author/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org>2007-06-09 17:52:50 +0000
committer/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org>2007-06-09 17:52:50 +0000
commit3e093dbcb66b3bca23f603836510b1b3032d92a5 (patch)
treecf832836d620fde87ebfe27497f9374a4901e0a6
parent8004cfdaa8c8467980d4390e9c9048937831595c (diff)
- add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
- update conntrack(8) manpage
-rw-r--r--ChangeLog2
-rw-r--r--conntrack.814
-rw-r--r--src/conntrack.c36
3 files changed, 43 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index c252d1a..78af5b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,8 @@ o fix segfault with conntrack --output (Krzysztof Oledzky)
o use NFCT_SOPT_SETUP_* facilities: nfct_setobjopt
o remove bogus option to get a conntrack in test.sh example file
o add aliases --sport and --dport to make it more iptables-like
+o add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
+o update conntrack(8) manpage
version 0.9.3 (2006/05/22)
------------------------------
diff --git a/conntrack.8 b/conntrack.8
index 3a35613..bb9b0e0 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -107,13 +107,14 @@ This option is only required in conjunction with "-L, --dump". If this option is
.BI "-t, --timeout " "TIMEOUT"
Specify the timeout.
.TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET][,...]"
Specify the conntrack status.
.TP
-.BI "-i, --id " "ID"
-Specify the conntrack ID.
-.
-This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
+.BI "-n, --src-nat "
+Filter source NAT connections.
+.TP
+.BI "-g, --dst-nat "
+Filter destination NAT connections.
.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
@@ -144,6 +145,9 @@ Dump the connection tracking table in XML
.B conntrack \-L -f ipv6 -o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format
.TP
+.B conntrack \-L --src-nat
+Dump source NAT connections
+.TP
.B conntrack \-E \-o timestamp
Show connection events together with the timestamp
.SH BUGS
diff --git a/src/conntrack.c b/src/conntrack.c
index 2555f2e..a14ee4b 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -94,8 +94,8 @@ static struct option original_opts[] = {
{"mark", 1, 0, 'm'},
{"id", 2, 0, 'i'}, /* deprecated */
{"family", 1, 0, 'f'},
- {"src-nat", 1, 0, 'n'},
- {"dst-nat", 1, 0, 'g'},
+ {"src-nat", 2, 0, 'n'},
+ {"dst-nat", 2, 0, 'g'},
{"output", 1, 0, 'o'},
{0, 0, 0, 0}
};
@@ -119,13 +119,13 @@ static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
/* s d r q p t u z e [ ] { } a m i f n g o */
-/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,0,0,2},
+/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,2,2,2},
/*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0},
/*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0,0,0,0},
/*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
/*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2},
/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,0,0,2},
+/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2},
/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
/*HELP*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0},
@@ -597,6 +597,18 @@ static int event_cb(enum nf_conntrack_msg_type type,
unsigned int output_type = NFCT_O_DEFAULT;
unsigned int output_flags = 0;
+ if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+ if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_SRC_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_DST_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return NFCT_CB_CONTINUE;
+ }
+
if (options & CT_COMPARISON && !nfct_compare(obj, ct))
return NFCT_CB_CONTINUE;
@@ -626,6 +638,18 @@ static int dump_cb(enum nf_conntrack_msg_type type,
unsigned int output_type = NFCT_O_DEFAULT;
unsigned int output_flags = 0;
+ if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+ if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_SRC_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_DST_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return NFCT_CB_CONTINUE;
+ }
+
if (options & CT_COMPARISON && !nfct_compare(obj, ct))
return NFCT_CB_CONTINUE;
@@ -930,11 +954,15 @@ int main(int argc, char *argv[])
break;
case 'n':
options |= CT_OPT_SRC_NAT;
+ if (!optarg)
+ break;
set_family(&family, AF_INET);
nat_parse(optarg, 1, obj, CT_OPT_SRC_NAT);
break;
case 'g':
options |= CT_OPT_DST_NAT;
+ if (!optarg)
+ break;
set_family(&family, AF_INET);
nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);
case 'm':
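Review bot: `case 'g'` still falls through into `case 'm'` when an argument is supplied: the added `if (!optarg) break;` only covers a bare `-g`, and there is no `break;` after `nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);`, so `-g ADDR` would also run the mark handling unless that fallthrough is deliberate (nothing in the hunk marks it) — add `break;` after the nat_parse call. Changing has_arg from 1 to 2 in original_opts makes the argument optional in the getopt_long sense, which means only `--src-nat=ADDR` / `-nADDR` are parsed as the option's argument while `-n ADDR` now becomes a bare `-n` followed by a stray positional argument; the manpage hunk documents only the argument-less form, so a line in the usage text stating the attached-argument syntax would avoid silent misparsing. The NAT filter block added to event_cb and dump_cb is identical and could be one static helper so the two callbacks cannot drift, and the `options & X && options & Y` tests read more safely with parentheses around each bitwise term. main's switch continues outside the hunk.
```c
/* Return 1 when ct passes the --src-nat/--dst-nat filter, or when no NAT filter is set. */
static int nat_filter_match(const struct nf_conntrack *ct)
{
	int want_snat = (options & CT_OPT_SRC_NAT) != 0;
	int want_dnat = (options & CT_OPT_DST_NAT) != 0;

	if (!want_snat && !want_dnat)
		return 1;
	return (want_snat && nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) ||
	       (want_dnat && nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT));
}

/* … in event_cb and dump_cb, replacing the added if/else-if block … */
	if (!nat_filter_match(ct))
		return NFCT_CB_CONTINUE;
```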