_dump.c | 46 | ||||
-rw-r--r-- | src/conntrack/labels.c | 2 | ||||
-rw-r--r-- | src/conntrack/stack.c | 4 | ||||
-rw-r--r-- | src/expect/api.c | 4 | ||||
-rw-r--r-- | src/expect/build.c | 2 |
10 files changed, 191 insertions, 47 deletions
diff --git a/src/conntrack/api.c b/src/conntrack/api.c index b7f64fb..2efb175 100644 --- a/src/conntrack/api.c +++ b/src/conntrack/api.c @@ -307,7 +307,7 @@ int nfct_callback_register2(struct nfct_handle *h, assert(h != NULL); - container = calloc(sizeof(struct __data_container), 1); + container = calloc(1, sizeof(struct __data_container)); if (container == NULL) return -1; @@ -779,6 +779,8 @@ int nfct_build_conntrack(struct nfnl_subsys_handle *ssh, assert(req != NULL); assert(ct != NULL); + memset(req, 0, size); + return __build_conntrack(ssh, req, size, type, flags, ct); } @@ -812,7 +814,7 @@ __build_query_ct(struct nfnl_subsys_handle *ssh, assert(data != NULL); assert(req != NULL); - memset(req, 0, size); + memset(buffer, 0, size); switch(qt) { case NFCT_Q_CREATE: @@ -833,6 +835,8 @@ __build_query_ct(struct nfnl_subsys_handle *ssh, break; case NFCT_Q_FLUSH_FILTER: nfct_fill_hdr(req, IPCTNL_MSG_CT_DELETE, NLM_F_ACK, *family, 1); + if (__build_filter_flush(req, size, data) < 0) + return -1; break; case NFCT_Q_DUMP: nfct_fill_hdr(req, IPCTNL_MSG_CT_GET, NLM_F_DUMP, *family, @@ -848,12 +852,14 @@ __build_query_ct(struct nfnl_subsys_handle *ssh, case NFCT_Q_DUMP_FILTER: nfct_fill_hdr(req, IPCTNL_MSG_CT_GET, NLM_F_DUMP, AF_UNSPEC, NFNETLINK_V0); - __build_filter_dump(req, size, data); + if (__build_filter_dump(req, size, data) < 0) + return -1; break; case NFCT_Q_DUMP_FILTER_RESET: nfct_fill_hdr(req, IPCTNL_MSG_CT_GET_CTRZERO, NLM_F_DUMP, AF_UNSPEC, NFNETLINK_V0); - __build_filter_dump(req, size, data); + if (__build_filter_dump(req, size, data) < 0) + return -1; break; default: errno = ENOTSUP; @@ -1359,7 +1365,7 @@ void nfct_copy_attr(struct nf_conntrack *ct1, */ struct nfct_filter *nfct_filter_create(void) { - return calloc(sizeof(struct nfct_filter), 1); + return calloc(1, sizeof(struct nfct_filter)); } /** 
@@ -1498,7 +1504,7 @@ int nfct_filter_detach(int fd) */ struct nfct_filter_dump *nfct_filter_dump_create(void) { - return calloc(sizeof(struct nfct_filter_dump), 1); + return calloc(1, sizeof(struct nfct_filter_dump)); } /** @@ -1550,6 +1556,19 @@ void nfct_filter_dump_set_attr_u8(struct nfct_filter_dump *filter_dump, } /** + * nfct_filter_dump_attr_set_u16 - set u16 dump filter attribute + * \param filter dump filter object that we want to modify + * \param type filter attribute type + * \param value value of the filter attribute using unsigned int (32 bits). + */ +void nfct_filter_dump_set_attr_u16(struct nfct_filter_dump *filter_dump, + const enum nfct_filter_dump_attr type, + uint16_t value) +{ + nfct_filter_dump_set_attr(filter_dump, type, &value); +} + +/** * @} */ diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c index 1549815..1e78bad 100644 --- a/src/conntrack/bsf.c +++ b/src/conntrack/bsf.c @@ -9,6 +9,7 @@ #include "internal/internal.h" #include "internal/stack.h" +#include <endian.h> #include <linux/filter.h> #include <stddef.h> /* offsetof */ @@ -162,7 +163,7 @@ struct jump { static int nfct_bsf_cmp_k_stack(struct sock_filter *this, int k, - int jump_true, int pos, struct stack *s) + int jump_true, int pos, struct stack *s) { struct sock_filter __code = { .code = BPF_JMP|BPF_JEQ|BPF_K, @@ -301,10 +302,14 @@ bsf_cmp_subsys(struct sock_filter *this, int pos, uint8_t subsys) [1] = { /* A = skb->data[X+k:B] (subsys_id) */ .code = BPF_LD|BPF_B|BPF_IND, +#if BYTE_ORDER == BIG_ENDIAN + .k = 0, +#else .k = sizeof(uint8_t), +#endif }, [2] = { - /* A == subsys ? jump +1 : accept */ + /* A == subsys ? jump + 1 : accept */ .code = BPF_JMP|BPF_JEQ|BPF_K, .k = subsys, .jt = 1, @@ -331,7 +336,7 @@ add_state_filter_cta(struct sock_filter *this, s = stack_create(sizeof(struct jump), 3 + 32); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1; 
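Review bot: The doxygen block on the new nfct_filter_dump_set_attr_u16() in api.c @@ -1556 does not match the function it documents: the title names `nfct_filter_dump_attr_set_u16` and the value line says "unsigned int (32 bits)" while the parameter is `uint16_t`. Change the two lines to ` * nfct_filter_dump_set_attr_u16 - set u16 dump filter attribute` and ` * \param value value of the filter attribute as an unsigned 16-bit integer`, and name the first parameter `filter_dump` in its `\param` line so it matches the signature.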
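Review bot: The `#if BYTE_ORDER == BIG_ENDIAN` guard in bsf_cmp_subsys() (bsf.c @@ -302) silently picks the big-endian offset if either macro is missing, because an undefined identifier evaluates to 0 inside `#if` and `0 == 0` is true; `<endian.h>` only exposes the unprefixed `BYTE_ORDER`/`BIG_ENDIAN` names under the default feature-test macros, so a strict-ANSI build would load the wrong byte of nlmsg_type and the subsys check would never match. Use the names glibc defines unconditionally, `#if __BYTE_ORDER == __BIG_ENDIAN`, or write `#if defined(BYTE_ORDER) && defined(BIG_ENDIAN) && BYTE_ORDER == BIG_ENDIAN` so a missing definition falls through to the little-endian case rather than the wrong one.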
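Review bot: Changing `return -1` to `return 0` on stack_create() failure in add_state_filter_cta() (bsf.c @@ -336) makes an out-of-memory condition indistinguishable from "no instructions emitted": the caller adds the return value to its instruction counter and, as far as @@ -783 shows (`sf.len = j`), never looks at `errno`, so the filter is still attached with that predicate simply missing — it accepts more than the user asked for instead of failing. The same substitution is made at @@ -403, @@ -448, @@ -520, @@ -605 and @@ -704. The caller should notice, e.g. set `errno = 0;` before each `bsf_add_*` call and `if (errno != 0) return -1;` after it, or the helpers should keep a negative return that is checked before being added to `j`. All of the enclosing functions start outside these hunks.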
@@ -398,7 +403,7 @@ add_state_filter(struct sock_filter *this, if (cta[proto].cta_protoinfo == 0 && cta[proto].cta_state == 0) { errno = ENOTSUP; - return -1; + return 0; } return add_state_filter_cta(this, @@ -443,7 +448,7 @@ bsf_add_proto_filter(const struct nfct_filter *f, struct sock_filter *this) s = stack_create(sizeof(struct jump), 3 + 255); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1; @@ -515,7 +520,7 @@ bsf_add_addr_ipv4_filter(const struct nfct_filter *f, s = stack_create(sizeof(struct jump), 3 + 127); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1; @@ -600,7 +605,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, s = stack_create(sizeof(struct jump), 3 + 80); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jf = 1; @@ -635,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, j); if (k < 3) { j += nfct_bsf_cmp_k_stack_jf(this, ip, - jf - j - 1, - j, s); + (3 - k) * 3 + 1, + j, s); } else { /* last word: jump if true */ j += nfct_bsf_cmp_k_stack(this, ip, jf - j, @@ -650,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, this[jmp.line].jt += jmp.jt + j; } if (jmp.jf) { - this[jmp.line].jf += jmp.jf + j; + this[jmp.line].jf += jmp.jf; } } @@ -699,7 +704,7 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this) s = stack_create(sizeof(struct jump), 3 + 127); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1; @@ -778,7 +783,7 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f) show_filter(bsf, from, j, "---- final verdict ----"); from = j; - sf.len = (sizeof(struct sock_filter) * j) / sizeof(bsf[0]); + sf.len = j; sf.filter = bsf; return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &sf, sizeof(sf)); diff --git a/src/conntrack/build.c b/src/conntrack/build.c index b5a7061..f80cfc1 100644 --- a/src/conntrack/build.c +++ b/src/conntrack/build.c 
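Review bot: The new jump distance `(3 - k) * 3 + 1` in bsf_add_addr_ipv6_filter() (bsf.c @@ -640) hard-codes the number of instructions each remaining 32-bit word compare occupies, and the reader has to reconstruct that from nfct_bsf_cmp_k_stack_jf(), which is outside the hunk. A comment on that call naming the layout would help, along the lines of `/* skip the remaining (3 - k) word compares, 3 insns each, plus the final jump */` — confirm the "3" and the "+1" against what nfct_bsf_cmp_k_stack_jf() actually emits before wording it. The companion change at @@ -655 (`jf += jmp.jf` with no `+ j`) now differs from the `jt` branch two lines above; a one-line comment saying why the false offset is already absolute while the true offset is relative to `j` would stop the next reader from "fixing" the asymmetry.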
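Review bot: `sf.len = j` in __setup_netlink_socket_filter() (bsf.c @@ -783) narrows an `int` into the `unsigned short` len field of `struct sock_fprog` without a check; the old expression had the same problem, but since the line is being rewritten it is the moment to bound it. Add `if (j < 0 || j > BPF_MAXINSNS) { errno = EINVAL; return -1; }` before the assignment so an oversized or corrupted instruction count fails here rather than in the kernel's filter validation. The function begins outside the hunk.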
@@ -27,8 +27,6 @@ int __build_conntrack(struct nfnl_subsys_handle *ssh, return -1; } - memset(req, 0, size); - buf = (char *)&req->nlh; nlh = mnl_nlmsg_put_header(buf); nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | type; diff --git a/src/conntrack/build_mnl.c b/src/conntrack/build_mnl.c index 0067a1c..e563c4e 100644 --- a/src/conntrack/build_mnl.c +++ b/src/conntrack/build_mnl.c @@ -73,8 +73,7 @@ nfct_build_tuple_proto(struct nlmsghdr *nlh, const struct __nfct_tuple *t) mnl_attr_put_u16(nlh, CTA_PROTO_ICMPV6_ID, t->l4src.icmp.id); break; default: - mnl_attr_nest_cancel(nlh, nest); - return -1; + break; } mnl_attr_nest_end(nlh, nest); return 0; 
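Review bot: Dropping `memset(req, 0, size)` from __build_conntrack() (build.c @@ -27) changes the function's contract: it now serialises into whatever bytes the caller hands it. nfct_build_conntrack() (api.c @@ -779) zeroes the buffer first, but any other caller of __build_conntrack(), or of __build_expect() where expect/build.c @@ -29 makes the same change, must do the same or stale bytes from a previous message end up in the netlink payload. Record the precondition at the definition, e.g. `/* req must be zeroed (size bytes) by the caller; see nfct_build_conntrack(). */`. Both functions begin outside their hunks.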
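Review bot: The `default: break;` in nfct_build_tuple_proto() (build_mnl.c @@ -73) turns an unrecognised L4 protocol from an error into a tuple carrying only what was put before the switch (presumably the protocol number); that is useful for a dump filter, but it applies to every caller of nfct_nlmsg_build(), which until now received -1 for an unsupported protocol. At minimum write down that the widening is intended, e.g. `/* no L4-specific attributes for other protocols; the protocol number alone is a valid tuple */`, so it is not later mistaken for a dropped error path. The function starts outside the hunk.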
@@ -595,3 +594,101 @@ nfct_nlmsg_build(struct nlmsghdr *nlh, const struct nf_conntrack *ct) return 0; } + +static uint32_t get_flags_from_ct(const struct nf_conntrack *ct, int family) +{ + uint32_t tuple_flags = 0; + + if (family == AF_INET) { + if (test_bit(ATTR_ORIG_IPV4_SRC, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_IP_SRC; + if (test_bit(ATTR_ORIG_IPV4_DST, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_IP_DST; + + if (test_bit(ATTR_ICMP_TYPE, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_ICMP_TYPE; + if (test_bit(ATTR_ICMP_CODE, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_ICMP_CODE; + if (test_bit(ATTR_ICMP_ID, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_ICMP_ID; + } else if (family == AF_INET6) { + if (test_bit(ATTR_ORIG_IPV6_SRC, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_IP_SRC; + if (test_bit(ATTR_ORIG_IPV6_DST, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_IP_DST; + + if (test_bit(ATTR_ICMP_TYPE, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_ICMPV6_TYPE; + if (test_bit(ATTR_ICMP_CODE, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_ICMPV6_CODE; + if (test_bit(ATTR_ICMP_ID, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_ICMPV6_ID; + } + + if (test_bit(ATTR_ORIG_ZONE, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_TUPLE_ZONE; + + if (test_bit(ATTR_ORIG_L4PROTO, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_NUM; + if (test_bit(ATTR_ORIG_PORT_SRC, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_SRC_PORT; + if (test_bit(ATTR_ORIG_PORT_DST, ct->head.set)) + tuple_flags |= CTA_FILTER_FLAG_CTA_PROTO_DST_PORT; + + return tuple_flags; +} + +int nfct_nlmsg_build_filter(struct nlmsghdr *nlh, + const struct nfct_filter_dump *filter_dump) +{ + struct nfgenmsg *nfg; + + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_MARK)) { + mnl_attr_put_u32(nlh, CTA_MARK, htonl(filter_dump->mark.val)); + mnl_attr_put_u32(nlh, CTA_MARK_MASK, 
htonl(filter_dump->mark.mask)); + } + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_L3NUM)) { + nfg = mnl_nlmsg_get_payload(nlh); + nfg->nfgen_family = filter_dump->l3num; + } + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_STATUS)) { + mnl_attr_put_u32(nlh, CTA_STATUS, htonl(filter_dump->status.val)); + mnl_attr_put_u32(nlh, CTA_STATUS_MASK, + htonl(filter_dump->status.mask)); + } + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_ZONE)) { + mnl_attr_put_u16(nlh, CTA_ZONE, htons(filter_dump->zone)); + } + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) { + const struct nf_conntrack *ct = &filter_dump->ct; + struct nlattr *nest; + int ret; + + ret = nfct_nlmsg_build(nlh, ct); + if (ret == -1) + return -1; + + nest = mnl_attr_nest_start(nlh, CTA_FILTER); + if (nest == NULL) + return -1; + + nfg = mnl_nlmsg_get_payload(nlh); + + if (test_bit(ATTR_ORIG_L3PROTO, ct->head.set)) { + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_L3NUM) && + filter_dump->l3num != ct->head.orig.l3protonum) { + errno = EINVAL; + return -1; + } + + nfg->nfgen_family = ct->head.orig.l3protonum; + } + + mnl_attr_put_u32(nlh, CTA_FILTER_ORIG_FLAGS, + get_flags_from_ct(&filter_dump->ct, + nfg->nfgen_family)); + mnl_attr_put_u32(nlh, CTA_FILTER_REPLY_FLAGS, 0); + mnl_attr_nest_end(nlh, nest); + } + return 0; +} diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c index 4cbc116..57b2294 100644 --- a/src/conntrack/filter.c +++ b/src/conntrack/filter.c 
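Review bot: nfct_nlmsg_build_filter() (build_mnl.c @@ -594) returns -1 on the l3num mismatch after `mnl_attr_nest_start(nlh, CTA_FILTER)` has already grown nlmsg_len, leaving an empty CTA_FILTER nest in the message; move the `filter_dump->l3num != ct->head.orig.l3protonum` check above the nest start, or add `mnl_attr_nest_cancel(nlh, nest);` before that `return -1;`. Separately, when neither ATTR_ORIG_L3PROTO nor NFCT_FILTER_DUMP_L3NUM is set, nfgen_family keeps the AF_UNSPEC the caller wrote (api.c @@ -852), get_flags_from_ct() then sets no CTA_IP_SRC/DST flags, and any address the user put in the tuple is silently ignored — an explicit `errno = EINVAL; return -1;` in that case, or a comment stating that the family is required for address filtering, would make the behaviour visible. If nfct_nlmsg_build() also serialises ATTR_MARK/ATTR_STATUS from `ct`, those attributes can appear twice when the MARK/STATUS filter bits are also set; worth a comment or a guard.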
@@ -11,18 +11,31 @@ static void filter_attr_l4proto(struct nfct_filter *filter, const void *value) { + int protonum; + if (filter->l4proto_len >= __FILTER_L4PROTO_MAX) return; - set_bit(*((int *) value), filter->l4proto_map); + protonum = *(int *)value; + if (protonum >= IPPROTO_MAX) + return; + + set_bit(protonum, filter->l4proto_map); filter->l4proto_len++; } -static void +#ifndef BITS_PER_BYTE +#define BITS_PER_BYTE 8 +#endif + +static void filter_attr_l4proto_state(struct nfct_filter *filter, const void *value) { const struct nfct_filter_proto *this = value; + if (this->state >= sizeof(filter->l4proto_state[0].map) * BITS_PER_BYTE) + return; + set_bit_u16(this->state, &filter->l4proto_state[this->proto].map); filter->l4proto_state[this->proto].len++; } diff --git a/src/conntrack/filter_dump.c b/src/conntrack/filter_dump.c index 3894d06..fd2d002 100644 --- a/src/conntrack/filter_dump.c +++ b/src/conntrack/filter_dump.c @@ -8,6 +8,7 @@ */ #include "internal/internal.h" +#include <libmnl/libmnl.h> static void set_filter_dump_attr_mark(struct nfct_filter_dump *filter_dump, 
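Review bot: The new guard in filter_attr_l4proto() (filter.c @@ -11) only rejects `protonum >= IPPROTO_MAX`, but `protonum` is a signed `int` read from the caller's pointer, so a negative value still reaches `set_bit(protonum, filter->l4proto_map)` and writes outside the bitmap (or, if set_bit() takes an unsigned index, wraps to a huge one). Make it `if (protonum < 0 || protonum >= IPPROTO_MAX) return;`. In filter_attr_l4proto_state() the added `state` bound is right, but `this->proto` is still used unchecked as an index into `filter->l4proto_state[]`; if its type admits values at or beyond that array's length, the same guard is needed there.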
@@ -36,29 +37,40 @@ set_filter_dump_attr_family(struct nfct_filter_dump *filter_dump, filter_dump->l3num = *((uint8_t *)value); } +static void +set_filter_dump_attr_zone(struct nfct_filter_dump *filter_dump, + const void *value) +{ + filter_dump->zone = *((uint16_t *)value); +} + +static void +set_filter_dump_attr_tuple(struct nfct_filter_dump *filter_dump, + const void *value) +{ + memcpy(&filter_dump->ct, value, sizeof(struct nf_conntrack)); +} + const set_filter_dump_attr set_filter_dump_attr_array[NFCT_FILTER_DUMP_MAX] = { [NFCT_FILTER_DUMP_MARK] = set_filter_dump_attr_mark, [NFCT_FILTER_DUMP_L3NUM] = set_filter_dump_attr_family, [NFCT_FILTER_DUMP_STATUS] = set_filter_dump_attr_status, + [NFCT_FILTER_DUMP_ZONE] = set_filter_dump_attr_zone, + [NFCT_FILTER_DUMP_TUPLE] = set_filter_dump_attr_tuple, }; -void __build_filter_dump(struct nfnlhdr *req, size_t size, - const struct nfct_filter_dump *filter_dump) +int __build_filter_dump(struct nfnlhdr *req, size_t size, + const struct nfct_filter_dump *filter_dump) { - if (filter_dump->set & (1 << NFCT_FILTER_DUMP_MARK)) { - nfnl_addattr32(&req->nlh, size, CTA_MARK, - htonl(filter_dump->mark.val)); - nfnl_addattr32(&req->nlh, size, CTA_MARK_MASK, - htonl(filter_dump->mark.mask)); - } - if (filter_dump->set & (1 << NFCT_FILTER_DUMP_L3NUM)) { - struct nfgenmsg *nfg = NLMSG_DATA(&req->nlh); - nfg->nfgen_family = filter_dump->l3num; - } - if (filter_dump->set & (1 << NFCT_FILTER_DUMP_STATUS)) { - nfnl_addattr32(&req->nlh, size, CTA_STATUS, - htonl(filter_dump->status.val)); - nfnl_addattr32(&req->nlh, size, CTA_STATUS_MASK, - htonl(filter_dump->status.mask)); + return nfct_nlmsg_build_filter(&req->nlh, filter_dump); +} + +int __build_filter_flush(struct nfnlhdr *req, size_t size, + const struct nfct_filter_dump *filter_dump) +{ + if (filter_dump->set & (1 << NFCT_FILTER_DUMP_TUPLE)) { + errno = ENOTSUP; + return -1; } + return nfct_nlmsg_build_filter(&req->nlh, filter_dump); } 
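Review bot: `size` is no longer used by __build_filter_dump() or __build_filter_flush() (filter_dump.c @@ -37): the nfnl_addattr32() calls it bounded are replaced by nfct_nlmsg_build_filter(), whose libmnl put helpers take no buffer bound, and with NFCT_FILTER_DUMP_TUPLE the message now also carries a full tuple plus the CTA_FILTER nest. A caller whose buffer was sized for the old three attributes can therefore be overrun without any error. Either keep the bound (libmnl's `mnl_attr_put_*_check` variants take one, though nfct_nlmsg_build() would need the same treatment) or document the new precondition at both functions, e.g. `/* size is not enforced: caller must supply a buffer large enough for a complete message, e.g. MNL_SOCKET_BUFFER_SIZE */`, and add `(void)size;` so the unused parameter is explicit.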
diff --git a/src/conntrack/labels.c b/src/conntrack/labels.c index ef85b6e..5f50194 100644 --- a/src/conntrack/labels.c +++ b/src/conntrack/labels.c @@ -268,7 +268,7 @@ struct nfct_labelmap *__labelmap_new(const char *name) if (added) { map->namecount = maxbit + 1; - map->bit_to_name = calloc(sizeof(char *), map->namecount); + map->bit_to_name = calloc(map->namecount, sizeof(char *)); if (!map->bit_to_name) goto err; make_name_table(map); diff --git a/src/conntrack/stack.c b/src/conntrack/stack.c index ac3f437..66ccf1f 100644 --- a/src/conntrack/stack.c +++ b/src/conntrack/stack.c @@ -25,11 +25,11 @@ struct stack *stack_create(size_t elem_size, int max_elems) { struct stack *s; - s = calloc(sizeof(struct stack), 1); + s = calloc(1, sizeof(struct stack)); if (s == NULL) return NULL; - s->data = calloc(elem_size * max_elems, 1); + s->data = calloc(max_elems, elem_size); if (s->data == NULL) { free(s); return NULL; diff --git a/src/expect/api.c b/src/expect/api.c index 39cd092..b100c72 100644 --- a/src/expect/api.c +++ b/src/expect/api.c @@ -513,6 +513,8 @@ int nfexp_build_expect(struct nfnl_subsys_handle *ssh, assert(req != NULL); assert(exp != NULL); + memset(req, 0, size); + return __build_expect(ssh, req, size, type, flags, exp); } @@ -546,7 +548,7 @@ __build_query_exp(struct nfnl_subsys_handle *ssh, assert(data != NULL); assert(req != NULL); - memset(req, 0, size); + memset(buffer, 0, size); switch(qt) { case NFCT_Q_CREATE: diff --git a/src/expect/build.c b/src/expect/build.c index 2e0f968..1807adc 100644 --- a/src/expect/build.c +++ b/src/expect/build.c @@ -29,8 +29,6 @@ int __build_expect(struct nfnl_subsys_handle *ssh, else return -1; - memset(req, 0, size); - buf = (char *)&req->nlh; nlh = mnl_nlmsg_put_header(buf); nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK_EXP << 8) | type; |