From cdf0d6c32f5c6c7c3071d35fa770eaf62fbad312 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 17 Feb 2009 21:36:43 +0100 Subject: src: remove old deprecated API This patch removes the first API version which was scheduled in 2007. That API had several major limitations that the new one solved. I don't know of any known existing client of this old API. Signed-off-by: Pablo Neira Ayuso --- src/Makefile.am | 12 +- src/deprecated.c | 1204 -------------------- src/deprecated/Makefile.am | 3 - src/deprecated/extensions/Makefile.am | 14 - .../extensions/libnetfilter_conntrack_icmp.c | 84 -- .../extensions/libnetfilter_conntrack_sctp.c | 94 -- .../extensions/libnetfilter_conntrack_tcp.c | 136 --- .../extensions/libnetfilter_conntrack_udp.c | 78 -- src/deprecated/l3extensions/Makefile.am | 9 - .../l3extensions/libnetfilter_conntrack_ipv4.c | 88 -- .../l3extensions/libnetfilter_conntrack_ipv6.c | 109 -- src/main.c | 2 - 12 files changed, 3 insertions(+), 1830 deletions(-) delete mode 100644 src/deprecated.c delete mode 100644 src/deprecated/Makefile.am delete mode 100644 src/deprecated/extensions/Makefile.am delete mode 100644 src/deprecated/extensions/libnetfilter_conntrack_icmp.c delete mode 100644 src/deprecated/extensions/libnetfilter_conntrack_sctp.c delete mode 100644 src/deprecated/extensions/libnetfilter_conntrack_tcp.c delete mode 100644 src/deprecated/extensions/libnetfilter_conntrack_udp.c delete mode 100644 src/deprecated/l3extensions/Makefile.am delete mode 100644 src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c delete mode 100644 src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c (limited to 'src') diff --git a/src/Makefile.am b/src/Makefile.am index 22ba2bc..96446fb 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -4,7 +4,7 @@ include $(top_srcdir)/Make_global.am #EXTRA_DIST = $(man_MANS) acinclude.m4 -SUBDIRS=conntrack expect deprecated +SUBDIRS=conntrack expect AM_CFLAGS = -fPIC -Wall LIBS = @LIBNFCONNTRACK_LIBS@ @@ -12,13 +12,7 @@ LIBS = @LIBNFCONNTRACK_LIBS@ lib_LTLIBRARIES = libnetfilter_conntrack.la libnetfilter_conntrack_la_LIBADD = conntrack/libnfconntrack.la \ - expect/libnfexpect.la \ - deprecated/l3extensions/libnfct_l3proto_ipv4.la \ - deprecated/l3extensions/libnfct_l3proto_ipv6.la \ - deprecated/extensions/libnfct_proto_tcp.la \ - deprecated/extensions/libnfct_proto_udp.la \ - deprecated/extensions/libnfct_proto_icmp.la \ - deprecated/extensions/libnfct_proto_sctp.la + expect/libnfexpect.la libnetfilter_conntrack_la_LDFLAGS = -Wc,-nostartfiles -lnfnetlink -ldl \ -version-info $(LIBVERSION) -libnetfilter_conntrack_la_SOURCES = main.c deprecated.c +libnetfilter_conntrack_la_SOURCES = main.c diff --git a/src/deprecated.c b/src/deprecated.c deleted file mode 100644 index 84de04b..0000000 --- a/src/deprecated.c +++ /dev/null @@ -1,1204 +0,0 @@ -/* - * (C) 2005-2006 by Pablo Neira Ayuso - * Harald Welte - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * Warning: This file contains the old API that is deprecated! - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "internal/linux_list.h" -#include "internal/internal.h" - -#define NFCT_BUFSIZE 4096 - -static LIST_HEAD(proto_list); -static LIST_HEAD(l3proto_list); -static char *proto2str[IPPROTO_MAX] = { - [IPPROTO_TCP] = "tcp", - [IPPROTO_UDP] = "udp", - [IPPROTO_ICMP] = "icmp", - [IPPROTO_SCTP] = "sctp" -}; -static char *l3proto2str[AF_MAX] = { - [AF_INET] = "ipv4", - [AF_INET6] = "ipv6" -}; -static struct nfct_proto *findproto(char *name); -static struct nfct_l3proto *findl3proto(char *name); - -void deprecated_backward_support() -{ - nfct_register_l3proto(&ipv4); - nfct_register_l3proto(&ipv6); - - nfct_register_proto(&tcp); - nfct_register_proto(&udp); - nfct_register_proto(&icmp); - nfct_register_proto(&sctp); -} - -/* handler used for nfnl_listen */ -static int callback_handler(struct sockaddr_nl *nladdr, - struct nlmsghdr *n, void *arg) -{ - struct nfct_handle *cth = (struct nfct_handle *) arg; - int ret; - - if (NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK && - NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK_EXP) { - nfnl_dump_packet(n, n->nlmsg_len, "callback_handler"); - return 0; - } - - if (!cth) - return -ENODEV; - - if (!cth->handler) - return -ENODEV; - - ret = cth->handler(cth, n, NULL); - - return ret; -} - -void nfct_register_callback(struct nfct_handle *cth, nfct_callback callback, - void *data) -{ - cth->callback = callback; - cth->callback_data = data; -} - -void nfct_unregister_callback(struct nfct_handle *cth) -{ - cth->callback = NULL; - cth->callback_data = NULL; -} - -static void nfct_build_tuple_ip(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - struct nfattr *nest; - struct nfct_l3proto *h; - - nest = nfnl_nest(&req->nlh, size, CTA_TUPLE_IP); - - h = findl3proto(l3proto2str[t->l3protonum]); - if (h && h->build_tuple_proto) - h->build_tuple_proto(req, size, t); - - nfnl_nest_end(&req->nlh, nest); -} - -static void nfct_build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - struct nfct_proto *h; - struct nfattr *nest; - - nest = nfnl_nest(&req->nlh, size, CTA_TUPLE_PROTO); - - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_NUM, &t->protonum, - sizeof(u_int8_t)); - - h = findproto(proto2str[t->protonum]); - - if (h && h->build_tuple_proto) - h->build_tuple_proto(req, size, t); - - nfnl_nest_end(&req->nlh, nest); -} - -void nfct_build_tuple(struct nfnlhdr *req, int size, - struct nfct_tuple *t, int type) -{ - struct nfattr *nest; - - nest = nfnl_nest(&req->nlh, size, type); - - nfct_build_tuple_ip(req, size, t); - nfct_build_tuple_proto(req, size, t); - - nfnl_nest_end(&req->nlh, nest); -} - -static void nfct_build_protoinfo(struct nfnlhdr *req, int size, - struct nfct_conntrack *ct) -{ - struct nfattr *nest; - struct nfct_proto *h; - - h = findproto(proto2str[ct->tuple[NFCT_DIR_ORIGINAL].protonum]); - if (h && h->build_protoinfo) { - nest = nfnl_nest(&req->nlh, size, CTA_PROTOINFO); - h->build_protoinfo(req, size, ct); - nfnl_nest_end(&req->nlh, nest); - } -} - -static void nfct_build_protonat(struct nfnlhdr *req, int size, - struct nfct_conntrack *ct) -{ - struct nfattr *nest; - - nest = nfnl_nest(&req->nlh, size, CTA_NAT_PROTO); - - switch (ct->tuple[NFCT_DIR_ORIGINAL].protonum) { -#if 0 - case IPPROTO_TCP: - nfnl_addattr_l(&req->nlh, size, CTA_PROTONAT_TCP_MIN, - &ct->nat.l4min.tcp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTONAT_TCP_MAX, - &ct->nat.l4max.tcp.port, sizeof(u_int16_t)); - break; - case IPPROTO_UDP: - nfnl_addattr_l(&req->nlh, size, CTA_PROTONAT_UDP_MIN, - &ct->nat.l4min.udp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTONAT_UDP_MAX, - &ct->nat.l4max.udp.port, sizeof(u_int16_t)); - break; -#endif - } - nfnl_nest_end(&req->nlh, nest); -} - -static void nfct_build_nat(struct nfnlhdr *req, int size, - struct nfct_conntrack *ct) -{ - struct nfattr *nest; - - nest = nfnl_nest(&req->nlh, size, CTA_NAT); - - nfnl_addattr_l(&req->nlh, size, CTA_NAT_MINIP, - &ct->nat.min_ip, sizeof(u_int32_t)); - - if (ct->nat.min_ip != ct->nat.max_ip) - nfnl_addattr_l(&req->nlh, size, CTA_NAT_MAXIP, - &ct->nat.max_ip, sizeof(u_int32_t)); - - if (ct->nat.l4min.all != ct->nat.l4max.all) - nfct_build_protonat(req, size, ct); - - nfnl_nest_end(&req->nlh, nest); -} - -void nfct_dump_tuple(struct nfct_tuple *tp) -{ - struct in_addr src = { .s_addr = tp->src.v4 }; - struct in_addr dst = { .s_addr = tp->dst.v4 }; - - fprintf(stdout, "tuple %p: %u %s:%hu -> ", tp, tp->protonum, - inet_ntoa(src), - ntohs(tp->l4src.all)); - - fprintf(stdout, "%s:%hu\n", inet_ntoa(dst), ntohs(tp->l4dst.all)); -} - -static struct nfct_proto *findproto(char *name) -{ - struct list_head *i; - struct nfct_proto *cur = NULL, *handler = NULL; - - if (!name) - return handler; - - list_for_each(i, &proto_list) { - cur = (struct nfct_proto *) i; - if (strcmp(cur->name, name) == 0) { - handler = cur; - break; - } - } - - if (!handler) - fprintf(stderr, "libnetfilter_conntrack: " - "cannot find %s handler\n", name); - - return handler; -} - -static struct nfct_l3proto *findl3proto(char *name) -{ - struct list_head *i; - struct nfct_l3proto *cur = NULL, *handler = NULL; - - if (!name) - return handler; - - list_for_each(i, &l3proto_list) { - cur = (struct nfct_l3proto *) i; - if (strcmp(cur->name, name) == 0) { - handler = cur; - break; - } - } - - if (!handler) - fprintf(stderr, "libnetfilter_conntrack: " - "cannot find %s handler\n", name); - - return handler; -} - -int nfct_sprintf_status_assured(char *buf, struct nfct_conntrack *ct) -{ - int size = 0; - - if (ct->status & IPS_ASSURED) - size = sprintf(buf, "[ASSURED] "); - - return size; -} - -int nfct_sprintf_status_seen_reply(char *buf, struct nfct_conntrack *ct) -{ - int size = 0; - - if (!(ct->status & IPS_SEEN_REPLY)) - size = sprintf(buf, "[UNREPLIED] "); - - return size; -} - -static void parse_ip(struct nfattr *attr, struct nfct_tuple *tuple) -{ - struct nfattr *tb[CTA_IP_MAX]; - struct nfct_l3proto *h; - - nfnl_parse_nested(tb, CTA_IP_MAX, attr); - h = findl3proto(l3proto2str[tuple->l3protonum]); - if (h && h->parse_proto) - h->parse_proto(tb, tuple); -} - -static void parse_proto(struct nfattr *attr, struct nfct_tuple *tuple) -{ - struct nfattr *tb[CTA_PROTO_MAX]; - struct nfct_proto *h; - - nfnl_parse_nested(tb, CTA_PROTO_MAX, attr); - if (tb[CTA_PROTO_NUM-1]) - tuple->protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]); - - h = findproto(proto2str[tuple->protonum]); - if (h && h->parse_proto) - h->parse_proto(tb, tuple); -} - -static void parse_tuple(struct nfattr *attr, struct nfct_tuple *tuple) -{ - struct nfattr *tb[CTA_TUPLE_MAX]; - - nfnl_parse_nested(tb, CTA_TUPLE_MAX, attr); - - if (tb[CTA_TUPLE_IP-1]) - parse_ip(tb[CTA_TUPLE_IP-1], tuple); - if (tb[CTA_TUPLE_PROTO-1]) - parse_proto(tb[CTA_TUPLE_PROTO-1], tuple); -} - -static void parse_mask(struct nfattr *attr, struct nfct_tuple *tuple, - u_int8_t l3protonum, u_int16_t protonum) -{ - struct nfattr *cda[CTA_TUPLE_MAX]; - - nfnl_parse_nested(cda, CTA_TUPLE_MAX, attr); - - if (cda[CTA_TUPLE_IP-1]) { - struct nfattr *tb[CTA_IP_MAX]; - struct nfct_l3proto *h; - - nfnl_parse_nested(tb, CTA_IP_MAX, cda[CTA_TUPLE_IP-1]); - h = findl3proto(l3proto2str[l3protonum]); - if (h && h->parse_proto) - h->parse_proto(tb, tuple); - } - if (cda[CTA_TUPLE_PROTO-1]) { - struct nfattr *tb[CTA_PROTO_MAX]; - struct nfct_proto *h; - - nfnl_parse_nested(tb, CTA_PROTO_MAX, cda[CTA_TUPLE_PROTO-1]); - if (tb[CTA_PROTO_NUM-1]) - tuple->protonum = - *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]); - - h = findproto(proto2str[protonum]); - if (h && h->parse_proto) - h->parse_proto(tb, tuple); - } -} - -static void parse_protoinfo(struct nfattr *attr, struct nfct_conntrack *ct) -{ - struct nfattr *tb[CTA_PROTOINFO_MAX]; - struct nfct_proto *h; - - nfnl_parse_nested(tb,CTA_PROTOINFO_MAX, attr); - - h = findproto(proto2str[ct->tuple[NFCT_DIR_ORIGINAL].protonum]); - if (h && h->parse_protoinfo) - h->parse_protoinfo(tb, ct); -} - -static void nfct_parse_counters(struct nfattr *attr, - struct nfct_conntrack *ct, - enum ctattr_type parent) -{ - struct nfattr *tb[CTA_COUNTERS_MAX]; - int dir = (parent == CTA_COUNTERS_ORIG ? NFCT_DIR_REPLY - : NFCT_DIR_ORIGINAL); - - nfnl_parse_nested(tb, CTA_COUNTERS_MAX, attr); - if (tb[CTA_COUNTERS_PACKETS-1]) - ct->counters[dir].packets - = __be64_to_cpu(*(u_int64_t *) - NFA_DATA(tb[CTA_COUNTERS_PACKETS-1])); - if (tb[CTA_COUNTERS_BYTES-1]) - ct->counters[dir].bytes - = __be64_to_cpu(*(u_int64_t *) - NFA_DATA(tb[CTA_COUNTERS_BYTES-1])); - if (tb[CTA_COUNTERS32_PACKETS-1]) - ct->counters[dir].packets - = ntohl(*(u_int32_t *) - NFA_DATA(tb[CTA_COUNTERS32_PACKETS-1])); - if (tb[CTA_COUNTERS32_BYTES-1]) - ct->counters[dir].bytes - = ntohl(*(u_int32_t *) - NFA_DATA(tb[CTA_COUNTERS32_BYTES-1])); -} - -static char *msgtype[] = {"[UNKNOWN]", "[NEW]", "[UPDATE]", "[DESTROY]"}; - -static int typemsg2enum(u_int16_t type, u_int16_t flags) -{ - int ret = NFCT_MSG_UNKNOWN; - - if (type == IPCTNL_MSG_CT_NEW) { - if (flags & (NLM_F_CREATE|NLM_F_EXCL)) - ret = NFCT_MSG_NEW; - else - ret = NFCT_MSG_UPDATE; - } else if (type == IPCTNL_MSG_CT_DELETE) - ret = NFCT_MSG_DESTROY; - - return ret; -} - -static int nfct_conntrack_netlink_handler(struct nfct_handle *cth, - struct nlmsghdr *nlh, void *arg) -{ - struct nfct_conntrack ct; - unsigned int flags = 0; - struct nfgenmsg *nfhdr = NLMSG_DATA(nlh); - int type = NFNL_MSG_TYPE(nlh->nlmsg_type), ret = 0; - int len = nlh->nlmsg_len; - struct nfattr *cda[CTA_MAX]; - - len -= NLMSG_LENGTH(sizeof(struct nfgenmsg)); - if (len < 0) - return -EINVAL; - - memset(&ct, 0, sizeof(struct nfct_conntrack)); - - ct.tuple[NFCT_DIR_ORIGINAL].l3protonum = nfhdr->nfgen_family; - ct.tuple[NFCT_DIR_REPLY].l3protonum = nfhdr->nfgen_family; - - nfnl_parse_attr(cda, CTA_MAX, NFA_DATA(nfhdr), len); - - if (cda[CTA_TUPLE_ORIG-1]) - parse_tuple(cda[CTA_TUPLE_ORIG-1], - &ct.tuple[NFCT_DIR_ORIGINAL]); - - if (cda[CTA_TUPLE_REPLY-1]) - parse_tuple(cda[CTA_TUPLE_REPLY-1], - &ct.tuple[NFCT_DIR_REPLY]); - - if (cda[CTA_STATUS-1]) { - ct.status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1])); - flags |= NFCT_STATUS; - } - - if (cda[CTA_PROTOINFO-1]) { - parse_protoinfo(cda[CTA_PROTOINFO-1], &ct); - flags |= NFCT_PROTOINFO; - } - - if (cda[CTA_TIMEOUT-1]) { - ct.timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1])); - flags |= NFCT_TIMEOUT; - } - - if (cda[CTA_MARK-1]) { - ct.mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1])); - flags |= NFCT_MARK; - } - - if (cda[CTA_COUNTERS_ORIG-1]) { - nfct_parse_counters(cda[CTA_COUNTERS_ORIG-1], &ct, - NFA_TYPE(cda[CTA_COUNTERS_ORIG-1])-1); - flags |= NFCT_COUNTERS_ORIG; - } - - if (cda[CTA_COUNTERS_REPLY-1]) { - nfct_parse_counters(cda[CTA_COUNTERS_REPLY-1], &ct, - NFA_TYPE(cda[CTA_COUNTERS_REPLY-1])-1); - flags |= NFCT_COUNTERS_RPLY; - } - - if (cda[CTA_USE-1]) { - ct.use = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_USE-1])); - flags |= NFCT_USE; - } - - if (cda[CTA_ID-1]) { - ct.id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1])); - flags |= NFCT_ID; - } - - if (cth->callback) - ret = cth->callback((void *) &ct, flags, - typemsg2enum(type, nlh->nlmsg_flags), - cth->callback_data); - - return ret; -} - -int nfct_sprintf_protocol(char *buf, struct nfct_conntrack *ct) -{ - return (sprintf(buf, "%-8s %u ", - proto2str[ct->tuple[NFCT_DIR_ORIGINAL].protonum] == NULL ? - "unknown" : proto2str[ct->tuple[NFCT_DIR_ORIGINAL].protonum], - ct->tuple[NFCT_DIR_ORIGINAL].protonum)); -} - -int nfct_sprintf_timeout(char *buf, struct nfct_conntrack *ct) -{ - return sprintf(buf, "%u ", ct->timeout); -} - -int nfct_sprintf_protoinfo(char *buf, struct nfct_conntrack *ct) -{ - int size = 0; - struct nfct_proto *h = NULL; - - h = findproto(proto2str[ct->tuple[NFCT_DIR_ORIGINAL].protonum]); - if (h && h->print_protoinfo) - size += h->print_protoinfo(buf+size, &ct->protoinfo); - - return size; -} - -int nfct_sprintf_address(char *buf, struct nfct_tuple *t) -{ - int size = 0; - struct nfct_l3proto *h; - - h = findl3proto(l3proto2str[t->l3protonum]); - if (h && h->print_proto) - size += h->print_proto(buf, t); - - return size; -} - -int nfct_sprintf_proto(char *buf, struct nfct_tuple *t) -{ - int size = 0; - struct nfct_proto *h = NULL; - - h = findproto(proto2str[t->protonum]); - if (h && h->print_proto) - size += h->print_proto(buf, t); - - return size; -} - -int nfct_sprintf_counters(char *buf, struct nfct_conntrack *ct, int dir) -{ - return (sprintf(buf, "packets=%llu bytes=%llu ", - (unsigned long long) ct->counters[dir].packets, - (unsigned long long) ct->counters[dir].bytes)); -} - -int nfct_sprintf_mark(char *buf, struct nfct_conntrack *ct) -{ - return (sprintf(buf, "mark=%u ", ct->mark)); -} - -int nfct_sprintf_use(char *buf, struct nfct_conntrack *ct) -{ - return (sprintf(buf, "use=%u ", ct->use)); -} - -int nfct_sprintf_id(char *buf, u_int32_t id) -{ - return (sprintf(buf, "id=%u ", id)); -} - -int nfct_sprintf_conntrack(char *buf, struct nfct_conntrack *ct, - unsigned int flags) -{ - int size = 0; - - size += nfct_sprintf_protocol(buf, ct); - - if (flags & NFCT_TIMEOUT) - size += nfct_sprintf_timeout(buf+size, ct); - - if (flags & NFCT_PROTOINFO) - size += nfct_sprintf_protoinfo(buf+size, ct); - - size += nfct_sprintf_address(buf+size, &ct->tuple[NFCT_DIR_ORIGINAL]); - size += nfct_sprintf_proto(buf+size, &ct->tuple[NFCT_DIR_ORIGINAL]); - - if (flags & NFCT_COUNTERS_ORIG) - size += nfct_sprintf_counters(buf+size, ct, NFCT_DIR_ORIGINAL); - - if (flags & NFCT_STATUS) - size += nfct_sprintf_status_seen_reply(buf+size, ct); - - size += nfct_sprintf_address(buf+size, &ct->tuple[NFCT_DIR_REPLY]); - size += nfct_sprintf_proto(buf+size, &ct->tuple[NFCT_DIR_REPLY]); - - if (flags & NFCT_COUNTERS_RPLY) - size += nfct_sprintf_counters(buf+size, ct, NFCT_DIR_REPLY); - - if (flags & NFCT_STATUS) - size += nfct_sprintf_status_assured(buf+size, ct); - - if (flags & NFCT_MARK) - size += nfct_sprintf_mark(buf+size, ct); - - if (flags & NFCT_USE) - size += nfct_sprintf_use(buf+size, ct); - - /* Delete the last blank space */ - size--; - - return size; -} - -int nfct_sprintf_conntrack_id(char *buf, struct nfct_conntrack *ct, - unsigned int flags) -{ - int size; - - /* add a blank space, that's why the add 1 to the size */ - size = nfct_sprintf_conntrack(buf, ct, flags) + 1; - if (flags & NFCT_ID) - size += nfct_sprintf_id(buf+size, ct->id); - - /* Delete the last blank space */ - return --size; -} - -int nfct_default_conntrack_display(void *arg, unsigned int flags, int type, - void *data) -{ - char buf[512]; - int size; - struct nfct_conntrack_compare *cmp = data; - - if (cmp && !nfct_conntrack_compare(cmp->ct, arg, cmp)) - return 0; - - memset(buf, 0, sizeof(buf)); - size = nfct_sprintf_conntrack(buf, arg, flags); - sprintf(buf+size, "\n"); - fprintf(stdout, buf); - - return 0; -} - -int nfct_default_conntrack_display_id(void *arg, unsigned int flags, int type, - void *data) -{ - char buf[512]; - int size; - struct nfct_conntrack_compare *cmp = data; - - if (cmp && !nfct_conntrack_compare(cmp->ct, arg, cmp)) - return 0; - - memset(buf, 0, sizeof(buf)); - size = nfct_sprintf_conntrack_id(buf, arg, flags); - sprintf(buf+size, "\n"); - fprintf(stdout, buf); - - return 0; -} - -int nfct_default_conntrack_event_display(void *arg, unsigned int flags, - int type, void *data) -{ - char buf[512]; - int size; - struct nfct_conntrack_compare *cmp = data; - - if (cmp && !nfct_conntrack_compare(cmp->ct, arg, cmp)) - return 0; - - memset(buf, 0, sizeof(buf)); - size = sprintf(buf, "%9s ", msgtype[type]); - size += nfct_sprintf_conntrack_id(buf + size, arg, flags); - sprintf(buf+size, "\n"); - fprintf(stdout, buf); - fflush(stdout); - - return 0; -} - -int nfct_sprintf_expect_proto(char *buf, struct nfct_expect *exp) -{ - return(sprintf(buf, "%u proto=%d ", exp->timeout, - exp->tuple.protonum)); -} - -int nfct_sprintf_expect(char *buf, struct nfct_expect *exp) -{ - int size = 0; - - size = nfct_sprintf_expect_proto(buf, exp); - size += nfct_sprintf_address(buf+size, &exp->tuple); - size += nfct_sprintf_proto(buf+size, &exp->tuple); - - /* remove last blank space */ - return --size; -} - -int nfct_sprintf_expect_id(char *buf, struct nfct_expect *exp) -{ - int size = 0; - - /* add a blank space, that's why the add 1 to the size */ - size = nfct_sprintf_expect(buf, exp) + 1; - size += nfct_sprintf_id(buf+size, exp->id); - - /* remove last blank space */ - return --size; -} - -int nfct_default_expect_display(void *arg, unsigned int flags, int type, - void *data) -{ - char buf[256]; - int size = 0; - - memset(buf, 0, sizeof(buf)); - size = nfct_sprintf_expect(buf, arg); - sprintf(buf+size, "\n"); - fprintf(stdout, buf); - - return 0; -} - -int nfct_default_expect_display_id(void *arg, unsigned int flags, int type, - void *data) -{ - char buf[256]; - int size = 0; - - size = nfct_sprintf_expect_id(buf, arg); - sprintf(buf+size, "\n"); - fprintf(stdout, buf); - - return 0; -} - -static int nfct_expect_netlink_handler(struct nfct_handle *cth, - struct nlmsghdr *nlh, void *arg) -{ - struct nfgenmsg *nfhdr = NLMSG_DATA(nlh); - struct nfct_expect exp; - int type = NFNL_MSG_TYPE(nlh->nlmsg_type), ret = 0; - int len = nlh->nlmsg_len; - struct nfattr *cda[CTA_EXPECT_MAX]; - - len -= NLMSG_LENGTH(sizeof(struct nfgenmsg)); - if (len < 0) - return -EINVAL; - - memset(&exp, 0, sizeof(struct nfct_expect)); - - exp.tuple.l3protonum = nfhdr->nfgen_family; - - nfnl_parse_attr(cda, CTA_EXPECT_MAX, NFA_DATA(nfhdr), len); - - if (cda[CTA_EXPECT_TUPLE-1]) - parse_tuple(cda[CTA_EXPECT_TUPLE-1], &exp.tuple); - - if (cda[CTA_EXPECT_MASK-1]) - parse_mask(cda[CTA_EXPECT_MASK-1], &exp.mask, - exp.tuple.l3protonum, exp.tuple.protonum); - - if (cda[CTA_EXPECT_TIMEOUT-1]) - exp.timeout = ntohl(*(u_int32_t *) - NFA_DATA(cda[CTA_EXPECT_TIMEOUT-1])); - - if (cda[CTA_EXPECT_ID-1]) - exp.id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1])); - - if (cth->callback) - ret = cth->callback((void *)&exp, 0, - typemsg2enum(type, nlh->nlmsg_flags), - cth->callback_data); - - return 0; -} - -struct nfct_conntrack * -nfct_conntrack_alloc(struct nfct_tuple *orig, struct nfct_tuple *reply, - u_int32_t timeout, union nfct_protoinfo *proto, - u_int32_t status, u_int32_t mark, - u_int32_t id, struct nfct_nat *range) -{ - struct nfct_conntrack *ct; - - ct = malloc(sizeof(struct nfct_conntrack)); - if (!ct) - return NULL; - memset(ct, 0, sizeof(struct nfct_conntrack)); - - ct->tuple[NFCT_DIR_ORIGINAL] = *orig; - ct->tuple[NFCT_DIR_REPLY] = *reply; - ct->timeout = timeout; - ct->status = status; - ct->protoinfo = *proto; - ct->mark = mark; - if (id != NFCT_ANY_ID) - ct->id = id; - if (range) - ct->nat = *range; - - return ct; -} - -void nfct_conntrack_free(struct nfct_conntrack *ct) -{ - free(ct); -} - -#define L3PROTONUM(ct) ct->tuple[NFCT_DIR_ORIGINAL].l3protonum -#define L4PROTONUM(ct) ct->tuple[NFCT_DIR_ORIGINAL].protonum - -int nfct_conntrack_compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - struct nfct_conntrack_compare *cmp) -{ - struct nfct_l3proto *l3proto; - struct nfct_proto *proto; - unsigned int l3flags = cmp->l3flags; - unsigned int l4flags = cmp->l4flags; - unsigned int flags = cmp->flags; - - if ((flags & NFCT_MARK) && (ct1->mark != ct2->mark)) - return 0; - - if (l3flags) { - if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum != AF_UNSPEC && - ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum != AF_UNSPEC && - ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum != - ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum) - return 0; - if (ct1->tuple[NFCT_DIR_REPLY].l3protonum != AF_UNSPEC && - ct2->tuple[NFCT_DIR_REPLY].l3protonum != AF_UNSPEC && - ct1->tuple[NFCT_DIR_REPLY].l3protonum != - ct2->tuple[NFCT_DIR_REPLY].l3protonum) - return 0; - l3proto = findl3proto(l3proto2str[L3PROTONUM(ct1)]); - if (l3proto && !l3proto->compare(ct1, ct2, l3flags)) - return 0; - } - - if (l4flags) { - if (ct1->tuple[NFCT_DIR_ORIGINAL].protonum != 0 && - ct2->tuple[NFCT_DIR_ORIGINAL].protonum != 0 && - ct1->tuple[NFCT_DIR_ORIGINAL].protonum != - ct2->tuple[NFCT_DIR_ORIGINAL].protonum) - return 0; - if (ct1->tuple[NFCT_DIR_REPLY].protonum != 0 && - ct2->tuple[NFCT_DIR_REPLY].protonum != 0 && - ct1->tuple[NFCT_DIR_REPLY].protonum != - ct2->tuple[NFCT_DIR_REPLY].protonum) - return 0; - proto = findproto(proto2str[L4PROTONUM(ct1)]); - if (proto && !proto->compare(ct1, ct2, l4flags)) - return 0; - } - - return 1; -} - -int nfct_create_conntrack(struct nfct_handle *cth, struct nfct_conntrack *ct) -{ - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - u_int32_t status = htonl(ct->status | IPS_CONFIRMED); - u_int32_t timeout = htonl(ct->timeout); - u_int32_t mark = htonl(ct->mark); - u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum; - - req = (void *) buf; - - memset(buf, 0, sizeof(buf)); - - nfnl_fill_hdr(cth->nfnlssh_ct, &req->nlh, 0, l3num, 0, - IPCTNL_MSG_CT_NEW, - NLM_F_REQUEST|NLM_F_CREATE|NLM_F_ACK|NLM_F_EXCL); - - nfct_build_tuple(req, sizeof(buf), &ct->tuple[NFCT_DIR_ORIGINAL], - CTA_TUPLE_ORIG); - nfct_build_tuple(req, sizeof(buf), &ct->tuple[NFCT_DIR_REPLY], - CTA_TUPLE_REPLY); - - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_STATUS, &status, - sizeof(u_int32_t)); - - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, - sizeof(u_int32_t)); - - if (ct->mark != 0) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark, - sizeof(u_int32_t)); - - nfct_build_protoinfo(req, sizeof(buf), ct); - if (ct->nat.min_ip != 0) - nfct_build_nat(req, sizeof(buf), ct); - - return nfnl_talk(cth->nfnlh, &req->nlh, 0, 0, NULL, NULL, NULL); -} - -int nfct_update_conntrack(struct nfct_handle *cth, struct nfct_conntrack *ct) -{ - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - u_int32_t status = htonl(ct->status | IPS_CONFIRMED); - u_int32_t timeout = htonl(ct->timeout); - u_int32_t id = htonl(ct->id); - u_int32_t mark = htonl(ct->mark); - u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum; - - req = (void *) &buf; - memset(&buf, 0, sizeof(buf)); - - nfnl_fill_hdr(cth->nfnlssh_ct, &req->nlh, 0, l3num, 0, - IPCTNL_MSG_CT_NEW, NLM_F_REQUEST|NLM_F_ACK); - - nfct_build_tuple(req, sizeof(buf), &ct->tuple[NFCT_DIR_ORIGINAL], - CTA_TUPLE_ORIG); - nfct_build_tuple(req, sizeof(buf), &ct->tuple[NFCT_DIR_REPLY], - CTA_TUPLE_REPLY); - - if (ct->status != 0) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_STATUS, &status, - sizeof(u_int32_t)); - - if (ct->timeout != 0) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, - sizeof(u_int32_t)); - - if (ct->mark != 0) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark, - sizeof(u_int32_t)); - - if (ct->id != NFCT_ANY_ID) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ID, &id, - sizeof(u_int32_t)); - - nfct_build_protoinfo(req, sizeof(buf), ct); - - return nfnl_talk(cth->nfnlh, &req->nlh, 0, 0, NULL, NULL, NULL); -} - -int nfct_delete_conntrack(struct nfct_handle *cth, struct nfct_tuple *tuple, - int dir, u_int32_t id) -{ - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - int type = dir ? CTA_TUPLE_REPLY : CTA_TUPLE_ORIG; - u_int8_t l3num = tuple->l3protonum; - - req = (void *) &buf; - memset(&buf, 0, sizeof(buf)); - - nfnl_fill_hdr(cth->nfnlssh_ct, &req->nlh, 0, - l3num, 0, IPCTNL_MSG_CT_DELETE, - NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST|NLM_F_ACK); - - nfct_build_tuple(req, sizeof(buf), tuple, type); - - if (id != NFCT_ANY_ID) { - id = htonl(id); /* to network byte order */ - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ID, &id, - sizeof(u_int32_t)); - } - - return nfnl_talk(cth->nfnlh, &req->nlh, 0, 0, NULL, NULL, NULL); -} - -int nfct_get_conntrack(struct nfct_handle *cth, struct nfct_tuple *tuple, - int dir, u_int32_t id) -{ - int err; - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - int type = dir ? CTA_TUPLE_REPLY : CTA_TUPLE_ORIG; - u_int8_t l3num = tuple->l3protonum; - - cth->handler = nfct_conntrack_netlink_handler; - - memset(&buf, 0, sizeof(buf)); - req = (void *) &buf; - - nfnl_fill_hdr(cth->nfnlssh_ct, &req->nlh, 0, - l3num, 0, IPCTNL_MSG_CT_GET, - NLM_F_REQUEST|NLM_F_ACK); - - nfct_build_tuple(req, sizeof(buf), tuple, type); - - if (id != NFCT_ANY_ID) { - id = htonl(id); /* to network byte order */ - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ID, &id, - sizeof(u_int32_t)); - } - - err = nfnl_send(cth->nfnlh, &req->nlh); - if (err < 0) - return err; - - return nfnl_listen(cth->nfnlh, &callback_handler, cth); -} - -static int __nfct_dump_conntrack_table(struct nfct_handle *cth, int zero, - int family) -{ - int err, msg; - struct nfnlhdr req; - - memset(&req, 0, sizeof(req)); - cth->handler = nfct_conntrack_netlink_handler; - - if (zero) - msg = IPCTNL_MSG_CT_GET_CTRZERO; - else - msg = IPCTNL_MSG_CT_GET; - - nfnl_fill_hdr(cth->nfnlssh_ct, &req.nlh, 0, family, 0, - msg, NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST|NLM_F_DUMP); - - err = nfnl_send(cth->nfnlh, &req.nlh); - if (err < 0) - return err; - - return nfnl_listen(cth->nfnlh, &callback_handler, cth); -} - -int nfct_dump_conntrack_table(struct nfct_handle *cth, int family) -{ - return(__nfct_dump_conntrack_table(cth, 0, family)); -} - -int nfct_dump_conntrack_table_reset_counters(struct nfct_handle *cth, - int family) -{ - return(__nfct_dump_conntrack_table(cth, 1, family)); -} - -int nfct_event_conntrack(struct nfct_handle *cth) -{ - cth->handler = nfct_conntrack_netlink_handler; - return nfnl_listen(cth->nfnlh, &callback_handler, cth); -} - -void nfct_register_proto(struct nfct_proto *h) -{ - if (strcmp(h->version, VERSION) != 0) { - fprintf(stderr, "plugin `%s': version %s (I'm %s)\n", - h->name, h->version, VERSION); - exit(1); - } - list_add(&h->head, &proto_list); -} - -void nfct_register_l3proto(struct nfct_l3proto *h) -{ - if (strcmp(h->version, VERSION) != 0) { - fprintf(stderr, "plugin `%s': version %s (I'm %s)\n", - h->name, h->version, VERSION); - exit(1); - } - list_add(&h->head, &l3proto_list); -} - -int nfct_dump_expect_list(struct nfct_handle *cth, int family) -{ - int err; - struct nfnlhdr req; - - memset(&req, 0, sizeof(req)); - - cth->handler = nfct_expect_netlink_handler; - nfnl_fill_hdr(cth->nfnlssh_exp, &req.nlh, 0, family, 0, - IPCTNL_MSG_EXP_GET, NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST); - - err = nfnl_send(cth->nfnlh, &req.nlh); - if (err < 0) - return err; - - return nfnl_listen(cth->nfnlh, &callback_handler, cth); -} - -int nfct_flush_conntrack_table(struct nfct_handle *cth, int family) -{ - struct nfnlhdr req; - - memset(&req, 0, sizeof(req)); - - nfnl_fill_hdr(cth->nfnlssh_ct, (struct nlmsghdr *) &req, - 0, family, 0, IPCTNL_MSG_CT_DELETE, - NLM_F_REQUEST|NLM_F_ACK); - - return nfnl_talk(cth->nfnlh, &req.nlh, 0, 0, NULL, NULL, NULL); -} - -int nfct_get_expectation(struct nfct_handle *cth, struct nfct_tuple *tuple, - u_int32_t id) -{ - int err; - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - u_int8_t l3num = tuple->l3protonum; - - memset(&buf, 0, sizeof(buf)); - req = (void *) &buf; - - nfnl_fill_hdr(cth->nfnlssh_exp, &req->nlh, 0, l3num, 0, - IPCTNL_MSG_EXP_GET, - NLM_F_REQUEST|NLM_F_ACK); - - cth->handler = nfct_expect_netlink_handler; - nfct_build_tuple(req, sizeof(buf), tuple, CTA_EXPECT_MASTER); - - if (id != NFCT_ANY_ID) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_EXPECT_ID, &id, - sizeof(u_int32_t)); - - err = nfnl_send(cth->nfnlh, &req->nlh); - if (err < 0) - return err; - - return nfnl_listen(cth->nfnlh, &callback_handler, cth); -} - -struct nfct_expect * -nfct_expect_alloc(struct nfct_tuple *master, struct nfct_tuple *tuple, - struct nfct_tuple *mask, u_int32_t timeout, - u_int32_t id) -{ - struct nfct_expect *exp; - - exp = malloc(sizeof(struct nfct_expect)); - if (!exp) - return NULL; - memset(exp, 0, sizeof(struct nfct_expect)); - - exp->master = *master; - exp->tuple = *tuple; - exp->mask = *mask; - exp->timeout = timeout; - if (id != NFCT_ANY_ID) - exp->id = htonl(id); - - return exp; -} - -void nfct_expect_free(struct nfct_expect *exp) -{ - free(exp); -} - -int nfct_create_expectation(struct nfct_handle *cth, struct nfct_expect *exp) -{ - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - req = (void *) &buf; - u_int8_t l3num = exp->tuple.l3protonum; - u_int32_t timeout; - u_int16_t queuenr; - - memset(&buf, 0, sizeof(buf)); - - nfnl_fill_hdr(cth->nfnlssh_exp, &req->nlh, 0, l3num, 0, - IPCTNL_MSG_EXP_NEW, - NLM_F_REQUEST|NLM_F_CREATE|NLM_F_ACK); - - nfct_build_tuple(req, sizeof(buf), &exp->master, CTA_EXPECT_MASTER); - nfct_build_tuple(req, sizeof(buf), &exp->tuple, CTA_EXPECT_TUPLE); - nfct_build_tuple(req, sizeof(buf), &exp->mask, CTA_EXPECT_MASK); - - timeout = htonl(exp->timeout); - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_EXPECT_TIMEOUT, - &timeout, sizeof(u_int32_t)); - - queuenr = htons(exp->expectfn_queue_id); - if (queuenr) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_EXPECT_QUEUENR, - &queuenr, sizeof(u_int16_t)); - - return nfnl_talk(cth->nfnlh, &req->nlh, 0, 0, NULL, NULL, NULL); -} - -int nfct_delete_expectation(struct nfct_handle *cth, struct nfct_tuple *tuple, - u_int32_t id) -{ - struct nfnlhdr *req; - char buf[NFCT_BUFSIZE]; - u_int8_t l3num = tuple->l3protonum; - - memset(&buf, 0, sizeof(buf)); - req = (void *) &buf; - - nfnl_fill_hdr(cth->nfnlssh_exp, &req->nlh, 0, l3num, - 0, IPCTNL_MSG_EXP_DELETE, - NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST|NLM_F_ACK); - - nfct_build_tuple(req, sizeof(buf), tuple, CTA_EXPECT_MASTER); - - if (id != NFCT_ANY_ID) - nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_EXPECT_ID, &id, - sizeof(u_int32_t)); - - return nfnl_talk(cth->nfnlh, &req->nlh, 0, 0, NULL, NULL, NULL); -} - -int nfct_event_expectation(struct nfct_handle *cth) -{ - cth->handler = nfct_expect_netlink_handler; - return nfnl_listen(cth->nfnlh, &callback_handler, cth); -} - -int nfct_flush_expectation_table(struct nfct_handle *cth, int family) -{ - struct nfnlhdr req; - - memset(&req, 0, sizeof(req)); - - nfnl_fill_hdr(cth->nfnlssh_exp, (struct nlmsghdr *) &req, - 0, family, 0, IPCTNL_MSG_EXP_DELETE, - NLM_F_REQUEST|NLM_F_ACK); - - return nfnl_talk(cth->nfnlh, &req.nlh, 0, 0, NULL, NULL, NULL); -} - diff --git a/src/deprecated/Makefile.am b/src/deprecated/Makefile.am deleted file mode 100644 index eedaefd..0000000 --- a/src/deprecated/Makefile.am +++ /dev/null @@ -1,3 +0,0 @@ -include $(top_srcdir)/Make_global.am - -SUBDIRS=extensions l3extensions diff --git a/src/deprecated/extensions/Makefile.am b/src/deprecated/extensions/Makefile.am deleted file mode 100644 index e44525b..0000000 --- a/src/deprecated/extensions/Makefile.am +++ /dev/null @@ -1,14 +0,0 @@ -include $(top_srcdir)/Make_global.am - -AUTOMAKE_OPTIONS = no-dependencies foreign - -AM_CFLAGS=-fPIC -Wall -LIBS= @LIBNFCONNTRACK_LIBS@ - -noinst_LTLIBRARIES = libnfct_proto_tcp.la libnfct_proto_udp.la \ - libnfct_proto_icmp.la libnfct_proto_sctp.la - -libnfct_proto_tcp_la_SOURCES = libnetfilter_conntrack_tcp.c -libnfct_proto_udp_la_SOURCES = libnetfilter_conntrack_udp.c -libnfct_proto_icmp_la_SOURCES = libnetfilter_conntrack_icmp.c -libnfct_proto_sctp_la_SOURCES = libnetfilter_conntrack_sctp.c diff --git a/src/deprecated/extensions/libnetfilter_conntrack_icmp.c b/src/deprecated/extensions/libnetfilter_conntrack_icmp.c deleted file mode 100644 index d15d7a1..0000000 --- a/src/deprecated/extensions/libnetfilter_conntrack_icmp.c +++ /dev/null @@ -1,84 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include - -#include "internal/deprecated.h" - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_ICMP_TYPE-1]) - tuple->l4dst.icmp.type = - *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_TYPE-1]); - - if (cda[CTA_PROTO_ICMP_CODE-1]) - tuple->l4dst.icmp.code = - *(u_int8_t *)NFA_DATA(cda[CTA_PROTO_ICMP_CODE-1]); - - if (cda[CTA_PROTO_ICMP_ID-1]) - tuple->l4src.icmp.id = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_ICMP_ID-1]); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_CODE, - &t->l4dst.icmp.code, sizeof(u_int8_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_TYPE, - &t->l4dst.icmp.type, sizeof(u_int8_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_ID, - &t->l4src.icmp.id, sizeof(u_int16_t)); -} - -static int print_proto(char *buf, struct nfct_tuple *t) -{ - /* The ID only makes sense some ICMP messages but we want to - * display the same output that /proc/net/ip_conntrack does */ - return (sprintf(buf, "type=%d code=%d id=%d ",t->l4dst.icmp.type, - t->l4dst.icmp.code, - ntohs(t->l4src.icmp.id))); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & ICMP_TYPE) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.type) - return 0; - if (flags & ICMP_CODE) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.code != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.icmp.code) - return 0; - if (flags & ICMP_ID) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.icmp.id != - ct2->tuple[NFCT_DIR_REPLY].l4src.icmp.id) - return 0; - - return 1; -} - -struct nfct_proto icmp = { - .name = "icmp", - .protonum = IPPROTO_ICMP, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; diff --git a/src/deprecated/extensions/libnetfilter_conntrack_sctp.c b/src/deprecated/extensions/libnetfilter_conntrack_sctp.c deleted file mode 100644 index 1fa63a5..0000000 --- a/src/deprecated/extensions/libnetfilter_conntrack_sctp.c +++ /dev/null @@ -1,94 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include - -#include "internal/deprecated.h" - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_SRC_PORT-1]) - tuple->l4src.sctp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); - if (cda[CTA_PROTO_DST_PORT-1]) - tuple->l4dst.sctp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); -} - -static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct) -{ -/* if (cda[CTA_PROTOINFO_SCTP_STATE-1]) - ct->protoinfo.sctp.state = - *(u_int8_t *)NFA_DATA(cda[CTA_PROTOINFO_SCTP_STATE-1]); -*/ -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, - &t->l4src.sctp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, - &t->l4dst.sctp.port, sizeof(u_int16_t)); -} - -static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo) -{ -/* fprintf(stdout, "%s ", states[protoinfo->sctp.state]); */ - return 0; -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.sctp.port), - htons(tuple->l4dst.sctp.port))); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & SCTP_ORIG_SPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4src.sctp.port) - return 0; - if (flags & SCTP_ORIG_DPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.sctp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.sctp.port) - return 0; - if (flags & SCTP_REPL_SPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.sctp.port != - ct2->tuple[NFCT_DIR_REPLY].l4src.sctp.port) - return 0; - if (flags & SCTP_REPL_DPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4dst.sctp.port != - ct2->tuple[NFCT_DIR_REPLY].l4dst.sctp.port) - return 0; - - return 1; -} - -struct nfct_proto sctp = { - .name = "sctp", - .protonum = IPPROTO_SCTP, - .parse_proto = parse_proto, - .parse_protoinfo = parse_protoinfo, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .print_protoinfo = print_protoinfo, - .compare = compare, - .version = VERSION -}; diff --git a/src/deprecated/extensions/libnetfilter_conntrack_tcp.c b/src/deprecated/extensions/libnetfilter_conntrack_tcp.c deleted file mode 100644 index 60447fe..0000000 --- a/src/deprecated/extensions/libnetfilter_conntrack_tcp.c +++ /dev/null @@ -1,136 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include - -#include "internal/deprecated.h" - -static const char *states[] = { - "NONE", - "SYN_SENT", - "SYN_RECV", - "ESTABLISHED", - "FIN_WAIT", - "CLOSE_WAIT", - "LAST_ACK", - "TIME_WAIT", - "CLOSE", - "LISTEN" -}; - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_SRC_PORT-1]) - tuple->l4src.tcp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); - if (cda[CTA_PROTO_DST_PORT-1]) - tuple->l4dst.tcp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); -} - -static void parse_protoinfo(struct nfattr *cda[], struct nfct_conntrack *ct) -{ - struct nfattr *tb[CTA_PROTOINFO_TCP_MAX]; - - /* - * Listen to me carefully: This is easy to trigger with events ;). - * The conntrack event messages don't always contain all the - * information about a conntrack, just those fields that have changed. - * So you can receive a message about a TCP connection with no bits - * talking about the private protocol information. - * - * --pablo 05/10/31 - */ - if (!cda[CTA_PROTOINFO_TCP-1]) - return; - - nfnl_parse_nested(tb,CTA_PROTOINFO_TCP_MAX, cda[CTA_PROTOINFO_TCP-1]); - - if (tb[CTA_PROTOINFO_TCP_STATE-1]) - ct->protoinfo.tcp.state = - *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, - &t->l4src.tcp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, - &t->l4dst.tcp.port, sizeof(u_int16_t)); -} - -static void build_protoinfo(struct nfnlhdr *req, int size, - struct nfct_conntrack *ct) -{ - struct nfattr *nest_proto; - - nest_proto = nfnl_nest(&req->nlh, size, CTA_PROTOINFO_TCP); - nfnl_addattr_l(&req->nlh, size, CTA_PROTOINFO_TCP_STATE, - &ct->protoinfo.tcp.state, sizeof(u_int8_t)); - nfnl_nest_end(&req->nlh, nest_proto); -} - -static int print_protoinfo(char *buf, union nfct_protoinfo *protoinfo) -{ - return(sprintf(buf, "%s ", states[protoinfo->tcp.state])); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - return(sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.tcp.port), - htons(tuple->l4dst.tcp.port))); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & TCP_ORIG_SPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4src.tcp.port) - return 0; - if (flags & TCP_ORIG_DPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.tcp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.tcp.port) - return 0; - if (flags & TCP_REPL_SPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.tcp.port != - ct2->tuple[NFCT_DIR_REPLY].l4src.tcp.port) - return 0; - if (flags & TCP_REPL_DPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4dst.tcp.port != - ct2->tuple[NFCT_DIR_REPLY].l4dst.tcp.port) - return 0; - if (flags & TCP_STATE) - if (ct1->protoinfo.tcp.state != ct2->protoinfo.tcp.state) - return 0; - - return 1; -} - -struct nfct_proto tcp = { - .name = "tcp", - .protonum = IPPROTO_TCP, - .parse_protoinfo = parse_protoinfo, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .build_protoinfo = build_protoinfo, - .print_protoinfo = print_protoinfo, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; diff --git a/src/deprecated/extensions/libnetfilter_conntrack_udp.c b/src/deprecated/extensions/libnetfilter_conntrack_udp.c deleted file mode 100644 index 522c0ae..0000000 --- a/src/deprecated/extensions/libnetfilter_conntrack_udp.c +++ /dev/null @@ -1,78 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include - -#include "internal/deprecated.h" - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_PROTO_SRC_PORT-1]) - tuple->l4src.udp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_SRC_PORT-1]); - if (cda[CTA_PROTO_DST_PORT-1]) - tuple->l4dst.udp.port = - *(u_int16_t *)NFA_DATA(cda[CTA_PROTO_DST_PORT-1]); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - return (sprintf(buf, "sport=%u dport=%u ", htons(tuple->l4src.udp.port), - htons(tuple->l4dst.udp.port))); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_SRC_PORT, - &t->l4src.udp.port, sizeof(u_int16_t)); - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_DST_PORT, - &t->l4dst.udp.port, sizeof(u_int16_t)); -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & UDP_ORIG_SPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4src.udp.port) - return 0; - if (flags & UDP_ORIG_DPORT) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l4dst.udp.port != - ct2->tuple[NFCT_DIR_ORIGINAL].l4dst.udp.port) - return 0; - if (flags & UDP_REPL_SPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4src.udp.port != - ct2->tuple[NFCT_DIR_REPLY].l4src.udp.port) - return 0; - if (flags & UDP_REPL_DPORT) - if (ct1->tuple[NFCT_DIR_REPLY].l4dst.udp.port != - ct2->tuple[NFCT_DIR_REPLY].l4dst.udp.port) - return 0; - - return 1; -} - -struct nfct_proto udp = { - .name = "udp", - .protonum = IPPROTO_UDP, - .build_tuple_proto = build_tuple_proto, - .parse_proto = parse_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION, -}; diff --git a/src/deprecated/l3extensions/Makefile.am b/src/deprecated/l3extensions/Makefile.am deleted file mode 100644 index f8cb0a2..0000000 --- a/src/deprecated/l3extensions/Makefile.am +++ /dev/null @@ -1,9 +0,0 @@ -include $(top_srcdir)/Make_global.am - -AM_CFLAGS=-fPIC -Wall -LIBS = @LIBNFCONNTRACK_LIBS@ - -noinst_LTLIBRARIES = libnfct_l3proto_ipv4.la libnfct_l3proto_ipv6.la - -libnfct_l3proto_ipv4_la_SOURCES = libnetfilter_conntrack_ipv4.c -libnfct_l3proto_ipv6_la_SOURCES = libnetfilter_conntrack_ipv6.c diff --git a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c deleted file mode 100644 index fb84a6f..0000000 --- a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv4.c +++ /dev/null @@ -1,88 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ -#include -#include -#include /* For htons */ -#include -#include -#include - -#include "internal/deprecated.h" - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_IP_V4_SRC-1]) - tuple->src.v4 = *(u_int32_t *)NFA_DATA(cda[CTA_IP_V4_SRC-1]); - - if (cda[CTA_IP_V4_DST-1]) - tuple->dst.v4 = *(u_int32_t *)NFA_DATA(cda[CTA_IP_V4_DST-1]); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_IP_V4_SRC, &t->src.v4, - sizeof(u_int32_t)); - nfnl_addattr_l(&req->nlh, size, CTA_IP_V4_DST, &t->dst.v4, - sizeof(u_int32_t)); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - struct in_addr src = { .s_addr = tuple->src.v4 }; - struct in_addr dst = { .s_addr = tuple->dst.v4 }; - int size; - - size = sprintf(buf, "src=%s ", inet_ntoa(src)); - size += sprintf(buf+size, "dst=%s ", inet_ntoa(dst)); - - return size; -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & IPV4_ORIG) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum != - ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum) - return 0; - if (flags & IPV4_REPL) - if (ct1->tuple[NFCT_DIR_REPLY].l3protonum != - ct2->tuple[NFCT_DIR_REPLY].l3protonum) - return 0; - if (flags & IPV4_ORIG_SRC) - if (ct1->tuple[NFCT_DIR_ORIGINAL].src.v4 != - ct2->tuple[NFCT_DIR_ORIGINAL].src.v4) - return 0; - if (flags & IPV4_ORIG_DST) - if (ct1->tuple[NFCT_DIR_ORIGINAL].dst.v4 != - ct2->tuple[NFCT_DIR_ORIGINAL].dst.v4) - return 0; - if (flags & IPV4_REPL_SRC) - if (ct1->tuple[NFCT_DIR_REPLY].src.v4 != - ct2->tuple[NFCT_DIR_REPLY].src.v4) - return 0; - if (flags & IPV4_REPL_DST) - if (ct1->tuple[NFCT_DIR_REPLY].dst.v4 != - ct2->tuple[NFCT_DIR_REPLY].dst.v4) - return 0; - - return 1; -} - -struct nfct_l3proto ipv4 = { - .name = "ipv4", - .protonum = AF_INET, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; diff --git a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c b/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c deleted file mode 100644 index dc13395..0000000 --- a/src/deprecated/l3extensions/libnetfilter_conntrack_ipv6.c +++ /dev/null @@ -1,109 +0,0 @@ -/* - * (C) 2005 by Pablo Neira Ayuso - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ -#include -#include -#include -#include -#include /* For htons */ -#include -#include -#include -#include - -#include "internal/deprecated.h" - -#ifndef HAVE_INET_NTOP_IPV6 -#warning "inet_ntop does not support IPv6" -#endif - -static void parse_proto(struct nfattr *cda[], struct nfct_tuple *tuple) -{ - if (cda[CTA_IP_V6_SRC-1]) - memcpy(tuple->src.v6, NFA_DATA(cda[CTA_IP_V6_SRC-1]), - sizeof(u_int32_t)*4); - - if (cda[CTA_IP_V6_DST-1]) - memcpy(tuple->dst.v6, NFA_DATA(cda[CTA_IP_V6_DST-1]), - sizeof(u_int32_t)*4); -} - -static void build_tuple_proto(struct nfnlhdr *req, int size, - struct nfct_tuple *t) -{ - nfnl_addattr_l(&req->nlh, size, CTA_IP_V6_SRC, &t->src.v6, - sizeof(u_int32_t)*4); - nfnl_addattr_l(&req->nlh, size, CTA_IP_V6_DST, &t->dst.v6, - sizeof(u_int32_t)*4); -} - -static int print_proto(char *buf, struct nfct_tuple *tuple) -{ - struct in6_addr src; - struct in6_addr dst; - char tmp[INET6_ADDRSTRLEN]; - int size; - - memcpy(&src, tuple->src.v6, sizeof(struct in6_addr)); - memcpy(&dst, tuple->dst.v6, sizeof(struct in6_addr)); - - if (!inet_ntop(AF_INET6, &src, tmp, sizeof(tmp))) - return 0; - size = sprintf(buf, "src=%s ", tmp); - if (!inet_ntop(AF_INET6, &dst, tmp, sizeof(tmp))) - return 0; - size += sprintf(buf + size, "dst=%s ", tmp); - - return size; -} - -static int compare(struct nfct_conntrack *ct1, - struct nfct_conntrack *ct2, - unsigned int flags) -{ - if (flags & IPV6_ORIG) - if (ct1->tuple[NFCT_DIR_ORIGINAL].l3protonum != - ct2->tuple[NFCT_DIR_ORIGINAL].l3protonum) - return 0; - if (flags & IPV6_REPL) - if (ct1->tuple[NFCT_DIR_REPLY].l3protonum != - ct2->tuple[NFCT_DIR_REPLY].l3protonum) - return 0; - if (flags & IPV6_ORIG_SRC) - if (memcmp(ct1->tuple[NFCT_DIR_ORIGINAL].src.v6, - ct2->tuple[NFCT_DIR_ORIGINAL].src.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - if (flags & IPV6_ORIG_DST) - if (memcmp(ct1->tuple[NFCT_DIR_ORIGINAL].dst.v6, - ct2->tuple[NFCT_DIR_ORIGINAL].dst.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - if (flags & IPV6_REPL_SRC) - if (memcmp(ct1->tuple[NFCT_DIR_REPLY].src.v6, - ct2->tuple[NFCT_DIR_REPLY].src.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - if (flags & IPV6_REPL_DST) - if (memcmp(ct1->tuple[NFCT_DIR_REPLY].dst.v6, - ct2->tuple[NFCT_DIR_REPLY].dst.v6, - sizeof(u_int32_t)*4) == 0) - return 0; - - return 1; -} - -struct nfct_l3proto ipv6 = { - .name = "ipv6", - .protonum = AF_INET6, - .parse_proto = parse_proto, - .build_tuple_proto = build_tuple_proto, - .print_proto = print_proto, - .compare = compare, - .version = VERSION -}; diff --git a/src/main.c b/src/main.c index 41e4f26..d0ed9c0 100644 --- a/src/main.c +++ b/src/main.c @@ -18,8 +18,6 @@ struct nfct_handle *nfct_open_nfnl(struct nfnl_handle *nfnlh, { struct nfct_handle *cth; - deprecated_backward_support(); - cth = (struct nfct_handle *) malloc(sizeof(struct nfct_handle)); if (!cth) return NULL; -- cgit v1.2.3