From 8ee6d3dd791e01872695f708e73d734219b8fea9 Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org"
Date: Wed, 16 Apr 2008 14:46:17 +0000
Subject: - bump version to 0.0.92 - recover the ID support - add support for timeout comparison - ignore set operation for counters and use attributes - fix broken status comparison - statify several __snprintf functions
---
 src/conntrack/api.c | 12 ++++++++++--
 src/conntrack/compare.c | 42 ++++++++++++++++++++++++++++++++--------
 src/conntrack/setter.c | 15 +++++++++++++-
 src/conntrack/snprintf_default.c | 23 ++++++++++++++--------
 src/conntrack/snprintf_xml.c | 6 ++++++
 5 files changed, 79 insertions(+), 19 deletions(-)
(limited to 'src/conntrack')
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index bd6a154..7d82d4d 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -697,10 +697,18 @@ int nfct_compare(const struct nf_conntrack *ct1,
  *
  * - NFCT_CMP_ALL: full comparison of both objects
  * - NFCT_CMP_ORIG: it only compares the source and destination address;
- * source and destination ports; and the layer 3 and 4 protocol numbers
- * of the original direction.
+ * source and destination ports; the layer 3 and 4 protocol numbers
+ * of the original direction; and the id (if present).
  * - NFCT_CMP_REPL: like NFCT_CMP_REPL but it compares the flow
  * information that goes in the reply direction.
+ * - NFCT_CMP_TIMEOUT_EQ: timeout(ct1) == timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_GT: timeout(ct1) > timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_LT: timeout(ct1) < timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_GE: timeout(ct1) >= timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_LE: timeout(ct1) <= timeout(ct2)
+ *
+ * The default status bits comparison consists of the following operation:
+ * status(ct1) & status(ct2) == status(ct1).
  *
  * If both conntrack object are equal, this function returns 1, otherwise
  * 0 is returned.
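Review bot: The new sentence `status(ct1) & status(ct2) == status(ct1)` in the nfct_compare doc parses under C precedence as `status(ct1) & (status(ct2) == status(ct1))`, which is not the test compare.c performs; write it as `(status(ct1) & status(ct2)) == status(ct1)`. That test is a subset check rather than an equality, so `nfct_compare(ct1, ct2, ...)` and `nfct_compare(ct2, ct1, ...)` can disagree when one object carries extra status bits, while the closing sentence still promises 1 only when "both conntrack object are equal"; the comment should state that every status bit of ct1 must also be set in ct2. The body of nfct_compare lies outside this hunk.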
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
index 0280638..06afbe6 100644
--- a/src/conntrack/compare.c
+++ b/src/conntrack/compare.c
@@ -100,21 +100,47 @@ static int cmp_repl(const struct nf_conntrack *ct1,
 }
 
 static int cmp_meta(const struct nf_conntrack *ct1,
-		    const struct nf_conntrack *ct2)
+		    const struct nf_conntrack *ct2,
+		    unsigned int flags)
 {
+	if (test_bit(ATTR_ID, ct1->set) &&
+	    test_bit(ATTR_ID, ct2->set) &&
+	    ct1->id != ct2->id)
+		return 0;
+
 	if (test_bit(ATTR_MARK, ct1->set) &&
 	    test_bit(ATTR_MARK, ct2->set) &&
 	    ct1->mark != ct2->mark)
 		return 0;
 
 	if (test_bit(ATTR_TIMEOUT, ct1->set) &&
-	    test_bit(ATTR_TIMEOUT, ct2->set) &&
-	    ct1->timeout != ct2->timeout)
-		return 0;
+	    test_bit(ATTR_TIMEOUT, ct2->set)) {
+		int ret = 0;
+
+#define __NFCT_CMP_TIMEOUT (NFCT_CMP_TIMEOUT_LE | NFCT_CMP_TIMEOUT_GT)
+
+		if (!(flags & __NFCT_CMP_TIMEOUT) &&
+		    ct1->timeout != ct2->timeout)
+			return 0;
+		else {
+			if (flags & NFCT_CMP_TIMEOUT_GT &&
+			    ct1->timeout > ct2->timeout)
+				ret = 1;
+			else if (flags & NFCT_CMP_TIMEOUT_LT &&
+				 ct1->timeout < ct2->timeout)
+				ret = 1;
+			else if (flags & NFCT_CMP_TIMEOUT_EQ &&
+				 ct1->timeout == ct2->timeout)
+				ret = 1;
+
+			if (ret == 0)
+				return 0;
+		}
+	}
 
 	if (test_bit(ATTR_STATUS, ct1->set) &&
 	    test_bit(ATTR_STATUS, ct2->set) &&
-	    ct1->status == ct2->status)
+	    !((ct1->status & ct2->status) == ct1->status))
 		return 0;
 
 	if (test_bit(ATTR_TCP_STATE, ct1->set) &&
@@ -130,9 +156,9 @@ int __compare(const struct nf_conntrack *ct1,
 	      unsigned int flags)
 {
 	if (flags == NFCT_CMP_ALL)
-		return cmp_orig(ct1, ct2) &&
-		       cmp_repl(ct1, ct2) &&
-		       cmp_meta(ct1, ct2);
+		return cmp_meta(ct1, ct2, flags) &&
+		       cmp_orig(ct1, ct2) &&
+		       cmp_repl(ct1, ct2);
 
 	if (flags & NFCT_CMP_ORIG && !cmp_orig(ct1, ct2))
 		return 0;
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 62be3e6..52a2aab 100644
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
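Review bot: In the new timeout block of cmp_meta, the `else` also runs when no timeout flag is set and the timeouts are equal: the `if` fails only because `ct1->timeout != ct2->timeout` is false, control falls into the `else`, none of the GT/LT/EQ branches match, and `if (ret == 0) return 0;` reports the objects as different. Two otherwise identical conntracks with the same timeout therefore compare unequal unless the caller passes an explicit timeout operator. Nest the plain comparison instead: `if (!(flags & __NFCT_CMP_TIMEOUT)) { if (ct1->timeout != ct2->timeout) return 0; } else { ... }`. The `__NFCT_CMP_TIMEOUT` mask is `LE | GT` while the branches test only GT, LT and EQ, so unless NFCT_CMP_TIMEOUT_GE/LE are defined in the header as GT|EQ and LT|EQ (not visible here), a GE or LE request never sets `ret` and always fails. The macro is also defined inside the function body without a matching `#undef`, and cmp_meta's body continues past the hunk.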
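Review bot: The only call that forwards `flags` to cmp_meta sits under `if (flags == NFCT_CMP_ALL)`, an exact comparison, so a `flags` value carrying NFCT_CMP_TIMEOUT_GT/LT/EQ cannot reach this branch unless NFCT_CMP_ALL itself contains those bits; the rest of __compare is outside the hunk, and if it does not also call `cmp_meta(ct1, ct2, flags)` the timeout operators documented in api.c are unreachable. Consider invoking cmp_meta with `flags` on the non-ALL path as well whenever `flags` carries a timeout operator, so that `NFCT_CMP_ORIG | NFCT_CMP_TIMEOUT_GT` and similar combinations behave as documented.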
@@ -1,5 +1,5 @@
 /*
- * (C) 2006 by Pablo Neira Ayuso
+ * (C) 2006-2008 by Pablo Neira Ayuso
  *
  * This software may be used and distributed according to the terms
  * of the GNU General Public License, incorporated herein by reference.
@@ -210,6 +210,11 @@ static void set_attr_status(struct nf_conntrack *ct, const void *value)
 	ct->status = *((u_int32_t *) value);
 }
 
+static void set_attr_id(struct nf_conntrack *ct, const void *value)
+{
+	ct->id = *((u_int32_t *) value);
+}
+
 static void set_attr_master_ipv4_src(struct nf_conntrack *ct, const void *value)
 {
 	ct->tuple[__DIR_MASTER].src.v4 = *((u_int32_t *) value);
@@ -280,6 +285,8 @@ static void set_attr_repl_off_aft(struct nf_conntrack *ct, const void *value)
 	ct->tuple[__DIR_REPL].natseq.offset_after = *((u_int32_t *) value);
 }
 
+static void set_attr_do_nothing(struct nf_conntrack *ct, const void *value) {}
+
 set_attr set_attr_array[] = {
 	[ATTR_ORIG_IPV4_SRC]	= set_attr_orig_ipv4_src,
 	[ATTR_ORIG_IPV4_DST]	= set_attr_orig_ipv4_dst,
@@ -307,6 +314,12 @@ set_attr set_attr_array[] = {
 	[ATTR_DNAT_PORT]	= set_attr_dnat_port,
 	[ATTR_TIMEOUT]	= set_attr_timeout,
 	[ATTR_MARK]	= set_attr_mark,
+	[ATTR_ORIG_COUNTER_PACKETS]	= set_attr_do_nothing,
+	[ATTR_REPL_COUNTER_PACKETS]	= set_attr_do_nothing,
+	[ATTR_ORIG_COUNTER_BYTES]	= set_attr_do_nothing,
+	[ATTR_REPL_COUNTER_BYTES]	= set_attr_do_nothing,
+	[ATTR_USE]	= set_attr_do_nothing,
+	[ATTR_ID]	= set_attr_id,
 	[ATTR_STATUS]	= set_attr_status,
 	[ATTR_TCP_FLAGS_ORIG]	= set_attr_tcp_flags_orig,
 	[ATTR_TCP_FLAGS_REPL]	= set_attr_tcp_flags_repl,
diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 5811290..e2573df 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -1,5 +1,5 @@
 /*
- * (C) 2006 by Pablo Neira Ayuso
+ * (C) 2006-2008 by Pablo Neira Ayuso
  *
  * This software may be used and distributed according to the terms
  * of the GNU General Public License, incorporated herein by reference.
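Review bot: `set_attr_do_nothing` accepts writes to ATTR_ORIG/REPL_COUNTER_PACKETS, ATTR_ORIG/REPL_COUNTER_BYTES and ATTR_USE in the set_attr_array hunk without storing anything; if the generic setter that dispatches through this table (outside the hunk) marks the attribute bit in `ct->set` after the call, `test_bit(ATTR_USE, ct->set)` becomes true while `ct->use` still holds its previous contents, and getters and printers then report a value the caller never supplied. Either leave those slots unset so the dispatcher can reject them, or ensure the bit is only set for handlers that store the value; at minimum a comment such as `/* read-only kernel attributes: a set is accepted but ignored */` above the no-op entries records the intent. In the hunk that defines it, `set_attr_do_nothing` leaves both parameters unused and will warn under -Wunused-parameter; `(void)ct; (void)value;` in the body avoids that.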
@@ -194,26 +194,28 @@ int __snprintf_counters(char *buf,
 			 (unsigned long long) ct->counters[dir].bytes));
 }
 
-int __snprintf_mark(char *buf, unsigned int len, const struct nf_conntrack *ct)
+static int
+__snprintf_mark(char *buf, unsigned int len, const struct nf_conntrack *ct)
 {
 	return (snprintf(buf, len, "mark=%u ", ct->mark));
 }
 
-int __snprintf_secmark(char *buf,
-		       unsigned int len,
-		       const struct nf_conntrack *ct)
+static int
+__snprintf_secmark(char *buf, unsigned int len, const struct nf_conntrack *ct)
 {
 	return (snprintf(buf, len, "secmark=%u ", ct->secmark));
 }
 
-int __snprintf_use(char *buf, unsigned int len, const struct nf_conntrack *ct)
+static int
+__snprintf_use(char *buf, unsigned int len, const struct nf_conntrack *ct)
 {
 	return (snprintf(buf, len, "use=%u ", ct->use));
 }
 
-int __snprintf_id(char *buf, unsigned int len, u_int32_t id)
+static int
+__snprintf_id(char *buf, unsigned int len, const struct nf_conntrack *ct)
 {
-	return (snprintf(buf, len, "id=%u ", id));
+	return (snprintf(buf, len, "id=%u ", ct->id));
 }
 
 int __snprintf_conntrack_default(char *buf,
@@ -307,6 +309,11 @@ int __snprintf_conntrack_default(char *buf,
 		BUFFER_SIZE(ret, size, len, offset);
 	}
 
+	if (flags & NFCT_OF_ID && test_bit(ATTR_ID, ct->set)) {
+		ret = __snprintf_id(buf+offset, len, ct);
+		BUFFER_SIZE(ret, size, len, offset);
+	}
+
 	/* Delete the last blank space */
 	size--;
 
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index 8b6d0cf..bb9bdef 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
@@ -46,6 +46,7 @@
  * 100
  * 1
  * 0
+ * 453281439
  * 1
  *
  *
@@ -322,6 +323,11 @@ int __snprintf_conntrack_xml(char *buf,
 		BUFFER_SIZE(ret, size, len, offset);
 	}
 
+	if (test_bit(ATTR_ID, ct->set)) {
+		ret = snprintf(buf+offset, len, "%u", ct->id);
+		BUFFER_SIZE(ret, size, len, offset);
+	}
+
 	if (test_bit(ATTR_STATUS, ct->set) && ct->status & IPS_ASSURED) {
 		ret = snprintf(buf+offset, len, "");
-- 
cgit v1.2.3
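Review bot: The four `__snprintf_*` helpers become `static` and `__snprintf_id` changes its third parameter from `u_int32_t id` to `const struct nf_conntrack *ct`; if the previous external prototypes are still declared in a shared internal header (not visible in this hunk), the `static` definitions conflict with them and the old `__snprintf_id(char *, unsigned int, u_int32_t)` declaration no longer matches any definition. Remove those declarations in the same commit, or confirm that none exist.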