From 52b80d312a3297f37e09e2802a52625dab0bbbfa Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 6 Mar 2009 19:38:53 +0100
Subject: extensions: remove use of old libnetfilter API flags

This patch removes the use of the obsolete old libnetfilter protocol flags. This patch also improves error reporting in TCP and UDP.

Signed-off-by: Pablo Neira Ayuso
---
 extensions/libct_proto_icmp.c | 13 +++++++---
 extensions/libct_proto_icmpv6.c | 13 +++++++---
 extensions/libct_proto_tcp.c | 57 +++++++++++++++++++++++++++++++----------
 extensions/libct_proto_udp.c | 55 +++++++++++++++++++++++++++++----------
 4 files changed, 102 insertions(+), 36 deletions(-)

diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index a2c9a85..51366f1 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -17,7 +17,12 @@
 #include /* For htons */
 #include
 #include
-#include
+
+enum {
+ CT_ICMP_TYPE = (1 << 0),
+ CT_ICMP_CODE = (1 << 1),
+ CT_ICMP_ID = (1 << 2),
+};
 
 static struct option opts[] = {
 {"icmp-type", 1, 0, '1'},
@@ -73,19 +78,19 @@ static int parse(char c,
 tmp = atoi(optarg);
 nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, tmp);
 nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
- *flags |= ICMP_TYPE;
+ *flags |= CT_ICMP_TYPE;
 break;
 case '2':
 tmp = atoi(optarg);
 nfct_set_attr_u8(ct, ATTR_ICMP_CODE, tmp);
 nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
- *flags |= ICMP_CODE;
+ *flags |= CT_ICMP_CODE;
 break;
 case '3':
 id = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_ICMP_ID, id);
 nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
- *flags |= ICMP_ID;
+ *flags |= CT_ICMP_ID;
 break;
 }
 return 1;
diff --git a/extensions/libct_proto_icmpv6.c b/extensions/libct_proto_icmpv6.c
index 388087d..cfc5979 100644
--- a/extensions/libct_proto_icmpv6.c
+++ b/extensions/libct_proto_icmpv6.c
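Review bot: `tmp = atoi(optarg);` in cases '1' and '2' of parse() hands an unchecked int to nfct_set_attr_u8(), so a non-numeric argument silently becomes type/code 0 and a value above 255 is truncated to its low byte, while the commit message promises better error reporting. Since the patch already rewrites the flag lines next to these, a bounded conversion such as `char *end; unsigned long v = strtoul(optarg, &end, 10);` followed by `if (*optarg == '\0' || *end != '\0' || v > 255) exit_error(PARAMETER_PROBLEM, "invalid ICMP type %s\n", optarg);` would reject bad input the same way the TCP hunk rejects an unknown state. The same unchecked atoi() feeds htons() for the ICMP id in case '3', for the icmpv6 parse() hunk, and for every port in the TCP and UDP parse_options() hunks, where values above 65535 wrap rather than fail. parse() begins before the hunk and its closing brace lies outside it.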
@@ -20,7 +20,12 @@
 #include /* For htons */
 #include
 #include
-#include
+
+enum {
+ CT_ICMP_TYPE = (1 << 0),
+ CT_ICMP_CODE = (1 << 1),
+ CT_ICMP_ID = (1 << 2),
+};
 
 static struct option opts[] = {
 { "icmpv6-type", 1, 0, '1' },
@@ -76,19 +81,19 @@ static int parse(char c,
 tmp = atoi(optarg);
 nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, tmp);
 nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
- *flags |= ICMP_TYPE;
+ *flags |= CT_ICMP_TYPE;
 break;
 case '2':
 tmp = atoi(optarg);
 nfct_set_attr_u8(ct, ATTR_ICMP_CODE, tmp);
 nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
- *flags |= ICMP_CODE;
+ *flags |= CT_ICMP_CODE;
 break;
 case '3':
 id = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_ICMP_ID, id);
 nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
- *flags |= ICMP_ID;
+ *flags |= CT_ICMP_ID;
 break;
 }
 return 1;
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index a08f5b3..8113e6f 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -17,6 +17,18 @@
 #include "conntrack.h"
 
+enum {
+ CT_TCP_ORIG_SPORT = (1 << 0),
+ CT_TCP_ORIG_DPORT = (1 << 1),
+ CT_TCP_REPL_SPORT = (1 << 2),
+ CT_TCP_REPL_DPORT = (1 << 3),
+ CT_TCP_MASK_SPORT = (1 << 4),
+ CT_TCP_MASK_DPORT = (1 << 5),
+ CT_TCP_STATE = (1 << 6),
+ CT_TCP_EXPTUPLE_SPORT = (1 << 7),
+ CT_TCP_EXPTUPLE_DPORT = (1 << 8)
+};
+
 
 static struct option opts[] = {
 {"orig-port-src", 1, 0, '1'},
 {"sport", 1, 0, '1'},
@@ -100,37 +112,37 @@ static int parse_options(char c,
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, port);
 nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
- *flags |= TCP_ORIG_SPORT;
+ *flags |= CT_TCP_ORIG_SPORT;
 break;
 case '2':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_ORIG_PORT_DST, port);
 nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
- *flags |= TCP_ORIG_DPORT;
+ *flags |= CT_TCP_ORIG_DPORT;
 break;
 case '3':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_REPL_PORT_SRC, port);
 nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_TCP);
- *flags |= TCP_REPL_SPORT;
+ *flags |= CT_TCP_REPL_SPORT;
 break;
 case '4':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_REPL_PORT_DST, port);
 nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_TCP);
- *flags |= TCP_REPL_DPORT;
+ *flags |= CT_TCP_REPL_DPORT;
 break;
 case '5':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, port);
 nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
- *flags |= TCP_MASK_SPORT;
+ *flags |= CT_TCP_MASK_SPORT;
 break;
 case '6':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, port);
 nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
- *flags |= TCP_MASK_DPORT;
+ *flags |= CT_TCP_MASK_DPORT;
 break;
 case '7':
 for (i=0; i<10; i++) {
@@ -144,19 +156,19 @@ static int parse_options(char c,
 if (i == 10)
 exit_error(PARAMETER_PROBLEM, "Unknown TCP state %s\n", optarg);
- *flags |= TCP_STATE;
+ *flags |= CT_TCP_STATE;
 break;
 case '8':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_SRC, port);
 nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
- *flags |= TCP_EXPTUPLE_SPORT;
+ *flags |= CT_TCP_EXPTUPLE_SPORT;
 break;
 case '9':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_DST, port);
 nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
- *flags |= TCP_EXPTUPLE_DPORT;
+ *flags |= CT_TCP_EXPTUPLE_DPORT;
 break;
 }
 return 1;
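Review bot: In cases '8' and '9' of parse_options() the context line `nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);` passes the byte-swapped port as the layer-4 protocol of the expectation tuple, whereas every other case in this hunk and both exptuple cases in the UDP file pass the IPPROTO_* constant. Both lines should read `nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_TCP);`; as written, the u8 attribute receives a value derived from the user-supplied port rather than 6, so the expectation is created for the wrong protocol. The commit touches the flag line directly below each of these calls but leaves the defect in place. parse_options() begins before the hunk and its closing brace lies outside it.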
@@ -166,11 +178,28 @@ static void final_check(unsigned int flags,
 unsigned int cmd,
 struct nf_conntrack *ct)
 {
- if ((1 << cmd) & (CT_CREATE|CT_GET) &&
- !((flags & TCP_ORIG_SPORT && flags & TCP_ORIG_DPORT) ||
- (flags & TCP_REPL_SPORT && flags & TCP_REPL_DPORT)))
- exit_error(PARAMETER_PROBLEM, "missing ports");
-
+ if ((1 << cmd) & (CT_CREATE|CT_GET)) {
+ if (!(flags & CT_TCP_ORIG_SPORT) &&
+ (flags & CT_TCP_ORIG_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--sport'");
+ }
+ if ((flags & CT_TCP_ORIG_SPORT) &&
+ !(flags & CT_TCP_ORIG_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--dport'");
+ }
+ if (!(flags & CT_TCP_REPL_SPORT) &&
+ (flags & CT_TCP_REPL_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--reply-port-src'");
+ }
+ if ((flags & CT_TCP_REPL_SPORT) &&
+ !(flags & CT_TCP_REPL_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--reply-port-dst'");
+ }
+ }
 generic_opt_check(flags, TCP_NUMBER_OF_OPT,
 tcp_commands_v_options[cmd],
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index 0f8bf5c..4f34e3b 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -12,10 +12,20 @@
 #include
 #include /* For htons */
 #include
-#include
 
 #include "conntrack.h"
 
+enum {
+ CT_UDP_ORIG_SPORT = (1 << 0),
+ CT_UDP_ORIG_DPORT = (1 << 1),
+ CT_UDP_REPL_SPORT = (1 << 2),
+ CT_UDP_REPL_DPORT = (1 << 3),
+ CT_UDP_MASK_SPORT = (1 << 4),
+ CT_UDP_MASK_DPORT = (1 << 5),
+ CT_UDP_EXPTUPLE_SPORT = (1 << 6),
+ CT_UDP_EXPTUPLE_DPORT = (1 << 7)
+};
+
 static struct option opts[] = {
 {"orig-port-src", 1, 0, '1'},
 {"sport", 1, 0, '1'},
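Review bot: The rewritten final_check() in libct_proto_tcp.c no longer rejects a CT_CREATE or CT_GET command that names no ports at all: the removed condition demanded at least one complete pair (original or reply), while the four new checks only verify that whichever pair was started is completed, so `flags` with neither SPORT bit set now falls through to generic_opt_check(). If the old requirement still holds, add after the four checks `if (!(flags & (CT_TCP_ORIG_SPORT|CT_TCP_REPL_SPORT))) exit_error(PARAMETER_PROBLEM, "missing ports");` — once the pairwise checks have passed, a set SPORT bit implies its DPORT, so this single test restores the former guarantee with the new per-option messages intact. The final_check() hunk in libct_proto_udp.c makes the identical change and would need the same guard with the CT_UDP_* flags. Whether generic_opt_check() below already enforces a minimum option set cannot be told from the hunk, and final_check() continues past its last line.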
@@ -82,37 +92,37 @@ static int parse_options(char c,
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, port);
 nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_ORIG_SPORT;
+ *flags |= CT_UDP_ORIG_SPORT;
 break;
 case '2':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_ORIG_PORT_DST, port);
 nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_ORIG_DPORT;
+ *flags |= CT_UDP_ORIG_DPORT;
 break;
 case '3':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_REPL_PORT_SRC, port);
 nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_REPL_SPORT;
+ *flags |= CT_UDP_REPL_SPORT;
 break;
 case '4':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(ct, ATTR_REPL_PORT_DST, port);
 nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_REPL_DPORT;
+ *flags |= CT_UDP_REPL_DPORT;
 break;
 case '5':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, port);
 nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_MASK_SPORT;
+ *flags |= CT_UDP_MASK_SPORT;
 break;
 case '6':
 port = htons(atoi(optarg));
 nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, port);
 nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_MASK_DPORT;
+ *flags |= CT_UDP_MASK_DPORT;
 break;
 case '7':
 port = htons(atoi(optarg));
@@ -120,7 +130,7 @@ static int parse_options(char c,
 nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_EXPTUPLE_SPORT;
+ *flags |= CT_UDP_EXPTUPLE_SPORT;
 break;
 case '8':
 port = htons(atoi(optarg));
@@ -128,7 +138,7 @@ static int parse_options(char c,
 nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
- *flags |= UDP_EXPTUPLE_DPORT;
+ *flags |= CT_UDP_EXPTUPLE_DPORT;
 break;
 }
 return 1;
@@ -138,11 +148,28 @@ static void final_check(unsigned int flags,
 unsigned int cmd,
 struct nf_conntrack *ct)
 {
- if ((1 << cmd) & (CT_CREATE|CT_GET) &&
- !((flags & UDP_ORIG_SPORT && flags & UDP_ORIG_DPORT) ||
- (flags & UDP_REPL_SPORT && flags & UDP_REPL_DPORT)))
- exit_error(PARAMETER_PROBLEM, "missing ports");
-
+ if ((1 << cmd) & (CT_CREATE|CT_GET)) {
+ if (!(flags & CT_UDP_ORIG_SPORT) &&
+ (flags & CT_UDP_ORIG_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--sport'");
+ }
+ if ((flags & CT_UDP_ORIG_SPORT) &&
+ !(flags & CT_UDP_ORIG_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--dport'");
+ }
+ if (!(flags & CT_UDP_REPL_SPORT) &&
+ (flags & CT_UDP_REPL_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--reply-port-src'");
+ }
+ if ((flags & CT_UDP_REPL_SPORT) &&
+ !(flags & CT_UDP_REPL_DPORT)) {
+ exit_error(PARAMETER_PROBLEM,
+ "missing `--reply-port-dst'");
+ }
+ }
 generic_opt_check(flags, UDP_NUMBER_OF_OPT,
 udp_commands_v_options[cmd],
-- 
cgit v1.2.3