diff options
author | Patrick McHardy <kaber@trash.net> | 2009-03-18 04:55:00 +0100 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-03-18 04:55:00 +0100 |
commit | fac10ea799fe9b6158d74f66d6ad46536d38a545 (patch) | |
tree | 8c093bcbb2144aab54c70103e6ed438456ae0d48 /src/ct.c |
Initial commitv0.01-alpha1
Diffstat (limited to 'src/ct.c')
-rw-r--r-- | src/ct.c | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/src/ct.c b/src/ct.c new file mode 100644 index 00000000..00895394 --- /dev/null +++ b/src/ct.c @@ -0,0 +1,149 @@ +/* + * Conntrack expression related definitions and types. + * + * Copyright (c) 2008 Patrick McHardy <kaber@trash.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Development of this code funded by Astaro AG (http://www.astaro.com/) + */ + +#include <stddef.h> +#include <stdlib.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> + +#include <linux/netfilter/nf_tables.h> +#include <linux/netfilter/nf_conntrack_common.h> +#include <linux/netfilter/nf_conntrack_tuple_common.h> + +#include <expression.h> +#include <datatype.h> +#include <ct.h> +#include <utils.h> + +static const struct symbol_table ct_state_tbl = { + .byteorder = BYTEORDER_HOST_ENDIAN, + .size = 4 * BITS_PER_BYTE, + .symbols = { + SYMBOL("invalid", NF_CT_STATE_INVALID_BIT), + SYMBOL("new", NF_CT_STATE_BIT(IP_CT_NEW)), + SYMBOL("established", NF_CT_STATE_BIT(IP_CT_ESTABLISHED)), + SYMBOL("related", NF_CT_STATE_BIT(IP_CT_RELATED)), + SYMBOL("untracked", NF_CT_STATE_UNTRACKED_BIT), + SYMBOL_LIST_END + } +}; + +static const struct datatype ct_state_type = { + .type = TYPE_CT_STATE, + .name = "conntrack state", + .basetype = &bitmask_type, + .sym_tbl = &ct_state_tbl, +}; + +static const struct symbol_table ct_dir_tbl = { + .byteorder = BYTEORDER_INVALID, + .size = BITS_PER_BYTE, + .symbols = { + SYMBOL("original", IP_CT_DIR_ORIGINAL), + SYMBOL("reply", IP_CT_DIR_REPLY), + SYMBOL_LIST_END + } +}; + +static const struct datatype ct_dir_type = { + .type = TYPE_CT_DIR, + .name = "conntrack direction", + .basetype = &bitmask_type, + .sym_tbl = &ct_dir_tbl, +}; + +static const struct symbol_table ct_status_tbl = { + .byteorder = BYTEORDER_HOST_ENDIAN, + .size = 4 * BITS_PER_BYTE, + /* + * There are more, but most of them don't make sense for filtering. + */ + .symbols = { + SYMBOL("expected", IPS_EXPECTED), + SYMBOL("seen-reply", IPS_SEEN_REPLY), + SYMBOL("assured", IPS_ASSURED), + SYMBOL("confirmed", IPS_CONFIRMED), + SYMBOL("snat", IPS_SRC_NAT), + SYMBOL("dnat", IPS_DST_NAT), + SYMBOL("dying", IPS_DYING), + SYMBOL_LIST_END + }, +}; + +static const struct datatype ct_status_type = { + .type = TYPE_CT_STATUS, + .name = "conntrack status", + .basetype = &bitmask_type, + .sym_tbl = &ct_status_tbl, +}; + +static const struct ct_template ct_templates[] = { + [NFT_CT_STATE] = CT_TEMPLATE("state", &ct_state_type, + BYTEORDER_HOST_ENDIAN, + 4 * BITS_PER_BYTE), + [NFT_CT_DIRECTION] = CT_TEMPLATE("direction", &ct_dir_type, + BYTEORDER_HOST_ENDIAN, + BITS_PER_BYTE), + [NFT_CT_STATUS] = CT_TEMPLATE("status", &ct_status_type, + BYTEORDER_HOST_ENDIAN, + 4 * BITS_PER_BYTE), + [NFT_CT_MARK] = CT_TEMPLATE("mark", &mark_type, + BYTEORDER_HOST_ENDIAN, + 4 * BITS_PER_BYTE), + [NFT_CT_SECMARK] = CT_TEMPLATE("secmark", &integer_type, + BYTEORDER_HOST_ENDIAN, + 4 * BITS_PER_BYTE), + [NFT_CT_EXPIRATION] = CT_TEMPLATE("expiration", &time_type, + BYTEORDER_HOST_ENDIAN, + 4 * BITS_PER_BYTE), + [NFT_CT_HELPER] = CT_TEMPLATE("helper", &string_type, + BYTEORDER_INVALID, 0), + [NFT_CT_L3PROTO] = CT_TEMPLATE("l3proto", &invalid_type, + BYTEORDER_INVALID, + BITS_PER_BYTE), + [NFT_CT_SADDR] = CT_TEMPLATE("saddr", &invalid_type, + BYTEORDER_BIG_ENDIAN, 0), + [NFT_CT_DADDR] = CT_TEMPLATE("daddr", &invalid_type, + BYTEORDER_BIG_ENDIAN, 0), + [NFT_CT_PROTOCOL] = CT_TEMPLATE("protocol", &inet_protocol_type, + BYTEORDER_BIG_ENDIAN, + BITS_PER_BYTE), + [NFT_CT_PROTO_SRC] = CT_TEMPLATE("proto-src", &invalid_type, + BYTEORDER_BIG_ENDIAN, + 2 * BITS_PER_BYTE), + [NFT_CT_PROTO_DST] = CT_TEMPLATE("proto-dst", &invalid_type, + BYTEORDER_BIG_ENDIAN, + 2 * BITS_PER_BYTE), +}; + +static void ct_expr_print(const struct expr *expr) +{ + printf("ct %s", ct_templates[expr->ct.key].token); +} + +static const struct expr_ops ct_expr_ops = { + .type = EXPR_CT, + .name = "ct", + .print = ct_expr_print, +}; + +struct expr *ct_expr_alloc(const struct location *loc, enum nft_ct_keys key) +{ + const struct ct_template *tmpl = &ct_templates[key]; + struct expr *expr; + + expr = expr_alloc(loc, &ct_expr_ops, tmpl->dtype, + tmpl->byteorder, tmpl->len); + expr->ct.key = key; + return expr; +} |