From 837747610f4c8046889aacd3f29f1f63049015cc Mon Sep 17 00:00:00 2001 From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org" Date: Mon, 31 Oct 2005 04:20:58 +0000 Subject: Special thanks to Deti Fiegl from the Leibniz Supercomputing Centre in Munich, Germany for providing the "fast" hardware to reproduce spurious bugs ;) List of changes: o Replace misleading flag NFCT_ANY_GROUP by NFCT_ALL_GROUPS o Update test file to use NFCT_ALL_GROUPS o Add missing check of CTA_PROTOINFO_TCP that resulted in a segfault in conjuction with events. o Fix ICMP conntracks output o Add missing prototype definition of nfct_default_expect_display_id in libnetfilter_conntrack.h --- extensions/libnetfilter_conntrack_icmp.c | 2 +- extensions/libnetfilter_conntrack_tcp.c | 12 ++++++++++++ include/libnetfilter_conntrack/libnetfilter_conntrack.h | 11 +++++++---- utils/ctnl_test.c | 14 +++++++++++++- 4 files changed, 33 insertions(+), 6 deletions(-) diff --git a/extensions/libnetfilter_conntrack_icmp.c b/extensions/libnetfilter_conntrack_icmp.c index 07997d1..d1ae1b4 100644 --- a/extensions/libnetfilter_conntrack_icmp.c +++ b/extensions/libnetfilter_conntrack_icmp.c @@ -52,7 +52,7 @@ static int print_proto(char *buf, struct nfct_tuple *t) t->l4dst.icmp.code); /* ID only makes sense with ECHO */ if (t->l4dst.icmp.type == 8) - size += sprintf(buf, "id=%d ", t->l4src.icmp.id); + size += sprintf(buf+size, "id=%d ", ntohs(t->l4src.icmp.id)); return size; } diff --git a/extensions/libnetfilter_conntrack_tcp.c b/extensions/libnetfilter_conntrack_tcp.c index 32a0971..bb96698 100644 --- a/extensions/libnetfilter_conntrack_tcp.c +++ b/extensions/libnetfilter_conntrack_tcp.c 
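Review bot: The corrected `sprintf(buf+size, ...)` on the `+` line is still an unbounded write: print_proto receives only `char *buf` with no capacity, so nothing in this function can stop the formatted text from running past the caller's buffer. The offset fix itself is right — the removed line wrote at `buf` again after `size` had already been advanced by the earlier type/code output — but a bounded form such as `snprintf(buf+size, len-size, "id=%u ", ntohs(t->l4src.icmp.id))` needs a `len` threaded through print_proto and its callers, which lies outside this hunk. `%d` with the promoted `ntohs()` result works; `%u` would match the unsigned value. print_proto begins before the hunk.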
@@ -42,6 +42,18 @@ static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct) { struct nfattr *tb[CTA_PROTOINFO_TCP_MAX]; + + /* + * Listen to me carefully: This is easy to trigger with events ;). + * The conntrack event messages don't always contain all the + * information about a conntrack, just those fields that have changed. + * So you can receive a message about a TCP connection with no bits + * talking about the private protocol information. + * + * --pablo 05/10/31 + */ + if (!cda[CTA_PROTOINFO_TCP-1]) + return; nfnl_parse_nested(tb,CTA_PROTOINFO_TCP_MAX, cda[CTA_PROTOINFO_TCP-1]); diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 71afa03..0c06fa6 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h @@ -13,7 +13,7 @@ #include #include -#define LIBNETFILTER_CONNTRACK_VERSION "0.2.2" +#define LIBNETFILTER_CONNTRACK_VERSION "0.2.3" enum { CONNTRACK = NFNL_SUBSYS_CTNETLINK, @@ -27,10 +27,12 @@ enum { #define NFCT_ANY_ID 0 /* - * Default flag that is passed to nfct_open(), subscribe - * to all possible groups + * Subscribe to all possible netlink groups. Use this + * flag in case that you want to catch up all the possible + * events. Do not use this flag for dumping or any other + * similar operation. */ -#define NFCT_ANY_GROUP ~0U +#define NFCT_ALL_GROUPS ~0U union nfct_l4 { /* Add other protocols here. */ 
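Review bot: The added guard only covers the top-level CTA_PROTOINFO_TCP attribute; the nested `tb[]` entries that `nfnl_parse_nested()` fills are subject to the same partial-event-message argument the new comment makes, and if the remainder of parse_protoinfo (outside this hunk) dereferences any `tb[...]` entry without a NULL check, an event carrying an empty or partial nested block will segfault in the same way. Each nested lookup that the rest of the function reads should be guarded before use, not just the container. The comment would also read better as the reason alone rather than the aside: `/* Event messages carry only the attributes that changed, so the TCP protoinfo block may be absent; return rather than parse a NULL attribute. */`. parse_protoinfo ends outside the hunk.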
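Review bot: Removing `NFCT_ANY_GROUP` from the public header with only a patch-level version bump (0.2.2 to 0.2.3) breaks every existing caller that passes it to nfct_open(); the new name should be introduced beside a compatibility alias, `#define NFCT_ANY_GROUP NFCT_ALL_GROUPS /* deprecated, use NFCT_ALL_GROUPS */`, or the version should signal the API change. The new comment says not to use the flag for dumping but not why; presumably because `~0U` subscribes the handle to every multicast group so it also receives event traffic, which is worth stating in one line, e.g. `/* ~0U selects every nfnetlink multicast group; pass 0 for dump/get/set handles. */`.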
@@ -237,6 +239,7 @@ extern void nfct_unregister_callback(struct nfct_handle *cth); extern int nfct_default_conntrack_display(void *arg, unsigned int, int); extern int nfct_default_conntrack_display_id(void *arg, unsigned int, int); extern int nfct_default_expect_display(void *arg, unsigned int, int); +extern int nfct_default_expect_display_id(void *arg, unsigned int, int); /* * [Create|update|get|destroy] conntracks diff --git a/utils/ctnl_test.c b/utils/ctnl_test.c index 360e118..a1462af 100644 --- a/utils/ctnl_test.c +++ b/utils/ctnl_test.c @@ -73,7 +73,7 @@ int main(int argc, char **argv) goto end; } - cth = nfct_open(CONNTRACK, NFCT_ANY_GROUP); + cth = nfct_open(CONNTRACK, 0); if (!cth) { fprintf(stderr, "Can't open handler\n"); errors++; @@ -118,6 +118,18 @@ int main(int argc, char **argv) if (ret < 0) errors++; + nfct_close(cth); + + /* Now open a handler that is subscribed to all possible events */ + cth = nfct_open(CONNTRACK, NFCT_ALL_GROUPS); + if (!cth) { + fprintf(stderr, "Can't open handler\n"); + errors++; + ret = -ENOENT; + nfct_conntrack_free(ct); + goto end; + } + fprintf(stdout, "TEST 7: Waiting for 10 conntrack events\n"); signal(SIGINT, event_sighandler); nfct_register_callback(cth, event_counter); -- cgit v1.2.3
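Review bot: On the reopen failure path the test prints the same `Can't open handler` message as the earlier open and forces `ret = -ENOENT`, so a failed event subscription is indistinguishable from the first failure and the real cause is discarded; capture errno before printing, e.g. `int err = errno; fprintf(stderr, "Can't open event handler: %s\n", strerror(err)); ret = -err;` (this assumes nfct_open leaves errno set by the failing socket call, which the hunk cannot confirm, and needs `<string.h>`). Note that `cth` is NULL when this path jumps to `end:`, which lies outside the hunk; if that label closes the handle it must tolerate a NULL handle. The return value of the added `nfct_close(cth)` is also discarded. main starts and ends outside the hunk.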