-rw-r--r--ChangeLog10
-rw-r--r--TODO13
-rw-r--r--extensions/libct_proto_tcp.c14
-rw-r--r--extensions/libct_proto_udp.c14
-rw-r--r--src/conntrack.c37
-rw-r--r--src/libct.c105
-rw-r--r--test.sh8
7 files changed, 121 insertions, 80 deletions
diff --git a/ChangeLog b/ChangeLog
index 147f8d6..a1c11e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,3 +21,13 @@
<azez@ufomechanic.net>
o Autoconf stuff for conntrack + some pablo's modifications.
o Fixed packet counters formatting (use %llu instead of %lu)
+
+2005-05-16
+<pablo@eurodev.net>
+ o Implemented ICMP proto helper
+ o Added help() and final_check() functions for proto helpers.
+
+2005-05-17
+<pablo@eurodev.net>
+ o Added descriptive error messages.
+ o Fix wrong flags check in [tcp|udp] proto helpers.
diff --git a/TODO b/TODO
index 4b1654f..f94fb9c 100644
--- a/TODO
+++ b/TODO
@@ -1,12 +1,15 @@
+X = done
+N = forget it
+
user space tool
---------------
[X] Proper Makefiles
[X] Modify Event Display (-E conntrack).
Extensions:
-[ ] ICMP library
+[X] ICMP library
[X] finish TCP: protocol specific stuff: --state, etc...
-[ ] finish UDP, TCP, ICMP: help
+[X] finish UDP, TCP, ICMP: help
nfnetlink_conntrack:
--------------------
@@ -15,11 +18,11 @@ Now:
[X] Error handling (nlerrmsg)
[X] Use id's to identify conntracks
[ ] Split NEW and CHANGE
-[ ] Split DUMP and GET
-[ ] Kill Change API. Move locks to ip_conntrack_[protocol|helper].
+[N] Split DUMP and GET
+[N] Kill Change API. Move locks to ip_conntrack_[protocol|helper].
[X] implement conntrack FLUSH
Later:
-[ ] convert CTA_SOMETHING-1 to CTA_SOMETHING, annoying!
+[N] convert CTA_SOMETHING-1 to CTA_SOMETHING, annoying!
[ ] NAT handlings
[ ] Expectations
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index a2243dc..4cddf53 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -115,16 +115,12 @@ int parse(char c, char *argv[],
int final_check(unsigned int flags)
{
- if (!(flags & ORIG_SPORT))
- return 0;
- else if (!(flags & ORIG_DPORT))
- return 0;
- else if (!(flags & REPL_SPORT))
- return 0;
- else if (!(flags & REPL_DPORT))
- return 0;
+ if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT))
+ return 1;
+ else if ((flags & REPL_SPORT) && (flags & REPL_DPORT))
+ return 1;
- return 1;
+ return 0;
}
void print_tuple(struct ip_conntrack_tuple *t)
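Review bot: The `else` after `return 1;` is redundant, and the rewritten check carries no comment saying what it now accepts, which matters because the rule changed from "all four ports" to "both ports of at least one direction". The two branches collapse into one expression: `/* A tuple is usable when at least one direction has both its ports set */` followed by `return ((flags & ORIG_SPORT) && (flags & ORIG_DPORT)) || ((flags & REPL_SPORT) && (flags & REPL_DPORT));`. The udp hunk in extensions/libct_proto_udp.c has exactly the same shape and would take the same rewrite. Since this is the last validation before the tuple is handed to the kernel, it is worth confirming that the callers in src/conntrack.c cope with the other direction's ports being unset; that code is not visible here.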
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index 8e20bd5..0088cc5 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -82,16 +82,12 @@ int parse(char c, char *argv[],
int final_check(unsigned int flags)
{
- if (!(flags & ORIG_SPORT))
- return 0;
- else if (!(flags & ORIG_DPORT))
- return 0;
- else if (!(flags & REPL_SPORT))
- return 0;
- else if (!(flags & REPL_DPORT))
- return 0;
+ if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT))
+ return 1;
+ else if ((flags & REPL_SPORT) && (flags & REPL_DPORT))
+ return 1;
- return 1;
+ return 0;
}
void print_tuple(struct ip_conntrack_tuple *t)
diff --git a/src/conntrack.c b/src/conntrack.c
index 676049e..11a6b54 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -38,6 +38,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <string.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include "libctnetlink.h"
@@ -46,7 +47,7 @@
#include "libct_proto.h"
#define PROGNAME "conntrack"
-#define VERSION "0.60"
+#define VERSION "0.62"
#if 0
#define DEBUGP printf
@@ -299,6 +300,36 @@ merge_options(struct option *oldopts, const struct option *newopts,
return merge;
}
+/* From linux/errno.h */
+#define ENOTSUPP 524 /* Operation is not supported */
+
+/* Translates errno numbers into more human-readable form than strerror. */
+const char *
+err2str(int err, enum action command)
+{
+ unsigned int i;
+ struct table_struct {
+ enum action act;
+ int err;
+ const char *message;
+ } table [] =
+ { { CT_LIST, -ENOTSUPP, "function not implemented" },
+ { 0xFFFF, -EINVAL, "invalid parameters" },
+ { CT_CREATE|CT_GET|CT_DELETE, -ENOENT,
+ "such conntrack doesn't exist" },
+ { CT_CREATE|CT_GET, -ENOMEM, "not enough memory" },
+ { CT_GET, -EAFNOSUPPORT, "protocol not supported" },
+ { CT_CREATE, -ETIME, "conntrack has expired" },
+ };
+
+ for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
+ if ((table[i].act & command) && table[i].err == err)
+ return table[i].message;
+ }
+
+ return strerror(err);
+}
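Review bot: The fallback `return strerror(err);` is handed the negative error code: main only calls `err2str(res, command)` when `res < 0`, and every table row compares against `-ENOTSUPP`, `-EINVAL`, `-ENOENT` and so on, so any code the table does not list prints "Unknown error -N" instead of the libc text; it should be `return strerror(-err);`. The wildcard action `0xFFFF` on the `-EINVAL` row is a magic value and would read better as a named mask such as `CT_ANY`, and the table is rebuilt on the stack at every call where `static const struct table_struct table[] = { ... };` would do. `sizeof(table)/sizeof(table[0])` is the conventional element count and survives a later rename of the struct. A one-line comment on the `ENOTSUPP` define noting that userspace errno.h does not export it would explain why a kernel constant is being redefined here, as the existing comment only names its origin.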
+
static void dump_tuple(struct ip_conntrack_tuple *tp)
{
fprintf(stdout, "tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n",
@@ -732,6 +763,6 @@ int main(int argc, char *argv[])
global_option_offset = 0;
}
- if (res == -1)
- fprintf(stderr, "Operation failed\n");
+ if (res < 0)
+ fprintf(stderr, "Operation failed: %s\n", err2str(res, command));
}
diff --git a/src/libct.c b/src/libct.c
index cb0fabb..b40b818 100644
--- a/src/libct.c
+++ b/src/libct.c
@@ -216,18 +216,19 @@ int create_conntrack(struct ip_conntrack_tuple *orig,
struct cta_proto cta;
struct nfattr *cda[CTA_MAX];
struct ctnl_handle cth;
+ int ret;
cta.num_proto = orig->dst.protonum;
memcpy(&cta.proto, proto, sizeof(*proto));
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- /* FIXME: please unify returns values... */
- if (ctnl_new_conntrack(&cth, orig, reply, timeout, &cta, status) < 0)
- return -1;
+ if ((ret = ctnl_new_conntrack(&cth, orig, reply, timeout, &cta,
+ status)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
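Review bot: The error paths still leave the handle open: once `ctnl_open(&cth, 0)` has succeeded, a failing `ctnl_new_conntrack` returns `ret` immediately and `ctnl_close(&cth)` is never reached, so whatever `ctnl_open` acquired (presumably a netlink socket) stays open until the process exits. The same early-return shape is in the delete_conntrack, get_conntrack, dump_conntrack_table, event_conntrack, dump_expect_list, set_mask and flush_conntrack hunks below, and since main now reports the propagated code, each of them could also document that a negative errno-style value is returned. A single exit path closes the handle on every outcome while keeping the first error as the return value; create_conntrack's signature is above this hunk.
```c
	int ret;
	// … unchanged: cta setup …
	if ((ret = ctnl_open(&cth, 0)) < 0)
		return ret;

	ret = ctnl_new_conntrack(&cth, orig, reply, timeout, &cta, status);
	if (ret < 0) {
		ctnl_close(&cth);	/* report the first failure, not the close result */
		return ret;
	}

	if ((ret = ctnl_close(&cth)) < 0)
		return ret;
	return 0;
```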
@@ -237,16 +238,16 @@ int delete_conntrack(struct ip_conntrack_tuple *tuple,
{
struct nfattr *cda[CTA_MAX];
struct ctnl_handle cth;
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- /* FIXME: please unify returns values... */
- if (ctnl_del_conntrack(&cth, tuple, t) < 0)
- return -1;
+ if ((ret = ctnl_del_conntrack(&cth, tuple, t)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -262,18 +263,19 @@ int get_conntrack(struct ip_conntrack_tuple *tuple,
.type = 0,
.handler = handler
};
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
ctnl_register_handler(&cth, &h);
/* FIXME!!!! get_conntrack_handler returns -100 */
- if (ctnl_get_conntrack(&cth, tuple, t) != -100)
- return -1;
+ if ((ret = ctnl_get_conntrack(&cth, tuple, t)) != -100)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
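Review bot: `if ((ret = ctnl_get_conntrack(&cth, tuple, t)) != -100) return ret;` now passes a zero or positive return straight to the caller, where main's new `res < 0` test counts it as success and prints nothing, whereas the replaced `return -1` reported every non -100 result as a failure. Whether `ctnl_get_conntrack` can return a non-negative value other than the -100 sentinel is not visible here; if it can, that case should still be mapped to a negative errno-style code so the caller sees it. The `if (ret != -100) return ret;` line in the dump_conntrack_table hunk and the `!= -100` check in the dump_expect_list hunk have the same property. The `FIXME!!!! get_conntrack_handler returns -100` comment the commit keeps would be the natural place to state the full return contract once it is settled; get_conntrack's signature is above this hunk.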
@@ -287,8 +289,8 @@ int dump_conntrack_table(int zero)
.handler = handler
};
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
ctnl_register_handler(&cth, &h);
@@ -298,10 +300,10 @@ int dump_conntrack_table(int zero)
ret = ctnl_list_conntrack(&cth, AF_INET);
if (ret != -100)
- return -1;
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -317,17 +319,18 @@ int event_conntrack(unsigned int event_mask)
.type = 2, /* destroy */
.handler = event_handler
};
+ int ret;
- if (ctnl_open(&cth, event_mask) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, event_mask)) < 0)
+ return ret;
ctnl_register_handler(&cth, &hnew);
ctnl_register_handler(&cth, &hdestroy);
- if (ctnl_event_conntrack(&cth, AF_INET) < 0)
- return -1;
+ if ((ret = ctnl_event_conntrack(&cth, AF_INET)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -383,17 +386,18 @@ int dump_expect_list()
.type = 0, /* Hm... really? */
.handler = expect_handler
};
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
ctnl_register_handler(&cth, &h);
- if (ctnl_list_expect(&cth, AF_INET) != -100)
- return -1;
+ if ((ret = ctnl_list_expect(&cth, AF_INET)) != -100)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
@@ -402,6 +406,7 @@ int set_mask(unsigned int mask, int type)
{
struct ctnl_handle cth;
enum ctattr_type_t cta_type;
+ int ret;
switch(type) {
case 0:
@@ -411,17 +416,18 @@ int set_mask(unsigned int mask, int type)
cta_type = CTA_EVENTMASK;
break;
default:
+ /* Shouldn't happen */
return -1;
}
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- if (ctnl_set_mask(&cth, mask, cta_type) < 0)
- return -1;
+ if ((ret = ctnl_set_mask(&cth, mask, cta_type)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
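Review bot: `return -1;` in the `default:` arm now reaches main's `err2str(res, command)` looking like `-EPERM`, because the rest of this function and the libct callers return negative errno values, so an unexpected `type` would be reported with an unrelated system error text. An explicit code, `return -EINVAL;`, keeps the new convention consistent, and the added `/* Shouldn't happen */` comment would be more useful stating what is valid, e.g. `/* only the types handled in the cases above are valid */`. set_mask's signature and the start of the switch are outside this hunk.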
@@ -429,15 +435,16 @@ int set_mask(unsigned int mask, int type)
int flush_conntrack()
{
struct ctnl_handle cth;
+ int ret;
- if (ctnl_open(&cth, 0) < 0)
- return -1;
+ if ((ret = ctnl_open(&cth, 0)) < 0)
+ return ret;
- if (ctnl_flush_conntrack(&cth) < 0)
- return -1;
+ if ((ret = ctnl_flush_conntrack(&cth)) < 0)
+ return ret;
- if (ctnl_close(&cth) < 0)
- return -1;
+ if ((ret = ctnl_close(&cth)) < 0)
+ return ret;
return 0;
}
diff --git a/test.sh b/test.sh
index 379f950..5999a8f 100644
--- a/test.sh
+++ b/test.sh
@@ -44,13 +44,11 @@ case $1 in
--reply-src $DST --reply-dst $SRC -p tcp \
--orig-port-src $SPORT --orig-port-dst $DPORT \
--reply-port-src $DPORT --reply-port-dst $SPORT \
- --state TIME_WAIT -u ASSURED -t 500
+ --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500
;;
delete)
- # 66.111.58.52 dst=85.136.125.64 sport=22 dport=60239
- $CONNTRACK -D conntrack --orig-src 66.111.58.1 \
- --orig-dst 85.136.125.64 -p tcp --orig-port-src 22 \
- --orig-port-dst 60239
+ $CONNTRACK -D --orig-src $SRC --orig-dst $DST \
+ -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT
;;
output)
proc=$(cat /proc/net/ip_conntrack | wc -l)
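Review bot: The new delete invocation drops the `conntrack` word that followed `-D` in the removed lines (`$CONNTRACK -D conntrack --orig-src ...` became `$CONNTRACK -D --orig-src ...`); whether the option parser still expects a table argument after `-D` is not visible here, so confirm it against src/conntrack.c before relying on this test. Separately, `$SRC`, `$DST`, `$SPORT` and `$DPORT` are expanded unquoted; writing them as `"$SRC"` and so on avoids word splitting should a value ever contain whitespace, and the `--state TIME_WAIT -u ASSURED,SEEN_REPLY` line above has the same pattern.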