-rw-r--r--ChangeLog7
-rw-r--r--extensions/libct_proto_icmp.c1
-rw-r--r--extensions/libct_proto_sctp.c8
-rw-r--r--extensions/libct_proto_tcp.c8
-rw-r--r--extensions/libct_proto_udp.c1
-rw-r--r--include/conntrack.h119
-rw-r--r--src/conntrack.c111
7 files changed, 128 insertions, 127 deletions
diff --git a/ChangeLog b/ChangeLog
index 51bdeb5..85a3565 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,13 @@
CAP_NET_ADMIN
<pablo@eurodev.net>
o check if --state missing when -p is passed
+ o command type is passed to final_check: checkings based on the
+ command can be done now.
+ o kill duplicated definition of IPS_* bits: Already present in
+ libnetfilter_conntrack.
+ o Move action and command enum to conntrack.h
+ o kill NIPQUAD macro
+ o make conntrack handler cth static.
o Bumped version to 0.96
2005-11-01
diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index d9c5cb3..6fe1e16 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -87,6 +87,7 @@ int parse(char c, char *argv[],
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c
index 5e96391..6c85f56 100644
--- a/extensions/libct_proto_sctp.c
+++ b/extensions/libct_proto_sctp.c
@@ -116,6 +116,7 @@ int parse_options(char c, char *argv[],
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
@@ -136,10 +137,11 @@ int final_check(unsigned int flags,
&& ((flags & (REPL_SPORT|REPL_DPORT))))
ret = 1;
- if (ret & (flags & STATE))
- return 1;
+ /* --state is missing and we are trying to create a conntrack */
+ if (ret && (command & CT_CREATE) && (!(flags & STATE)))
+ ret = 0;
- return 0;
+ return ret;
}
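Review bot: The replacement condition nests a negation in redundant parentheses, `(!(flags & STATE))`, and the comment restates the test rather than its consequence; it reads more directly as `/* creating a conntrack requires --state */` followed by `if (ret && (command & CT_CREATE) && !(flags & STATE)) ret = 0;`. The removed line combined the 0/1 `ret` with the STATE flag using bitwise `&`, so unless STATE happens to be bit 0 the old SCTP final_check could never return 1 — this hunk fixes that, and the fix deserves its own ChangeLog line rather than being folded into the "command type is passed" entry (STATE's value is outside the hunk, so this is inferred). The beginning of final_check, where ret is computed, lies outside this hunk.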
static struct ctproto_handler sctp = {
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index 7c1e605..36ef6fc 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -139,6 +139,7 @@ int parse_options(char c, char *argv[],
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
@@ -159,10 +160,11 @@ int final_check(unsigned int flags,
&& ((flags & (REPL_SPORT|REPL_DPORT))))
ret = 1;
- if (ret && (flags & STATE))
- return 1;
+ /* --state is missing and we are trying to create a conntrack */
+ if (ret && (command & CT_CREATE) && (!(flags & STATE)))
+ ret = 0;
- return 0;
+ return ret;
}
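Review bot: The new condition `if (ret && (command & CT_CREATE) && (!(flags & STATE)))` requires --state only for CT_CREATE, whereas the line it replaces required it for every command; if a CT_UPDATE of a TCP entry is also expected to carry a protocol state, that case now passes final_check without --state and the kernel side decides what to do with it. Confirm the intended set of commands and, if update belongs in it, widen the mask to `(command & (CT_CREATE|CT_UPDATE))`. The identical block is added to libct_proto_sctp.c in this commit, so whatever mask is chosen should be applied to both files. The start of final_check, where ret is derived from the port flags, is outside this hunk.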
static struct ctproto_handler tcp = {
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index b33ba7d..2c812c6 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -103,6 +103,7 @@ int parse_options(char c, char *argv[],
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
diff --git a/include/conntrack.h b/include/conntrack.h
index efe4417..3993f89 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -8,12 +8,112 @@
#define PROGNAME "conntrack"
#define CONNTRACK_VERSION "0.96"
-/* FIXME: These should be independent from kernel space */
-#define IPS_ASSURED (1 << 2)
-#define IPS_SEEN_REPLY (1 << 1)
-#define IPS_SRC_NAT_DONE (1 << 7)
-#define IPS_DST_NAT_DONE (1 << 8)
-#define IPS_CONFIRMED (1 << 3)
+enum action {
+ CT_NONE = 0,
+
+ CT_LIST_BIT = 0,
+ CT_LIST = (1 << CT_LIST_BIT),
+
+ CT_CREATE_BIT = 1,
+ CT_CREATE = (1 << CT_CREATE_BIT),
+
+ CT_UPDATE_BIT = 2,
+ CT_UPDATE = (1 << CT_UPDATE_BIT),
+
+ CT_DELETE_BIT = 3,
+ CT_DELETE = (1 << CT_DELETE_BIT),
+
+ CT_GET_BIT = 4,
+ CT_GET = (1 << CT_GET_BIT),
+
+ CT_FLUSH_BIT = 5,
+ CT_FLUSH = (1 << CT_FLUSH_BIT),
+
+ CT_EVENT_BIT = 6,
+ CT_EVENT = (1 << CT_EVENT_BIT),
+
+ CT_VERSION_BIT = 7,
+ CT_VERSION = (1 << CT_VERSION_BIT),
+
+ CT_HELP_BIT = 8,
+ CT_HELP = (1 << CT_HELP_BIT),
+
+ EXP_LIST_BIT = 9,
+ EXP_LIST = (1 << EXP_LIST_BIT),
+
+ EXP_CREATE_BIT = 10,
+ EXP_CREATE = (1 << EXP_CREATE_BIT),
+
+ EXP_DELETE_BIT = 11,
+ EXP_DELETE = (1 << EXP_DELETE_BIT),
+
+ EXP_GET_BIT = 12,
+ EXP_GET = (1 << EXP_GET_BIT),
+
+ EXP_FLUSH_BIT = 13,
+ EXP_FLUSH = (1 << EXP_FLUSH_BIT),
+
+ EXP_EVENT_BIT = 14,
+ EXP_EVENT = (1 << EXP_EVENT_BIT),
+};
+#define NUMBER_OF_CMD 15
+
+enum options {
+ CT_OPT_ORIG_SRC_BIT = 0,
+ CT_OPT_ORIG_SRC = (1 << CT_OPT_ORIG_SRC_BIT),
+
+ CT_OPT_ORIG_DST_BIT = 1,
+ CT_OPT_ORIG_DST = (1 << CT_OPT_ORIG_DST_BIT),
+
+ CT_OPT_ORIG = (CT_OPT_ORIG_SRC | CT_OPT_ORIG_DST),
+
+ CT_OPT_REPL_SRC_BIT = 2,
+ CT_OPT_REPL_SRC = (1 << CT_OPT_REPL_SRC_BIT),
+
+ CT_OPT_REPL_DST_BIT = 3,
+ CT_OPT_REPL_DST = (1 << CT_OPT_REPL_DST_BIT),
+
+ CT_OPT_REPL = (CT_OPT_REPL_SRC | CT_OPT_REPL_DST),
+
+ CT_OPT_PROTO_BIT = 4,
+ CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT),
+
+ CT_OPT_TIMEOUT_BIT = 5,
+ CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
+
+ CT_OPT_STATUS_BIT = 6,
+ CT_OPT_STATUS = (1 << CT_OPT_STATUS_BIT),
+
+ CT_OPT_ZERO_BIT = 7,
+ CT_OPT_ZERO = (1 << CT_OPT_ZERO_BIT),
+
+ CT_OPT_EVENT_MASK_BIT = 8,
+ CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT),
+
+ CT_OPT_EXP_SRC_BIT = 9,
+ CT_OPT_EXP_SRC = (1 << CT_OPT_EXP_SRC_BIT),
+
+ CT_OPT_EXP_DST_BIT = 10,
+ CT_OPT_EXP_DST = (1 << CT_OPT_EXP_DST_BIT),
+
+ CT_OPT_MASK_SRC_BIT = 11,
+ CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT),
+
+ CT_OPT_MASK_DST_BIT = 12,
+ CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT),
+
+ CT_OPT_NATRANGE_BIT = 13,
+ CT_OPT_NATRANGE = (1 << CT_OPT_NATRANGE_BIT),
+
+ CT_OPT_MARK_BIT = 14,
+ CT_OPT_MARK = (1 << CT_OPT_MARK_BIT),
+
+ CT_OPT_ID_BIT = 15,
+ CT_OPT_ID = (1 << CT_OPT_ID_BIT),
+
+ CT_OPT_MAX = CT_OPT_ID
+};
+#define NUMBER_OF_OPT CT_OPT_MAX
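Review bot: `#define NUMBER_OF_OPT CT_OPT_MAX` is a bit value, not a count: CT_OPT_MAX is CT_OPT_ID = (1 << 15), so NUMBER_OF_OPT is 32768, while NUMBER_OF_CMD in the same header is the plain count 15 and the `optflags[NUMBER_OF_OPT]` table in src/conntrack.c is initialised with just 16 entries. Any loop bounded by NUMBER_OF_OPT walks tens of thousands of zero slots, and a reader pairing it with NUMBER_OF_CMD is misled about its meaning. Since the definitions are being moved into the shared header anyway, this is the moment to make it `#define NUMBER_OF_OPT (CT_OPT_ID_BIT + 1)` and keep CT_OPT_MAX as the highest bit value for mask purposes. The definition is carried over verbatim from src/conntrack.c, so the move itself changes nothing here.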
struct ctproto_handler {
struct list_head head;
@@ -32,6 +132,7 @@ struct ctproto_handler {
unsigned int *flags);
int (*final_check)(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply);
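Review bot: The `final_check` callback's contract is not documented where its signature changes: from the caller in src/conntrack.c, main() treats a zero return as fatal ("Missing protocol arguments!") and anything else as success, and `command` is a bitmask of `enum action` from the same header. Suggest a comment on the field: `/* command: bitmask of enum action; return 0 when a protocol option mandatory for that command is missing, non-zero otherwise */`. Because the function-pointer type changed, every extension filling in struct ctproto_handler must be rebuilt; the three in-tree ones are updated in this commit, out-of-tree ones would silently read garbage for `orig`/`reply`.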
@@ -44,10 +145,4 @@ struct ctproto_handler {
extern void register_proto(struct ctproto_handler *h);
-#define NIPQUAD(addr) \
- ((unsigned char *)&addr)[0], \
- ((unsigned char *)&addr)[1], \
- ((unsigned char *)&addr)[2], \
- ((unsigned char *)&addr)[3]
-
#endif
diff --git a/src/conntrack.c b/src/conntrack.c
index 0823de1..1c8a849 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -52,119 +52,12 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
-enum action {
- CT_NONE = 0,
-
- CT_LIST_BIT = 0,
- CT_LIST = (1 << CT_LIST_BIT),
-
- CT_CREATE_BIT = 1,
- CT_CREATE = (1 << CT_CREATE_BIT),
-
- CT_UPDATE_BIT = 2,
- CT_UPDATE = (1 << CT_UPDATE_BIT),
-
- CT_DELETE_BIT = 3,
- CT_DELETE = (1 << CT_DELETE_BIT),
-
- CT_GET_BIT = 4,
- CT_GET = (1 << CT_GET_BIT),
-
- CT_FLUSH_BIT = 5,
- CT_FLUSH = (1 << CT_FLUSH_BIT),
-
- CT_EVENT_BIT = 6,
- CT_EVENT = (1 << CT_EVENT_BIT),
-
- CT_VERSION_BIT = 7,
- CT_VERSION = (1 << CT_VERSION_BIT),
-
- CT_HELP_BIT = 8,
- CT_HELP = (1 << CT_HELP_BIT),
-
- EXP_LIST_BIT = 9,
- EXP_LIST = (1 << EXP_LIST_BIT),
-
- EXP_CREATE_BIT = 10,
- EXP_CREATE = (1 << EXP_CREATE_BIT),
-
- EXP_DELETE_BIT = 11,
- EXP_DELETE = (1 << EXP_DELETE_BIT),
-
- EXP_GET_BIT = 12,
- EXP_GET = (1 << EXP_GET_BIT),
-
- EXP_FLUSH_BIT = 13,
- EXP_FLUSH = (1 << EXP_FLUSH_BIT),
-
- EXP_EVENT_BIT = 14,
- EXP_EVENT = (1 << EXP_EVENT_BIT),
-};
-#define NUMBER_OF_CMD 15
-
static const char cmdflags[NUMBER_OF_CMD]
= {'L','I','U','D','G','F','E','V','h','L','I','D','G','F','E'};
static const char cmd_need_param[NUMBER_OF_CMD]
= {' ','x','x','x','x',' ',' ',' ',' ',' ','x','x','x',' ',' '};
-enum options {
- CT_OPT_ORIG_SRC_BIT = 0,
- CT_OPT_ORIG_SRC = (1 << CT_OPT_ORIG_SRC_BIT),
-
- CT_OPT_ORIG_DST_BIT = 1,
- CT_OPT_ORIG_DST = (1 << CT_OPT_ORIG_DST_BIT),
-
- CT_OPT_ORIG = (CT_OPT_ORIG_SRC | CT_OPT_ORIG_DST),
-
- CT_OPT_REPL_SRC_BIT = 2,
- CT_OPT_REPL_SRC = (1 << CT_OPT_REPL_SRC_BIT),
-
- CT_OPT_REPL_DST_BIT = 3,
- CT_OPT_REPL_DST = (1 << CT_OPT_REPL_DST_BIT),
-
- CT_OPT_REPL = (CT_OPT_REPL_SRC | CT_OPT_REPL_DST),
-
- CT_OPT_PROTO_BIT = 4,
- CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT),
-
- CT_OPT_TIMEOUT_BIT = 5,
- CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
-
- CT_OPT_STATUS_BIT = 6,
- CT_OPT_STATUS = (1 << CT_OPT_STATUS_BIT),
-
- CT_OPT_ZERO_BIT = 7,
- CT_OPT_ZERO = (1 << CT_OPT_ZERO_BIT),
-
- CT_OPT_EVENT_MASK_BIT = 8,
- CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT),
-
- CT_OPT_EXP_SRC_BIT = 9,
- CT_OPT_EXP_SRC = (1 << CT_OPT_EXP_SRC_BIT),
-
- CT_OPT_EXP_DST_BIT = 10,
- CT_OPT_EXP_DST = (1 << CT_OPT_EXP_DST_BIT),
-
- CT_OPT_MASK_SRC_BIT = 11,
- CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT),
-
- CT_OPT_MASK_DST_BIT = 12,
- CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT),
-
- CT_OPT_NATRANGE_BIT = 13,
- CT_OPT_NATRANGE = (1 << CT_OPT_NATRANGE_BIT),
-
- CT_OPT_MARK_BIT = 14,
- CT_OPT_MARK = (1 << CT_OPT_MARK_BIT),
-
- CT_OPT_ID_BIT = 15,
- CT_OPT_ID = (1 << CT_OPT_ID_BIT),
-
- CT_OPT_MAX = CT_OPT_ID
-};
-#define NUMBER_OF_OPT CT_OPT_MAX
-
static const char optflags[NUMBER_OF_OPT]
= {'s','d','r','q','p','t','u','z','e','[',']','{','}','a','m','i'};
@@ -199,7 +92,7 @@ static struct option original_opts[] = {
#define OPTION_OFFSET 256
-struct nfct_handle *cth;
+static struct nfct_handle *cth;
static struct option *opts = original_opts;
static unsigned int global_option_offset = 0;
@@ -895,7 +788,7 @@ int main(int argc, char *argv[])
if (!(command & CT_HELP)
&& h && h->final_check
- && !h->final_check(extra_flags, &orig, &reply)) {
+ && !h->final_check(extra_flags, command, &orig, &reply)) {
usage(argv[0]);
extension_help(h);
exit_error(PARAMETER_PROBLEM, "Missing protocol arguments!\n");
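Review bot: Now that final_check receives `command`, a zero return can mean "--state is required for -I" as well as "ports are missing", but the caller still collapses both into the single message `Missing protocol arguments!`, so a user creating a TCP or SCTP entry without --state gets no hint about --state. Either let the extension print the specific reason before returning 0, or broaden the text, e.g. `exit_error(PARAMETER_PROBLEM, "Missing protocol arguments (or --state) for this command!\n");`; extension_help(h) printed just above softens this, but an explicit hint is cheaper for the user. main() begins and ends outside this hunk.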