From 3e093dbcb66b3bca23f603836510b1b3032d92a5 Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org"
Date: Sat, 9 Jun 2007 17:52:50 +0000
Subject: - add support for `-L --src-nat' and `-L --dst-nat' to show natted connections - update conntrack(8) manpage
---
 ChangeLog | 2 ++
 conntrack.8 | 14 +++++++++-----
 src/conntrack.c | 36 ++++++++++++++++++++++++++++++++----
 3 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c252d1a..78af5b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,8 @@ o fix segfault with conntrack --output (Krzysztof Oledzky)
 o use NFCT_SOPT_SETUP_* facilities: nfct_setobjopt
 o remove bogus option to get a conntrack in test.sh example file
 o add aliases --sport and --dport to make it more iptables-like
+o add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
+o update conntrack(8) manpage
 version 0.9.3 (2006/05/22)
 ------------------------------
diff --git a/conntrack.8 b/conntrack.8
index 3a35613..bb9b0e0 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -107,13 +107,14 @@ This option is only required in conjunction with "-L, --dump". If this option is
 .BI "-t, --timeout " "TIMEOUT"
 Specify the timeout.
 .TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET][,...]"
 Specify the conntrack status.
 .TP
-.BI "-i, --id " "ID"
-Specify the conntrack ID.
-.
-This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
+.BI "-n, --src-nat "
+Filter source NAT connections.
+.TP
+.BI "-g, --dst-nat "
+Filter destination NAT connections.
 .TP
 .BI "--tuple-src " IP_ADDRESS
 Specify the tuple source address of an expectation.
@@ -144,6 +145,9 @@ Dump the connection tracking table in XML
 .B conntrack \-L -f ipv6 -o extended
 Only dump IPv6 connections in /proc/net/nf_conntrack format
 .TP
+.B conntrack \-L --src-nat
+Dump source NAT connections
+.TP
 .B conntrack \-E \-o timestamp
 Show connection events together with the timestamp
 .SH BUGS
diff --git a/src/conntrack.c b/src/conntrack.c
index 2555f2e..a14ee4b 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -94,8 +94,8 @@ static struct option original_opts[] = {
  {"mark", 1, 0, 'm'},
  {"id", 2, 0, 'i'}, /* deprecated */
  {"family", 1, 0, 'f'},
- {"src-nat", 1, 0, 'n'},
- {"dst-nat", 1, 0, 'g'},
+ {"src-nat", 2, 0, 'n'},
+ {"dst-nat", 2, 0, 'g'},
  {"output", 1, 0, 'o'},
  {0, 0, 0, 0}
 };
@@ -119,13 +119,13 @@ static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
 /* Well, it's better than "Re: Linux vs FreeBSD" */
 {
 /* s d r q p t u z e [ ] { } a m i f n g o */
-/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,0,0,2},
+/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,2,2,2},
 /*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0},
 /*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0,0,0,0},
 /*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
 /*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2},
 /*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,0,0,2},
+/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2},
 /*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*HELP*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0},
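Review bot: Changing `src-nat`/`dst-nat` from has_arg 1 to 2 (optional_argument) silently changes how an address is passed: getopt_long fills optarg only for the attached spellings `--src-nat=ADDR` and `-nADDR`, so a separated `-n ADDR` now leaves optarg NULL and ADDR is left behind as a stray non-option argument instead of reaching nat_parse(). The conntrack.8 hunk documents only the bare `-n, --src-nat` form, so the address-filter form becomes undocumented and easy to invoke wrongly. I would annotate the entries, `{"src-nat", 2, 0, 'n'}, /* optional arg: only --src-nat=ADDR / -nADDR carry it */`, and spell out the attached syntax in the manpage.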
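Review bot: The CT_EVENT row now also permits `n` and `g`, so `conntrack -E --src-nat` is accepted by the option table, yet the ChangeLog and conntrack.8 hunks describe the NAT filter only under `-L`. If filtering the event stream is intended, the manpage examples should gain a `conntrack -E --src-nat` entry; if not, the CT_EVENT change should be dropped. At minimum a trailing comment on that row, `/* n,g: NAT filters also apply when listening for events */`, would record the intent for the next reader of this table.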
@@ -597,6 +597,18 @@ static int event_cb(enum nf_conntrack_msg_type type,
  unsigned int output_type = NFCT_O_DEFAULT;
  unsigned int output_flags = 0;
+ if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+ if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_SRC_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_DST_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return NFCT_CB_CONTINUE;
+ }
+
  if (options & CT_COMPARISON && !nfct_compare(obj, ct))
  return NFCT_CB_CONTINUE;
@@ -626,6 +638,18 @@ static int dump_cb(enum nf_conntrack_msg_type type,
  unsigned int output_type = NFCT_O_DEFAULT;
  unsigned int output_flags = 0;
+ if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+ if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_SRC_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_DST_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return NFCT_CB_CONTINUE;
+ }
+
  if (options & CT_COMPARISON && !nfct_compare(obj, ct))
  return NFCT_CB_CONTINUE;
@@ -930,11 +954,15 @@ int main(int argc, char *argv[])
  break;
  case 'n':
  options |= CT_OPT_SRC_NAT;
+ if (!optarg)
+ break;
  set_family(&family, AF_INET);
  nat_parse(optarg, 1, obj, CT_OPT_SRC_NAT);
  break;
  case 'g':
  options |= CT_OPT_DST_NAT;
+ if (!optarg)
+ break;
  set_family(&family, AF_INET);
  nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);
  case 'm':
-- cgit v1.2.3
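Review bot: The three-way NAT filter added at the top of event_cb is repeated verbatim in dump_cb in the next hunk, and the both-flags versus single-flag cases are the kind of logic that drifts apart once it lives in two places; I would move it into one static helper and have both callbacks do `if (nat_filtered_out(ct)) return NFCT_CB_CONTINUE;`. The helper below makes the same decisions: with both flags set a connection survives if it is SNAT or DNAT, with one flag set only if it matches that one, and with neither flag nothing is filtered. It reads `options` as a file-scope variable, exactly as the hunk does. event_cb begins before and continues after this hunk.
```c
/* Non-zero when ct must be skipped under the -n/-g (SNAT/DNAT) filters. */
static int nat_filtered_out(struct nf_conntrack *ct)
{
	int want_snat = options & CT_OPT_SRC_NAT;
	int want_dnat = options & CT_OPT_DST_NAT;

	if (!want_snat && !want_dnat)
		return 0;
	if (want_snat && nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
		return 0;
	if (want_dnat && nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
		return 0;
	return 1;
}

/* … unchanged: event_cb prologue … */
	if (nat_filtered_out(ct))
		return NFCT_CB_CONTINUE;
/* … unchanged: CT_COMPARISON check and output … */
```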
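Review bot: `case 'g'` still ends without a `break` after `nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);`, so `--dst-nat=ADDR` falls through into `case 'm'` (whose body lies outside the hunk) carrying the same optarg; the new early `break` only rescues the bare `--dst-nat` form. The `'n'` branch directly above does end with `break;`, so this reads as an oversight rather than intent, and the fix is to add `break;` after that nat_parse call. Since both options are now optional_argument, nat_parse() is reached only for the attached `--src-nat=ADDR` / `-nADDR` spellings, which deserves a comment next to the `if (!optarg)` guard, e.g. `/* address only arrives as --src-nat=ADDR or -nADDR */`.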