From cdc8744396470397dcbb9b50dc197526c4cb834c Mon Sep 17 00:00:00 2001 
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org" Date: Sun, 13 Jan 2008 17:17:11 +0000 Subject: Several tree reorganizations: - move l3extensions/ and extensions/ to src/deprecated/ - don't create submodules under /usr/lib/libnetfilter_conntrack/ anymore --- Makefile.am | 2 +- configure.in | 2 +- extensions/Makefile.am | 25 ---- extensions/libnetfilter_conntrack_icmp.c | 90 ------------- extensions/libnetfilter_conntrack_sctp.c | 100 --------------- extensions/libnetfilter_conntrack_tcp.c | 142 --------------------- extensions/libnetfilter_conntrack_udp.c | 84 ------------ l3extensions/Makefile.am | 16 --- l3extensions/libnetfilter_conntrack_ipv4.c | 94 -------------- l3extensions/libnetfilter_conntrack_ipv6.c | 115 ----------------- src/Makefile.am | 11 +- src/deprecated/extensions/Makefile.am | 14 ++ .../extensions/libnetfilter_conntrack_icmp.c | 90 +++++++++++++ .../extensions/libnetfilter_conntrack_sctp.c | 100 +++++++++++++++ .../extensions/libnetfilter_conntrack_tcp.c | 142 +++++++++++++++++++++ .../extensions/libnetfilter_conntrack_udp.c | 84 ++++++++++++ src/deprecated/l3extensions/Makefile.am | 9 ++ .../l3extensions/libnetfilter_conntrack_ipv4.c | 94 ++++++++++++++ .../l3extensions/libnetfilter_conntrack_ipv6.c | 115 +++++++++++++++++ 19 files changed, 659 insertions(+), 670 deletions(-) delete mode 100644 extensions/Makefile.am delete mode 100644 extensions/libnetfilter_conntrack_icmp.c delete mode 100644 extensions/libnetfilter_conntrack_sctp.c delete mode 100644 extensions/libnetfilter_conntrack_tcp.c delete mode 100644 extensions/libnetfilter_conntrack_udp.c delete mode 100644 l3extensions/Makefile.am delete mode 100644 l3extensions/libnetfilter_conntrack_ipv4.c delete mode 100644 l3extensions/libnetfilter_conntrack_ipv6.c create mode 100644 src/deprecated/extensions/Makefile.am create mode 100644 src/deprecated/extensions/libnetfilter_conntrack_icmp.c create mode 100644 src/deprecated/extensions/libnetfilter_conntrack_sctp.c 
create mode 100644 src/deprecated/extensions/libnetfilter_conntrack_tcp.c create mode 100644 src/deprecated/extensions/libnetfilter_conntrack_udp.c create mode 100644 src/deprecated/l3extensions/Makefile.am create mode 100644 src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c create mode 100644 src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c diff --git a/Makefile.am b/Makefile.am index a5df5e1..262028c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2,7 +2,7 @@ include $(top_srcdir)/Make_global.am AUTOMAKE_OPTIONS = foreign dist-bzip2 1.6 -SUBDIRS = include src l3extensions extensions utils +SUBDIRS = include src utils man_MANS = #nfnetlink_conntrack.3 nfnetlink_conntrack.7 diff --git a/configure.in b/configure.in index 12981db..bcaac42 100644 --- a/configure.in +++ b/configure.in @@ -70,5 +70,5 @@ LIBNFCONNTRACK_LIBS="$LIBNFNETLINK_LIBS" AC_SUBST(LIBNFCONNTRACK_LIBS) dnl Output the makefile -AC_OUTPUT(Makefile src/Makefile include/Makefile utils/Makefile include/libnetfilter_conntrack/Makefile l3extensions/Makefile extensions/Makefile src/conntrack/Makefile src/expect/Makefile libnetfilter_conntrack.pc) +AC_OUTPUT(Makefile src/Makefile include/Makefile utils/Makefile include/libnetfilter_conntrack/Makefile src/conntrack/Makefile src/expect/Makefile src/deprecated/Makefile src/deprecated/l3extensions/Makefile src/deprecated/extensions/Makefile libnetfilter_conntrack.pc) diff --git a/extensions/Makefile.am b/extensions/Makefile.am deleted file mode 100644 index 5251581..0000000 --- a/extensions/Makefile.am +++ /dev/null 
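Review bot: The configure.in hunk adds `src/deprecated/Makefile` to AC_OUTPUT (and src/Makefile.am adds `deprecated` to SUBDIRS), yet the diffstat at the top of this patch creates no `src/deprecated/Makefile.am`; unless that file already exists in the tree, `automake` will stop on the missing Makefile.am and the recursive build never reaches the two new subdirectories whose convenience libraries src/Makefile links. It needs at least `SUBDIRS = l3extensions extensions` so both are built before `libnetfilter_conntrack.la` is linked. If the file is meant to come in a follow-up commit, the message should say so, since this commit alone does not configure.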
@@ -1,25 +0,0 @@ -include $(top_srcdir)/Make_global.am - -AUTOMAKE_OPTIONS = no-dependencies foreign - -AM_CFLAGS=-fPIC -Wall -LIBS= - -pkglib_LTLIBRARIES = nfct_proto_tcp.la nfct_proto_udp.la \ - nfct_proto_icmp.la nfct_proto_sctp.la - -nfct_proto_tcp_la_SOURCES = libnetfilter_conntrack_tcp.c -nfct_proto_tcp_la_LDFLAGS = -module -avoid-version -release $(VERSION) -nfct_proto_tcp_la_LIBADD = ../src/libnetfilter_conntrack.la - -nfct_proto_udp_la_SOURCES = libnetfilter_conntrack_udp.c -nfct_proto_udp_la_LDFLAGS = -module -avoid-version -release $(VERSION) -nfct_proto_udp_la_LIBADD = ../src/libnetfilter_conntrack.la - -nfct_proto_icmp_la_SOURCES = libnetfilter_conntrack_icmp.c -nfct_proto_icmp_la_LDFLAGS = -module -avoid-version -release $(VERSION) -nfct_proto_icmp_la_LIBADD = ../src/libnetfilter_conntrack.la - -nfct_proto_sctp_la_SOURCES = libnetfilter_conntrack_sctp.c -nfct_proto_sctp_la_LDFLAGS = -module -avoid-version -release $(VERSION) -nfct_proto_sctp_la_LIBADD = ../src/libnetfilter_conntrack.la diff --git a/extensions/libnetfilter_conntrack_icmp.c b/extensions/libnetfilter_conntrack_icmp.c deleted file mode 100644 index 72a7eb0..0000000 --- a/extensions/libnetfilter_conntrack_icmp.c +++ /dev/null 
@@ -1,90 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include -#include - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_ICMP_TYPE-1]) - tuple->l4dst.icmp.type = - *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_TYPE-1]); - - if (cda[CTA_PROTO_ICMP_CODE-1]) - tuple->l4dst.icmp.code = - *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_CODE-1]); - - if (cda[CTA_PROTO_ICMP_ID-1]) - tuple->l4src.icmp.id = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_ICMP_ID-1]); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_CODE, - &t->l4dst.icmp.code, sizeof(u_int8_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_TYPE, - &t->l4dst.icmp.type, sizeof(u_int8_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_ID, - &t->l4src.icmp.id, sizeof(u_int16_t)); -} - -static int print_proto(char *buf, struct nfct_tuple *t) -{ - /* The ID only makes sense some ICMP messages but we want to - * display the same output that /proc/net/ip_conntrack does */ - return (sprintf(buf, "type=%d code=%d id=%d ",t->l4dst.icmp.type, - t->l4dst.icmp.code, - ntohs(t->l4src.icmp.id))); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & ICMP_TYPE) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type) - return 0; - if (flags & ICMP_CODE) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.code != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.code) - return 0; - if (flags & ICMP_ID) - if 
(ct1->tuple[NFCT_DIR_REPLY].l4src.icmp.id != - ct2->tuple[NFCT_DIR_REPLY].l4src.icmp.id) - return 0; - - return 1; -} - -static struct nfct_proto icmp = { - .name = "icmp", - .protonum = IPPROTO_ICMP, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; - -static void __attribute__ ((constructor)) init(void); - -static void init(void) -{ - nfct_register_proto(&icmp); -} diff --git a/extensions/libnetfilter_conntrack_sctp.c b/extensions/libnetfilter_conntrack_sctp.c deleted file mode 100644 index 3785c2e..0000000 --- a/extensions/libnetfilter_conntrack_sctp.c +++ /dev/null 
@@ -1,100 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include -#include - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_SRC_PORT-1]) - tuple->l4src.sctp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); - if (cda[CTA_PROTO_DST_PORT-1]) - tuple->l4dst.sctp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); -} - -static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct) -{ -/* if (cda[CTA_PROTOINFO_SCTP_STATE-1]) - ct->protoinfo.sctp.state = - *(u_int8_t *)NFA_DATA(cda[CTA_PROTOINFO_SCTP_STATE-1]); -*/ -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, - &t->l4src.sctp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, - &t->l4dst.sctp.port, sizeof(u_int16_t)); -} - -static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo) -{ -/* fprintf(stdout, "%s ", states[protoinfo->sctp.state]); */ - return 0; -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.sctp.port), - htons(tuple->l4dst.sctp.port))); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & SCTP_ORIG_SPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port) - return 0; - if (flags & SCTP_ORIG_DPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.sctp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.sctp.port) - return 0; - if (flags & 
SCTP_REPL_SPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.sctp.port != - ct2->tuple[NFCT_DIR_REPLY].l4src.sctp.port) - return 0; - if (flags & SCTP_REPL_DPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4dst.sctp.port != - ct2->tuple[NFCT_DIR_REPLY].l4dst.sctp.port) - return 0; - - return 1; -} - -static struct nfct_proto sctp = { - .name = "sctp", - .protonum = IPPROTO_SCTP, - .parse_proto = parse_proto, - .parse_protoinfo = parse_protoinfo, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .print_protoinfo = print_protoinfo, - .compare = compare, - .version = VERSION -}; - -static void __attribute__ ((constructor)) init(void); - -static void init(void) -{ - nfct_register_proto(&sctp); -} diff --git a/extensions/libnetfilter_conntrack_tcp.c b/extensions/libnetfilter_conntrack_tcp.c deleted file mode 100644 index 9efdbb7..0000000 --- a/extensions/libnetfilter_conntrack_tcp.c +++ /dev/null 
@@ -1,142 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include -#include - -static const char *states[] = { - "NONE", - "SYN_SENT", - "SYN_RECV", - "ESTABLISHED", - "FIN_WAIT", - "CLOSE_WAIT", - "LAST_ACK", - "TIME_WAIT", - "CLOSE", - "LISTEN" -}; - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_SRC_PORT-1]) - tuple->l4src.tcp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); - if (cda[CTA_PROTO_DST_PORT-1]) - tuple->l4dst.tcp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); -} - -static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct) -{ - struct nfattr *tb[CTA_PROTOINFO_TCP_MAX]; - - /* - * Listen to me carefully: This is easy to trigger with events ;). - * The conntrack event messages don't always contain all the - * information about a conntrack, just those fields that have changed. - * So you can receive a message about a TCP connection with no bits - * talking about the private protocol information. 
- * - * --pablo 05/10/31 - */ - if (!cda[CTA_PROTOINFO_TCP-1]) - return; - - nfnl_parse_nested(tb,CTA_PROTOINFO_TCP_MAX, cda[CTA_PROTOINFO_TCP-1]); - - if (tb[CTA_PROTOINFO_TCP_STATE-1]) - ct->protoinfo.tcp.state = - *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, - &t->l4src.tcp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, - &t->l4dst.tcp.port, sizeof(u_int16_t)); -} - -static void build_protoinfo(struct nfnlhdr *req, int size, - struct nfct_conntrack *ct) -{ - struct nfattr *nest_proto; - - nest_proto = nfnl_nest(&req->nlh, size, CTA_PROTOINFO_TCP); - nfnl_addattr_l(&req->nlh, size, CTA_PROTOINFO_TCP_STATE, - &ct->protoinfo.tcp.state, sizeof(u_int8_t)); - nfnl_nest_end(&req->nlh, nest_proto); -} - -static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo) -{ - return(sprintf(buf, "%s ", states[protoinfo->tcp.state])); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.tcp.port), - htons(tuple->l4dst.tcp.port))); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & TCP_ORIG_SPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port) - return 0; - if (flags & TCP_ORIG_DPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.tcp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.tcp.port) - return 0; - if (flags & TCP_REPL_SPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.tcp.port != - ct2->tuple[NFCT_DIR_REPLY].l4src.tcp.port) - return 0; - if (flags & TCP_REPL_DPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4dst.tcp.port != - ct2->tuple[NFCT_DIR_REPLY].l4dst.tcp.port) - return 0; - if (flags & TCP_STATE) - if (ct1->protoinfo.tcp.state != ct2->protoinfo.tcp.state) - return 0; - - return 1; -} - 
-static struct nfct_proto tcp = { - .name = "tcp", - .protonum = IPPROTO_TCP, - .parse_protoinfo = parse_protoinfo, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .build_protoinfo = build_protoinfo, - .print_protoinfo = print_protoinfo, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; - -static void __attribute__ ((constructor)) init(void); - -static void init(void) -{ - nfct_register_proto(&tcp); -} diff --git a/extensions/libnetfilter_conntrack_udp.c b/extensions/libnetfilter_conntrack_udp.c deleted file mode 100644 index c1d20c3..0000000 --- a/extensions/libnetfilter_conntrack_udp.c +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include -#include - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_SRC_PORT-1]) - tuple->l4src.udp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); - if (cda[CTA_PROTO_DST_PORT-1]) - tuple->l4dst.udp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - return (sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.udp.port), - htons(tuple->l4dst.udp.port))); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, - &t->l4src.udp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, - &t->l4dst.udp.port, sizeof(u_int16_t)); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & UDP_ORIG_SPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port) - return 0; - if (flags & UDP_ORIG_DPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.udp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.udp.port) - return 0; - if (flags & UDP_REPL_SPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.udp.port != - ct2->tuple[NFCT_DIR_REPLY].l4src.udp.port) - return 0; - if (flags & UDP_REPL_DPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4dst.udp.port != - ct2->tuple[NFCT_DIR_REPLY].l4dst.udp.port) - return 0; - - return 1; -} - -static struct nfct_proto udp = { - .name = "udp", - .protonum = IPPROTO_UDP, - .build_tuple_proto = 
build_tuple_proto, - .parse_proto = parse_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION, -}; - -static void __attribute__ ((constructor)) init(void); - -static void init(void) -{ - nfct_register_proto(&udp); -} diff --git a/l3extensions/Makefile.am b/l3extensions/Makefile.am deleted file mode 100644 index fa21b2d..0000000 --- a/l3extensions/Makefile.am +++ /dev/null @@ -1,16 +0,0 @@ -include $(top_srcdir)/Make_global.am - -AUTOMAKE_OPTIONS = no-dependencies foreign - -AM_CFLAGS=-fPIC -Wall -LIBS= - -pkglib_LTLIBRARIES = nfct_l3proto_ipv4.la nfct_l3proto_ipv6.la - -nfct_l3proto_ipv4_la_SOURCES = libnetfilter_conntrack_ipv4.c -nfct_l3proto_ipv4_la_LDFLAGS = -module -avoid-version -release $(VERSION) -nfct_l3proto_ipv4_la_LIBADD = ../src/libnetfilter_conntrack.la - -nfct_l3proto_ipv6_la_SOURCES = libnetfilter_conntrack_ipv6.c -nfct_l3proto_ipv6_la_LDFLAGS = -module -avoid-version -release $(VERSION) -nfct_l3proto_ipv6_la_LIBADD = ../src/libnetfilter_conntrack.la diff --git a/l3extensions/libnetfilter_conntrack_ipv4.c b/l3extensions/libnetfilter_conntrack_ipv4.c deleted file mode 100644 index 727ea01..0000000 --- a/l3extensions/libnetfilter_conntrack_ipv4.c +++ /dev/null 
@@ -1,94 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ -#include -#include -#include /* For htons */ -#include -#include -#include -#include - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_IP_V4_SRC-1]) - tuple->src.v4 = *(u_int32_t *)NFA_DATA(cda[CTA_IP_V4_SRC-1]); - - if (cda[CTA_IP_V4_DST-1]) - tuple->dst.v4 = *(u_int32_t *)NFA_DATA(cda[CTA_IP_V4_DST-1]); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_IP_V4_SRC, &t->src.v4, - sizeof(u_int32_t)); - nfnl_addattr_l(&req->nlh, size, CTA_IP_V4_DST, &t->dst.v4, - sizeof(u_int32_t)); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - struct in_addr src = { .s_addr = tuple->src.v4 }; - struct in_addr dst = { .s_addr = tuple->dst.v4 }; - int size; - - size = sprintf(buf, "src=%s ", inet_ntoa(src)); - size += sprintf(buf+size, "dst=%s ", inet_ntoa(dst)); - - return size; -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & IPV4_ORIG) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum != - ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum) - return 0; - if (flags & IPV4_REPL) - if (ct1->tuple[NFCT_DIR_REPLY].l3protonum != - ct2->tuple[NFCT_DIR_REPLY].l3protonum) - return 0; - if (flags & IPV4_ORIG_SRC) - if (ct1->tuple[NFCT_DIR_ORIGINAL].src.v4 != - ct2->tuple[NFCT_DIR_ORIGINAL].src.v4) - return 0; - if (flags & IPV4_ORIG_DST) - if (ct1->tuple[NFCT_DIR_ORIGINAL].dst.v4 != - ct2->tuple[NFCT_DIR_ORIGINAL].dst.v4) - return 0; - if (flags & IPV4_REPL_SRC) - if (ct1->tuple[NFCT_DIR_REPLY].src.v4 != - ct2->tuple[NFCT_DIR_REPLY].src.v4) - return 0; - if (flags & 
IPV4_REPL_DST) - if (ct1->tuple[NFCT_DIR_REPLY].dst.v4 != - ct2->tuple[NFCT_DIR_REPLY].dst.v4) - return 0; - - return 1; -} - -static struct nfct_l3proto ipv4 = { - .name = "ipv4", - .protonum = AF_INET, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; - -static void __attribute__ ((constructor)) init(void); - -static void init(void) -{ - nfct_register_l3proto(&ipv4); -} diff --git a/l3extensions/libnetfilter_conntrack_ipv6.c b/l3extensions/libnetfilter_conntrack_ipv6.c deleted file mode 100644 index b0c7a3f..0000000 --- a/l3extensions/libnetfilter_conntrack_ipv6.c +++ /dev/null 
@@ -1,115 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include -#include -#include - -#ifndef HAVE_INET_NTOP_IPV6 -#warning "inet_ntop does not support IPv6" -#endif - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_IP_V6_SRC-1]) - memcpy(tuple->src.v6, NFA_DATA(cda[CTA_IP_V6_SRC-1]), - sizeof(u_int32_t)*4); - - if (cda[CTA_IP_V6_DST-1]) - memcpy(tuple->dst.v6, NFA_DATA(cda[CTA_IP_V6_DST-1]), - sizeof(u_int32_t)*4); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_IP_V6_SRC, &t->src.v6, - sizeof(u_int32_t)*4); - nfnl_addattr_l(&req->nlh, size, CTA_IP_V6_DST, &t->dst.v6, - sizeof(u_int32_t)*4); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - struct in6_addr src; - struct in6_addr dst; - char tmp[INET6_ADDRSTRLEN]; - int size; - - memcpy(&src.in6_u, tuple->src.v6, sizeof(struct in6_addr)); - memcpy(&dst.in6_u, tuple->dst.v6, sizeof(struct in6_addr)); - - if (!inet_ntop(AF_INET6, &src, tmp, sizeof(tmp))) - return 0; - size = sprintf(buf, "src=%s ", tmp); - if (!inet_ntop(AF_INET6, &dst, tmp, sizeof(tmp))) - return 0; - size += sprintf(buf + size, "dst=%s ", tmp); - - return size; -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & IPV6_ORIG) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum != - ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum) - return 0; - if (flags & IPV6_REPL) - if (ct1->tuple[NFCT_DIR_REPLY].l3protonum != - ct2->tuple[NFCT_DIR_REPLY].l3protonum) - return 0; - if (flags & IPV6_ORIG_SRC) - if 
(memcmp(ct1->tuple[NFCT_DIR_ORIGINAL].src.v6, - ct2->tuple[NFCT_DIR_ORIGINAL].src.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - if (flags & IPV6_ORIG_DST) - if (memcmp(ct1->tuple[NFCT_DIR_ORIGINAL].dst.v6, - ct2->tuple[NFCT_DIR_ORIGINAL].dst.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - if (flags & IPV6_REPL_SRC) - if (memcmp(ct1->tuple[NFCT_DIR_REPLY].src.v6, - ct2->tuple[NFCT_DIR_REPLY].src.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - if (flags & IPV6_REPL_DST) - if (memcmp(ct1->tuple[NFCT_DIR_REPLY].dst.v6, - ct2->tuple[NFCT_DIR_REPLY].dst.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - - return 1; -} - -static struct nfct_l3proto ipv6 = { - .name = "ipv6", - .protonum = AF_INET6, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; - -static void __attribute__ ((constructor)) init(void); - -static void init(void) -{ - nfct_register_l3proto(&ipv6); -} diff --git a/src/Makefile.am b/src/Makefile.am index d40277e..e7d1e38 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -4,7 +4,7 @@ include $(top_srcdir)/Make_global.am #EXTRA_DIST = $(man_MANS) acinclude.m4 -SUBDIRS=conntrack expect +SUBDIRS=conntrack expect deprecated AM_CFLAGS = -fPIC -Wall LIBS = @LIBNFCONNTRACK_LIBS@ 
@@ -12,7 +12,14 @@ LIBS = @LIBNFCONNTRACK_LIBS@ lib_LTLIBRARIES = libnetfilter_conntrack.la libnetfilter_conntrack_la_LIBADD = conntrack/libnfconntrack.la \ - expect/libnfexpect.la + expect/libnfexpect.la \ + # deprecated extensions: scheduled to be removed + deprecated/l3extensions/libnfct_l3proto_ipv4.la \ + deprecated/l3extensions/libnfct_l3proto_ipv6.la \ + deprecated/extensions/libnfct_proto_tcp.la \ + deprecated/extensions/libnfct_proto_udp.la \ + deprecated/extensions/libnfct_proto_icmp.la \ + deprecated/extensions/libnfct_proto_sctp.la libnetfilter_conntrack_la_LDFLAGS = -Wc,-nostartfiles -lnfnetlink -ldl \ -version-info $(LIBVERSION) libnetfilter_conntrack_la_SOURCES = main.c deprecated.c diff --git a/src/deprecated/extensions/Makefile.am b/src/deprecated/extensions/Makefile.am new file mode 100644 index 0000000..e44525b --- /dev/null +++ b/src/deprecated/extensions/Makefile.am @@ -0,0 +1,14 @@ +include $(top_srcdir)/Make_global.am + +AUTOMAKE_OPTIONS = no-dependencies foreign + +AM_CFLAGS=-fPIC -Wall +LIBS= @LIBNFCONNTRACK_LIBS@ + +noinst_LTLIBRARIES = libnfct_proto_tcp.la libnfct_proto_udp.la \ + libnfct_proto_icmp.la libnfct_proto_sctp.la + +libnfct_proto_tcp_la_SOURCES = libnetfilter_conntrack_tcp.c +libnfct_proto_udp_la_SOURCES = libnetfilter_conntrack_udp.c +libnfct_proto_icmp_la_SOURCES = libnetfilter_conntrack_icmp.c +libnfct_proto_sctp_la_SOURCES = libnetfilter_conntrack_sctp.c diff --git a/src/deprecated/extensions/libnetfilter_conntrack_icmp.c b/src/deprecated/extensions/libnetfilter_conntrack_icmp.c new file mode 100644 index 0000000..72a7eb0 --- /dev/null +++ b/src/deprecated/extensions/libnetfilter_conntrack_icmp.c 
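Review bot: The `# deprecated extensions: scheduled to be removed` line sits inside the backslash-continued `libnetfilter_conntrack_la_LIBADD` assignment, and automake rejects that form (it reports `comment following trailing backslash`); were the text ever read by GNU make as written, the comment would extend to the end of the joined logical line and silently drop all six `deprecated/...la` entries, so the old-API protocol handlers would never be linked in at all. Move the comment to the line before `libnetfilter_conntrack_la_LIBADD = conntrack/libnfconntrack.la \` and keep the continuation lines contiguous. Separately, `-ldl` is still in `libnetfilter_conntrack_la_LDFLAGS`; if main.c or deprecated.c (outside this hunk) still dlopen()s handlers from `$(pkglibdir)`, previously installed `nfct_proto_*.so`/`nfct_l3proto_*.so` files left behind on an upgraded system would be loaded next to the now built-in copies and register duplicate protocols, so that loader path should go away in the same change or the install step should clean the stale directory.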
@@ -0,0 +1,90 @@ +/* + * (C) 2005 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + */ +#include +#include +#include +#include +#include /* For htons */ +#include +#include +#include +#include + +static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) +{ + if (cda[CTA_PROTO_ICMP_TYPE-1]) + tuple->l4dst.icmp.type = + *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_TYPE-1]); + + if (cda[CTA_PROTO_ICMP_CODE-1]) + tuple->l4dst.icmp.code = + *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_CODE-1]); + + if (cda[CTA_PROTO_ICMP_ID-1]) + tuple->l4src.icmp.id = + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_ICMP_ID-1]); +} + +static void build_tuple_proto(struct nfnlhdr *req, int size, + struct nfct_tuple *t) +{ + nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_CODE, + &t->l4dst.icmp.code, sizeof(u_int8_t)); + nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_TYPE, + &t->l4dst.icmp.type, sizeof(u_int8_t)); + nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_ID, + &t->l4src.icmp.id, sizeof(u_int16_t)); +} + +static int print_proto(char *buf, struct nfct_tuple *t) +{ + /* The ID only makes sense some ICMP messages but we want to + * display the same output that /proc/net/ip_conntrack does */ + return (sprintf(buf, "type=%d code=%d id=%d ",t->l4dst.icmp.type, + t->l4dst.icmp.code, + ntohs(t->l4src.icmp.id))); +} + +static int compare(struct nfct_conntrack *ct1, + struct nfct_conntrack *ct2, + unsigned int flags) +{ + if (flags & ICMP_TYPE) + if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type != + ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type) + return 0; + if (flags & ICMP_CODE) + if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.code != + ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.code) + return 0; + if (flags & ICMP_ID) + if 
(ct1->tuple[NFCT_DIR_REPLY].l4src.icmp.id != + ct2->tuple[NFCT_DIR_REPLY].l4src.icmp.id) + return 0; + + return 1; +} + +static struct nfct_proto icmp = { + .name = "icmp", + .protonum = IPPROTO_ICMP, + .parse_proto = parse_proto, + .build_tuple_proto = build_tuple_proto, + .print_proto = print_proto, + .compare = compare, + .version = VERSION +}; + +static void __attribute__ ((constructor)) init(void); + +static void init(void) +{ + nfct_register_proto(&icmp); +} diff --git a/src/deprecated/extensions/libnetfilter_conntrack_sctp.c b/src/deprecated/extensions/libnetfilter_conntrack_sctp.c new file mode 100644 index 0000000..3785c2e --- /dev/null +++ b/src/deprecated/extensions/libnetfilter_conntrack_sctp.c 
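Review bot: `parse_proto` dereferences `*(u_int16_t *)NFA_DATA(cda[CTA_PROTO_ICMP_ID-1])` (and the one-byte type/code attributes) without checking the attribute length, so a short attribute is read past its payload; the messages come from the kernel over nfnetlink, so this is defensive rather than a live hole, but this file is moved unchanged (same blob 72a7eb0) from an optional plugin into libnetfilter_conntrack itself, so the parser now runs in every consumer of the library. Guard each read with the payload size, e.g. `if (cda[CTA_PROTO_ICMP_ID-1] && NFA_PAYLOAD(cda[CTA_PROTO_ICMP_ID-1]) >= sizeof(u_int16_t))`. `print_proto` also writes into the caller's `buf` with an unbounded `sprintf`; the format keeps the output under 32 bytes because type/code are 8-bit and id is 16-bit, but that assumption is nowhere stated, so a comment such as `/* writes at most 27 bytes + NUL: type/code are 8-bit, id is 16-bit */` would help whoever sizes the buffer.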
@@ -0,0 +1,100 @@ +/* + * (C) 2005 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + */ +#include +#include +#include +#include +#include /* For htons */ +#include +#include +#include +#include + +static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) +{ + if (cda[CTA_PROTO_SRC_PORT-1]) + tuple->l4src.sctp.port = + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); + if (cda[CTA_PROTO_DST_PORT-1]) + tuple->l4dst.sctp.port = + *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); +} + +static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct) +{ +/* if (cda[CTA_PROTOINFO_SCTP_STATE-1]) + ct->protoinfo.sctp.state = + *(u_int8_t *)NFA_DATA(cda[CTA_PROTOINFO_SCTP_STATE-1]); +*/ +} + +static void build_tuple_proto(struct nfnlhdr *req, int size, + struct nfct_tuple *t) +{ + nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, + &t->l4src.sctp.port, sizeof(u_int16_t)); + nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, + &t->l4dst.sctp.port, sizeof(u_int16_t)); +} + +static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo) +{ +/* fprintf(stdout, "%s ", states[protoinfo->sctp.state]); */ + return 0; +} + +static int print_proto(char *buf, struct nfct_tuple *tuple) +{ + return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.sctp.port), + htons(tuple->l4dst.sctp.port))); +} + +static int compare(struct nfct_conntrack *ct1, + struct nfct_conntrack *ct2, + unsigned int flags) +{ + if (flags & SCTP_ORIG_SPORT) + if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port != + ct2->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port) + return 0; + if (flags & SCTP_ORIG_DPORT) + if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.sctp.port != + ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.sctp.port) + return 0; + if (flags & 
SCTP_REPL_SPORT) + if (ct1->tuple[NFCT_DIR_REPLY].l4src.sctp.port != + ct2->tuple[NFCT_DIR_REPLY].l4src.sctp.port) + return 0; + if (flags & SCTP_REPL_DPORT) + if (ct1->tuple[NFCT_DIR_REPLY].l4dst.sctp.port != + ct2->tuple[NFCT_DIR_REPLY].l4dst.sctp.port) + return 0; + + return 1; +} + +static struct nfct_proto sctp = { + .name = "sctp", + .protonum = IPPROTO_SCTP, + .parse_proto = parse_proto, + .parse_protoinfo = parse_protoinfo, + .build_tuple_proto = build_tuple_proto, + .print_proto = print_proto, + .print_protoinfo = print_protoinfo, + .compare = compare, + .version = VERSION +}; + +static void __attribute__ ((constructor)) init(void); + +static void init(void) +{ + nfct_register_proto(&sctp); +} diff --git a/src/deprecated/extensions/libnetfilter_conntrack_tcp.c b/src/deprecated/extensions/libnetfilter_conntrack_tcp.c new file mode 100644 index 0000000..9efdbb7 --- /dev/null +++ b/src/deprecated/extensions/libnetfilter_conntrack_tcp.c 
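Review bot: `parse_protoinfo` and `print_protoinfo` are registered in `struct nfct_proto sctp` but both bodies are commented out, so the core invokes two no-ops for every SCTP entry while a reader of the struct assumes protocol state is handled; either remove the commented-out code and leave those two callbacks unset (if the core tolerates NULL callbacks, which this hunk does not show) or keep the stubs with a one-line comment saying SCTP state is intentionally not parsed. `print_proto` converts the wire-order ports with `htons()`, which yields the right bytes only because the swap is its own inverse; `ntohs()` states the intent: `return(sprintf(buf, "sport=%u dport=%u ", ntohs(tuple->l4src.sctp.port), ntohs(tuple->l4dst.sctp.port)));`. The two port reads in `parse_proto` also dereference `NFA_DATA()` as `u_int16_t` without comparing `NFA_PAYLOAD()` against `sizeof(u_int16_t)`; the file is moved unchanged from the old plugin (blob 3785c2e), but it is now compiled into the core library, so the check is worth adding.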
@@ -0,0 +1,142 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+#include
+#include
+#include
+#include
+#include /* For htons */
+#include
+#include
+#include
+#include
+
+static const char *states[] = {
+ "NONE",
+ "SYN_SENT",
+ "SYN_RECV",
+ "ESTABLISHED",
+ "FIN_WAIT",
+ "CLOSE_WAIT",
+ "LAST_ACK",
+ "TIME_WAIT",
+ "CLOSE",
+ "LISTEN"
+};
+
+static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
+{
+ if (cda[CTA_PROTO_SRC_PORT-1])
+ tuple->l4src.tcp.port =
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]);
+ if (cda[CTA_PROTO_DST_PORT-1])
+ tuple->l4dst.tcp.port =
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]);
+}
+
+static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct)
+{
+ struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
+
+ /*
+ * Listen to me carefully: This is easy to trigger with events ;).
+ * The conntrack event messages don't always contain all the
+ * information about a conntrack, just those fields that have changed.
+ * So you can receive a message about a TCP connection with no bits
+ * talking about the private protocol information. 
+ *
+ * --pablo 05/10/31
+ */
+ if (!cda[CTA_PROTOINFO_TCP-1])
+ return;
+
+ nfnl_parse_nested(tb,CTA_PROTOINFO_TCP_MAX, cda[CTA_PROTOINFO_TCP-1]);
+
+ if (tb[CTA_PROTOINFO_TCP_STATE-1])
+ ct->protoinfo.tcp.state =
+ *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
+}
+
+static void build_tuple_proto(struct nfnlhdr *req, int size,
+ struct nfct_tuple *t)
+{
+ nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT,
+ &t->l4src.tcp.port, sizeof(u_int16_t));
+ nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT,
+ &t->l4dst.tcp.port, sizeof(u_int16_t));
+}
+
+static void build_protoinfo(struct nfnlhdr *req, int size,
+ struct nfct_conntrack *ct)
+{
+ struct nfattr *nest_proto;
+
+ nest_proto = nfnl_nest(&req->nlh, size, CTA_PROTOINFO_TCP);
+ nfnl_addattr_l(&req->nlh, size, CTA_PROTOINFO_TCP_STATE,
+ &ct->protoinfo.tcp.state, sizeof(u_int8_t));
+ nfnl_nest_end(&req->nlh, nest_proto);
+}
+
+static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo)
+{
+ return(sprintf(buf, "%s ", states[protoinfo->tcp.state]));
+}
+
+static int print_proto(char *buf, struct nfct_tuple *tuple)
+{
+ return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.tcp.port),
+ htons(tuple->l4dst.tcp.port)));
+}
+
+static int compare(struct nfct_conntrack *ct1,
+ struct nfct_conntrack *ct2,
+ unsigned int flags)
+{
+ if (flags & TCP_ORIG_SPORT)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port)
+ return 0;
+ if (flags & TCP_ORIG_DPORT)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.tcp.port !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.tcp.port)
+ return 0;
+ if (flags & TCP_REPL_SPORT)
+ if (ct1->tuple[NFCT_DIR_REPLY].l4src.tcp.port !=
+ ct2->tuple[NFCT_DIR_REPLY].l4src.tcp.port)
+ return 0;
+ if (flags & TCP_REPL_DPORT)
+ if (ct1->tuple[NFCT_DIR_REPLY].l4dst.tcp.port !=
+ ct2->tuple[NFCT_DIR_REPLY].l4dst.tcp.port)
+ return 0;
+ if (flags & TCP_STATE)
+ if (ct1->protoinfo.tcp.state != ct2->protoinfo.tcp.state)
+ return 0;
+
+ return 1;
+}
+
+static struct nfct_proto tcp = {
+ .name = "tcp",
+ .protonum = IPPROTO_TCP,
+ .parse_protoinfo = parse_protoinfo,
+ .parse_proto = parse_proto,
+ .build_tuple_proto = build_tuple_proto,
+ .build_protoinfo = build_protoinfo,
+ .print_protoinfo = print_protoinfo,
+ .print_proto = print_proto,
+ .compare = compare,
+ .version = VERSION
+};
+
+static void __attribute__ ((constructor)) init(void);
+
+static void init(void)
+{
+ nfct_register_proto(&tcp);
+}
diff --git a/src/deprecated/extensions/libnetfilter_conntrack_udp.c b/src/deprecated/extensions/libnetfilter_conntrack_udp.c
new file mode 100644
index 0000000..c1d20c3
--- /dev/null
+++ b/src/deprecated/extensions/libnetfilter_conntrack_udp.c
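Review bot: `print_protoinfo` indexes `states[protoinfo->tcp.state]` with a `u_int8_t` that `parse_protoinfo` copies straight out of the `CTA_PROTOINFO_TCP_STATE` attribute, but `states` has only 10 entries, so any state value of 10 or more reads a pointer from past the end of the table and hands it to `sprintf`. Bound the index before use: `if (protoinfo->tcp.state >= sizeof(states)/sizeof(states[0])) return sprintf(buf, "UNKNOWN ");`. The `compare` and `print_proto` callbacks do not consult the table, so this is the only place the check is needed.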
@@ -0,0 +1,84 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+#include
+#include
+#include
+#include
+#include /* For htons */
+#include
+#include
+#include
+#include
+
+static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
+{
+ if (cda[CTA_PROTO_SRC_PORT-1])
+ tuple->l4src.udp.port =
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]);
+ if (cda[CTA_PROTO_DST_PORT-1])
+ tuple->l4dst.udp.port =
+ *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]);
+}
+
+static int print_proto(char *buf, struct nfct_tuple *tuple)
+{
+ return (sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.udp.port),
+ htons(tuple->l4dst.udp.port)));
+}
+
+static void build_tuple_proto(struct nfnlhdr *req, int size,
+ struct nfct_tuple *t)
+{
+ nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT,
+ &t->l4src.udp.port, sizeof(u_int16_t));
+ nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT,
+ &t->l4dst.udp.port, sizeof(u_int16_t));
+}
+
+static int compare(struct nfct_conntrack *ct1,
+ struct nfct_conntrack *ct2,
+ unsigned int flags)
+{
+ if (flags & UDP_ORIG_SPORT)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port)
+ return 0;
+ if (flags & UDP_ORIG_DPORT)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.udp.port !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.udp.port)
+ return 0;
+ if (flags & UDP_REPL_SPORT)
+ if (ct1->tuple[NFCT_DIR_REPLY].l4src.udp.port !=
+ ct2->tuple[NFCT_DIR_REPLY].l4src.udp.port)
+ return 0;
+ if (flags & UDP_REPL_DPORT)
+ if (ct1->tuple[NFCT_DIR_REPLY].l4dst.udp.port !=
+ ct2->tuple[NFCT_DIR_REPLY].l4dst.udp.port)
+ return 0;
+
+ return 1;
+}
+
+static struct nfct_proto udp = {
+ .name = "udp",
+ .protonum = IPPROTO_UDP,
+ .build_tuple_proto = 
build_tuple_proto,
+ .parse_proto = parse_proto,
+ .print_proto = print_proto,
+ .compare = compare,
+ .version = VERSION,
+};
+
+static void __attribute__ ((constructor)) init(void);
+
+static void init(void)
+{
+ nfct_register_proto(&udp);
+}
diff --git a/src/deprecated/l3extensions/Makefile.am b/src/deprecated/l3extensions/Makefile.am
new file mode 100644
index 0000000..f8cb0a2
--- /dev/null
+++ b/src/deprecated/l3extensions/Makefile.am
@@ -0,0 +1,9 @@
+include $(top_srcdir)/Make_global.am
+
+AM_CFLAGS=-fPIC -Wall
+LIBS = @LIBNFCONNTRACK_LIBS@
+
+noinst_LTLIBRARIES = libnfct_l3proto_ipv4.la libnfct_l3proto_ipv6.la
+
+libnfct_l3proto_ipv4_la_SOURCES = libnetfilter_conntrack_ipv4.c
+libnfct_l3proto_ipv6_la_SOURCES = libnetfilter_conntrack_ipv6.c
diff --git a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c
new file mode 100644
index 0000000..727ea01
--- /dev/null
+++ b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c
@@ -0,0 +1,94 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+#include
+#include
+#include /* For htons */
+#include
+#include
+#include
+#include
+
+static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
+{
+ if (cda[CTA_IP_V4_SRC-1])
+ tuple->src.v4 = *(u_int32_t *)NFA_DATA(cda[CTA_IP_V4_SRC-1]);
+
+ if (cda[CTA_IP_V4_DST-1])
+ tuple->dst.v4 = *(u_int32_t *)NFA_DATA(cda[CTA_IP_V4_DST-1]);
+}
+
+static void build_tuple_proto(struct nfnlhdr *req, int size,
+ struct nfct_tuple *t)
+{
+ nfnl_addattr_l(&req->nlh, size, CTA_IP_V4_SRC, &t->src.v4,
+ sizeof(u_int32_t));
+ nfnl_addattr_l(&req->nlh, size, CTA_IP_V4_DST, &t->dst.v4,
+ sizeof(u_int32_t));
+}
+
+static int print_proto(char *buf, struct nfct_tuple *tuple)
+{
+ struct in_addr src = { .s_addr = tuple->src.v4 };
+ struct in_addr dst = { .s_addr = tuple->dst.v4 };
+ int size;
+
+ size = sprintf(buf, "src=%s ", inet_ntoa(src));
+ size += sprintf(buf+size, "dst=%s ", inet_ntoa(dst));
+
+ return size;
+}
+
+static int compare(struct nfct_conntrack *ct1,
+ struct nfct_conntrack *ct2,
+ unsigned int flags)
+{
+ if (flags & IPV4_ORIG)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum)
+ return 0;
+ if (flags & IPV4_REPL)
+ if (ct1->tuple[NFCT_DIR_REPLY].l3protonum !=
+ ct2->tuple[NFCT_DIR_REPLY].l3protonum)
+ return 0;
+ if (flags & IPV4_ORIG_SRC)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].src.v4 !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].src.v4)
+ return 0;
+ if (flags & IPV4_ORIG_DST)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].dst.v4 !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].dst.v4)
+ return 0;
+ if (flags & IPV4_REPL_SRC)
+ if (ct1->tuple[NFCT_DIR_REPLY].src.v4 !=
+ ct2->tuple[NFCT_DIR_REPLY].src.v4)
+ return 0;
+ if (flags & 
IPV4_REPL_DST)
+ if (ct1->tuple[NFCT_DIR_REPLY].dst.v4 !=
+ ct2->tuple[NFCT_DIR_REPLY].dst.v4)
+ return 0;
+
+ return 1;
+}
+
+static struct nfct_l3proto ipv4 = {
+ .name = "ipv4",
+ .protonum = AF_INET,
+ .parse_proto = parse_proto,
+ .build_tuple_proto = build_tuple_proto,
+ .print_proto = print_proto,
+ .compare = compare,
+ .version = VERSION
+};
+
+static void __attribute__ ((constructor)) init(void);
+
+static void init(void)
+{
+ nfct_register_l3proto(&ipv4);
+}
diff --git a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c
new file mode 100644
index 0000000..b0c7a3f
--- /dev/null
+++ b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c
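Review bot: `print_proto` formats both addresses through `inet_ntoa`, which returns a pointer to one static buffer and is therefore not re-entrant, while the ipv6 hunk already converts with `inet_ntop` into a local `tmp` and checks its result. For consistency and thread-safety, use `char tmp[INET_ADDRSTRLEN]; if (!inet_ntop(AF_INET, &src, tmp, sizeof(tmp))) return 0;` before each `sprintf`, mirroring the ipv6 version. The two back-to-back `inet_ntoa` calls are correct here only because each `sprintf` consumes the static buffer before the next call overwrites it, which deserves a comment if `inet_ntoa` is kept.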
@@ -0,0 +1,115 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+#include
+#include
+#include
+#include
+#include /* For htons */
+#include
+#include
+#include
+#include
+#include
+
+#ifndef HAVE_INET_NTOP_IPV6
+#warning "inet_ntop does not support IPv6"
+#endif
+
+static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple)
+{
+ if (cda[CTA_IP_V6_SRC-1])
+ memcpy(tuple->src.v6, NFA_DATA(cda[CTA_IP_V6_SRC-1]),
+ sizeof(u_int32_t)*4);
+
+ if (cda[CTA_IP_V6_DST-1])
+ memcpy(tuple->dst.v6, NFA_DATA(cda[CTA_IP_V6_DST-1]),
+ sizeof(u_int32_t)*4);
+}
+
+static void build_tuple_proto(struct nfnlhdr *req, int size,
+ struct nfct_tuple *t)
+{
+ nfnl_addattr_l(&req->nlh, size, CTA_IP_V6_SRC, &t->src.v6,
+ sizeof(u_int32_t)*4);
+ nfnl_addattr_l(&req->nlh, size, CTA_IP_V6_DST, &t->dst.v6,
+ sizeof(u_int32_t)*4);
+}
+
+static int print_proto(char *buf, struct nfct_tuple *tuple)
+{
+ struct in6_addr src;
+ struct in6_addr dst;
+ char tmp[INET6_ADDRSTRLEN];
+ int size;
+
+ memcpy(&src.in6_u, tuple->src.v6, sizeof(struct in6_addr));
+ memcpy(&dst.in6_u, tuple->dst.v6, sizeof(struct in6_addr));
+
+ if (!inet_ntop(AF_INET6, &src, tmp, sizeof(tmp)))
+ return 0;
+ size = sprintf(buf, "src=%s ", tmp);
+ if (!inet_ntop(AF_INET6, &dst, tmp, sizeof(tmp)))
+ return 0;
+ size += sprintf(buf + size, "dst=%s ", tmp);
+
+ return size;
+}
+
+static int compare(struct nfct_conntrack *ct1,
+ struct nfct_conntrack *ct2,
+ unsigned int flags)
+{
+ if (flags & IPV6_ORIG)
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum)
+ return 0;
+ if (flags & IPV6_REPL)
+ if (ct1->tuple[NFCT_DIR_REPLY].l3protonum !=
+ ct2->tuple[NFCT_DIR_REPLY].l3protonum)
+ return 0;
+ if (flags & IPV6_ORIG_SRC)
+ if 
(memcmp(ct1->tuple[NFCT_DIR_ORIGINAL].src.v6,
+ ct2->tuple[NFCT_DIR_ORIGINAL].src.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+ if (flags & IPV6_ORIG_DST)
+ if (memcmp(ct1->tuple[NFCT_DIR_ORIGINAL].dst.v6,
+ ct2->tuple[NFCT_DIR_ORIGINAL].dst.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+ if (flags & IPV6_REPL_SRC)
+ if (memcmp(ct1->tuple[NFCT_DIR_REPLY].src.v6,
+ ct2->tuple[NFCT_DIR_REPLY].src.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+ if (flags & IPV6_REPL_DST)
+ if (memcmp(ct1->tuple[NFCT_DIR_REPLY].dst.v6,
+ ct2->tuple[NFCT_DIR_REPLY].dst.v6,
+ sizeof(u_int32_t)*4) == 0)
+ return 0;
+
+ return 1;
+}
+
+static struct nfct_l3proto ipv6 = {
+ .name = "ipv6",
+ .protonum = AF_INET6,
+ .parse_proto = parse_proto,
+ .build_tuple_proto = build_tuple_proto,
+ .print_proto = print_proto,
+ .compare = compare,
+ .version = VERSION
+};
+
+static void __attribute__ ((constructor)) init(void);
+
+static void init(void)
+{
+ nfct_register_l3proto(&ipv6);
+}
-- cgit v1.2.3
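Review bot: `compare` has its four IPv6 address tests inverted: `memcmp(...) == 0` means the two addresses are equal, yet that is the branch that returns 0 (no match), so with `IPV6_ORIG_SRC`, `IPV6_ORIG_DST`, `IPV6_REPL_SRC` or `IPV6_REPL_DST` set the function reports equal addresses as different and different ones as matching. Each of the four conditions should end `sizeof(u_int32_t)*4) != 0)`, in line with the `!=` tests used for ports and `l3protonum` in the other hunks. Separately, `print_proto` writes through `src.in6_u`, a glibc-private member; `memcpy(&src, tuple->src.v6, sizeof(src))` (or the portable `s6_addr`) avoids that dependency, and on the second `inet_ntop` failure the function returns 0 after `buf` already holds the `src=` text, which callers cannot tell apart from nothing having been written.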