From 5891b45e0eee0307a29ed5103fe6d596f6a37ebd Mon Sep 17 00:00:00 2001 From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org" Date: Sat, 3 Dec 2005 22:33:53 +0000 Subject: o Add support to filter events. ie: -p tcp --orig-port-dst 80 in conjuction with -E to get all the requests to HTTP servers o Update manpage o Missing static function declaration in the protocol handlers o Use protocol flags defined in libnetfilter_conntrack o Kill leftover #include "conntrack.h" in the ICMP helper o Bumped version to 0.991 --- ChangeLog | 11 ++++++ configure.in | 2 +- conntrack.8 | 14 +++----- extensions/libct_proto_icmp.c | 39 ++++++++-------------- extensions/libct_proto_sctp.c | 44 ++++++++---------------- extensions/libct_proto_tcp.c | 78 ++++++++++++++++--------------------------- extensions/libct_proto_udp.c | 71 +++++++++++++++------------------------ src/conntrack.c | 39 +++++++++++++--------- 8 files changed, 123 insertions(+), 175 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7909f74..befb699 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2005-13-03 + + o Add support to filter events. ie: -p tcp --orig-port-dst 80 in + conjuction with -E to get all the requests to HTTP servers + o Update manpage + o Missing static function declaration in the protocol handlers + o Use protocol flags defined in libnetfilter_conntrack + o Kill leftover #include "conntrack.h" in the ICMP helper + o Bumped version to 0.991 + 2005-11-22 o Fix oversized number of options @@ -10,6 +20,7 @@ o move plugins into pkglibdir o remove 'lib' prefix of plugins, they're not really libraries o remove version information from plugin filenames + o Bumped version to 0.99 2005-11-09 o set status to zero, libnetfilter_conntrack now activate diff --git a/configure.in b/configure.in index a31646f..4dd09c6 100644 --- a/configure.in +++ b/configure.in 
@@ -2,7 +2,7 @@ AC_INIT AC_CANONICAL_SYSTEM -AM_INIT_AUTOMAKE(conntrack, 0.99) +AM_INIT_AUTOMAKE(conntrack, 0.991) #AM_CONFIG_HEADER(config.h) AC_PROG_CC diff --git a/conntrack.8 b/conntrack.8 index 8c9d963..8dbecb5 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -74,17 +74,11 @@ Flush the whole given table Atomically zero counters after reading them. This option is only valid in combination with the "-L, --dump" command options. .TP -.BI "-e, --event-mask " "[ALL|NEW|RELATED|DESTROY|REFRESH|STATUS|PROTOINFO|HELPER|HELPINFO|NATINFO][,...]" +.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]" Set the bitmask of events that are to be generated by the in-kernel ctnetlink event code. Using this parameter, you can reduce the event messages generated by the kernel to those types to those that you are actually interested in. . -Please note that this is a system-wide setting, so make sure to not disable some events that other ctnetlink-using processes might need! -This option can only be used in conjunction with "-E, --event". -.TP -.BI "-g, --group-mask " "[ALL|TCP|UDP|ICMP][,...]" -Set the group bitmask to those netlink groups (resembling layer 4 protocols) -that you're actually interested in. This option can only be used in conjunction with "-E, --event". .SS FILTER PARAMETERS .TP @@ -106,11 +100,13 @@ Specify layer four (TCP, UDP, ...) protocol. .BI "-t, --timeout " "TIMEOUT" Specify the timeout. .TP -.BI "-u, --status " "[EXPECTED|ASSURED|SEEN_REPLY|CONFIRMED|SNAT|DNAT|SEQ_ADJUST|UNSET][,...]" +.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]" Specify the conntrack status. .TP .BI "-i, --id " "ID" -Specify the conntrack ID. +Specify the conntrack ID. +. +This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs. .TP .BI "--tuple-src " IP_ADDRESS Specify the tuple source address of an expectation. diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c index dc7374e..afae25e 100644 
--- a/extensions/libct_proto_icmp.c +++ b/extensions/libct_proto_icmp.c @@ -14,7 +14,7 @@ #include /* For htons */ #include #include -#include "conntrack.h" +#include static struct option opts[] = { {"icmp-type", 1, 0, '1'}, @@ -23,18 +23,7 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum icmp_param_flags { - ICMP_TYPE_BIT = 0, - ICMP_TYPE = (1 << ICMP_TYPE_BIT), - - ICMP_CODE_BIT = 1, - ICMP_CODE = (1 << ICMP_CODE_BIT), - - ICMP_ID_BIT = 2, - ICMP_ID = (1 << ICMP_ID_BIT) -}; - -void help() +static void help() { fprintf(stdout, "--icmp-type icmp type\n"); fprintf(stdout, "--icmp-code icmp code\n"); @@ -52,12 +41,12 @@ static u_int8_t invmap[] [ICMP_ADDRESS] = ICMP_ADDRESSREPLY + 1, [ICMP_ADDRESSREPLY] = ICMP_ADDRESS + 1}; -int parse(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': @@ -86,10 +75,10 @@ int parse(char c, char *argv[], return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { if (!(flags & ICMP_TYPE)) return 0; @@ -109,9 +98,9 @@ static struct ctproto_handler icmp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&icmp); } diff --git a/extensions/libct_proto_sctp.c b/extensions/libct_proto_sctp.c index 64cfd23..7ff1dcf 100644 --- a/extensions/libct_proto_sctp.c +++ b/extensions/libct_proto_sctp.c 
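Review bot: The help() definition the commit makes static still uses an empty parameter list, `static void help()`, which in C is an old-style declaration with unspecified arguments rather than a prototype; `static void help(void)` is the form this same file already uses for `init(void)`, and it lets `-Wstrict-prototypes` check the call sites. The identical `static void help()` appears in the libct_proto_sctp.c, libct_proto_tcp.c and libct_proto_udp.c hunks of this patch. Removing `enum icmp_param_flags` leaves final_check() depending on ICMP_TYPE coming from the new include, whose target is not visible in this patch; presumably it is the libnetfilter_conntrack header the description mentions.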
@@ -14,6 +14,7 @@ #include /* For htons */ #include "conntrack.h" #include +#include static struct option opts[] = { {"orig-port-src", 1, 0, '1'}, @@ -24,23 +25,6 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum sctp_param_flags { - ORIG_SPORT_BIT = 0, - ORIG_SPORT = (1 << ORIG_SPORT_BIT), - - ORIG_DPORT_BIT = 1, - ORIG_DPORT = (1 << ORIG_DPORT_BIT), - - REPL_SPORT_BIT = 2, - REPL_SPORT = (1 << REPL_SPORT_BIT), - - REPL_DPORT_BIT = 3, - REPL_DPORT = (1 << REPL_DPORT_BIT), - - STATE_BIT = 4, - STATE = (1 << STATE_BIT) -}; - static const char *states[] = { "NONE", "CLOSED", @@ -52,7 +36,7 @@ static const char *states[] = { "SHUTDOWN_ACK_SENT", }; -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); @@ -61,12 +45,12 @@ void help() fprintf(stdout, "--state SCTP state, fe. ESTABLISHED\n"); } -int parse_options(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse_options(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': @@ -115,10 +99,10 @@ int parse_options(char c, char *argv[], return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { int ret = 0; @@ -154,9 +138,9 @@ static struct ctproto_handler sctp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&sctp); } diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c index 3a01c0a..35fa292 100644 
--- a/extensions/libct_proto_tcp.c +++ b/extensions/libct_proto_tcp.c @@ -13,6 +13,7 @@ #include #include /* For htons */ #include +#include #include "conntrack.h" @@ -27,29 +28,6 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum tcp_param_flags { - ORIG_SPORT_BIT = 0, - ORIG_SPORT = (1 << ORIG_SPORT_BIT), - - ORIG_DPORT_BIT = 1, - ORIG_DPORT = (1 << ORIG_DPORT_BIT), - - REPL_SPORT_BIT = 2, - REPL_SPORT = (1 << REPL_SPORT_BIT), - - REPL_DPORT_BIT = 3, - REPL_DPORT = (1 << REPL_DPORT_BIT), - - MASK_SPORT_BIT = 4, - MASK_SPORT = (1 << MASK_SPORT_BIT), - - MASK_DPORT_BIT = 5, - MASK_DPORT = (1 << MASK_DPORT_BIT), - - STATE_BIT = 6, - STATE = (1 << STATE_BIT) -}; - static const char *states[] = { "NONE", "SYN_SENT", @@ -63,7 +41,7 @@ static const char *states[] = { "LISTEN" }; -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); 
@@ -74,48 +52,48 @@ void help() fprintf(stdout, "--state TCP state, fe. ESTABLISHED\n"); } -int parse_options(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse_options(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': if (optarg) { orig->l4src.tcp.port = htons(atoi(optarg)); - *flags |= ORIG_SPORT; + *flags |= TCP_ORIG_SPORT; } break; case '2': if (optarg) { orig->l4dst.tcp.port = htons(atoi(optarg)); - *flags |= ORIG_DPORT; + *flags |= TCP_ORIG_DPORT; } break; case '3': if (optarg) { reply->l4src.tcp.port = htons(atoi(optarg)); - *flags |= REPL_SPORT; + *flags |= TCP_REPL_SPORT; } break; case '4': if (optarg) { reply->l4dst.tcp.port = htons(atoi(optarg)); - *flags |= REPL_DPORT; + *flags |= TCP_REPL_DPORT; } break; case '5': if (optarg) { mask->l4src.tcp.port = htons(atoi(optarg)); - *flags |= MASK_SPORT; + *flags |= TCP_MASK_SPORT; } break; case '6': if (optarg) { mask->l4dst.tcp.port = htons(atoi(optarg)); - *flags |= MASK_DPORT; + *flags |= TCP_MASK_DPORT; } break; case '7': 
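Review bot: Every port case in parse_options() still assigns `htons(atoi(optarg))` with no validation, so a non-numeric argument silently becomes port 0 and a value above 65535 is truncated to its low 16 bits, and neither is reported; since this commit turns these options into an event filter, a mistyped `--orig-port-dst` now yields a silently wrong filter instead of an error. The `--state` case further down this function already returns 0 on bad input, so the port cases should follow the same convention via a bounded strtoul() parse (this needs <errno.h> if the file does not already include it). The same pattern is in the libct_proto_udp.c parse_options() hunk. parse_options() continues past the end of this hunk.
```c
/* Parse a decimal port, rejecting junk and values outside 0..65535. */
static int parse_port(const char *s, u_int16_t *port)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE || v > 65535)
		return 0;
	*port = htons((u_int16_t)v);
	return 1;
}

/* … unchanged: opts[], states[], help() … */

	case '1':
		if (optarg) {
			if (!parse_port(optarg, &orig->l4src.tcp.port))
				return 0;
			*flags |= TCP_ORIG_SPORT;
		}
		break;
	/* … cases '2'..'6' follow the same pattern with their own field and flag … */
```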
@@ -131,37 +109,37 @@ int parse_options(char c, char *argv[], printf("doh?\n"); return 0; } - *flags |= STATE; + *flags |= TCP_STATE; } break; } return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { int ret = 0; - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && !(flags & (REPL_SPORT|REPL_DPORT))) { + if ((flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) + && !(flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))) { reply->l4src.tcp.port = orig->l4dst.tcp.port; reply->l4dst.tcp.port = orig->l4src.tcp.port; ret = 1; - } else if (!(flags & (ORIG_SPORT|ORIG_DPORT)) - && (flags & (REPL_SPORT|REPL_DPORT))) { + } else if (!(flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) + && (flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))) { orig->l4src.tcp.port = reply->l4dst.tcp.port; orig->l4dst.tcp.port = reply->l4src.tcp.port; ret = 1; } - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && ((flags & (REPL_SPORT|REPL_DPORT)))) + if ((flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) + && ((flags & (TCP_REPL_SPORT|TCP_REPL_DPORT)))) ret = 1; /* --state is missing and we are trying to create a conntrack */ - if (ret && (command & CT_CREATE) && (!(flags & STATE))) + if (ret && (command & CT_CREATE) && (!(flags & TCP_STATE))) ret = 0; return ret; @@ -177,9 +155,9 @@ static struct ctproto_handler tcp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&tcp); } diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c index 958d464..974e455 100644 --- a/extensions/libct_proto_udp.c +++ b/extensions/libct_proto_udp.c @@ -13,6 +13,7 @@ #include /* For htons */ #include "conntrack.h" #include +#include static struct option opts[] = { {"orig-port-src", 1, 0, '1'}, 
@@ -24,27 +25,7 @@ static struct option opts[] = { {0, 0, 0, 0} }; -enum udp_param_flags { - ORIG_SPORT_BIT = 0, - ORIG_SPORT = (1 << ORIG_SPORT_BIT), - - ORIG_DPORT_BIT = 1, - ORIG_DPORT = (1 << ORIG_DPORT_BIT), - - REPL_SPORT_BIT = 2, - REPL_SPORT = (1 << REPL_SPORT_BIT), - - REPL_DPORT_BIT = 3, - REPL_DPORT = (1 << REPL_DPORT_BIT), - - MASK_SPORT_BIT = 4, - MASK_SPORT = (1 << MASK_SPORT_BIT), - - MASK_DPORT_BIT = 5, - MASK_DPORT = (1 << MASK_DPORT_BIT), -}; - -void help() +static void help() { fprintf(stdout, "--orig-port-src original source port\n"); fprintf(stdout, "--orig-port-dst original destination port\n"); 
@@ -54,72 +35,72 @@ void help() fprintf(stdout, "--mask-port-dst mask destination port\n"); } -int parse_options(char c, char *argv[], - struct nfct_tuple *orig, - struct nfct_tuple *reply, - struct nfct_tuple *mask, - union nfct_protoinfo *proto, - unsigned int *flags) +static int parse_options(char c, char *argv[], + struct nfct_tuple *orig, + struct nfct_tuple *reply, + struct nfct_tuple *mask, + union nfct_protoinfo *proto, + unsigned int *flags) { switch(c) { case '1': if (optarg) { orig->l4src.udp.port = htons(atoi(optarg)); - *flags |= ORIG_SPORT; + *flags |= UDP_ORIG_SPORT; } break; case '2': if (optarg) { orig->l4dst.udp.port = htons(atoi(optarg)); - *flags |= ORIG_DPORT; + *flags |= UDP_ORIG_DPORT; } break; case '3': if (optarg) { reply->l4src.udp.port = htons(atoi(optarg)); - *flags |= REPL_SPORT; + *flags |= UDP_REPL_SPORT; } break; case '4': if (optarg) { reply->l4dst.udp.port = htons(atoi(optarg)); - *flags |= REPL_DPORT; + *flags |= UDP_REPL_DPORT; } break; case '5': if (optarg) { mask->l4src.udp.port = htons(atoi(optarg)); - *flags |= MASK_SPORT; + *flags |= UDP_MASK_SPORT; } break; case '6': if (optarg) { mask->l4dst.udp.port = htons(atoi(optarg)); - *flags |= MASK_DPORT; + *flags |= UDP_MASK_DPORT; } break; } return 1; } -int final_check(unsigned int flags, - unsigned int command, - struct nfct_tuple *orig, - struct nfct_tuple *reply) +static int final_check(unsigned int flags, + unsigned int command, + struct nfct_tuple *orig, + struct nfct_tuple *reply) { - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && !(flags & (REPL_SPORT|REPL_DPORT))) { + if ((flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) + && !(flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))) { reply->l4src.udp.port = orig->l4dst.udp.port; reply->l4dst.udp.port = orig->l4src.udp.port; return 1; - } else if (!(flags & (ORIG_SPORT|ORIG_DPORT)) - && (flags & (REPL_SPORT|REPL_DPORT))) { + } else if (!(flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) + && (flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))) { 
orig->l4src.udp.port = reply->l4dst.udp.port; orig->l4dst.udp.port = reply->l4src.udp.port; return 1; } - if ((flags & (ORIG_SPORT|ORIG_DPORT)) - && ((flags & (REPL_SPORT|REPL_DPORT)))) + if ((flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) + && ((flags & (UDP_REPL_SPORT|UDP_REPL_DPORT)))) return 1; return 0; @@ -135,9 +116,9 @@ static struct ctproto_handler udp = { .version = VERSION, }; -void __attribute__ ((constructor)) init(void); +static void __attribute__ ((constructor)) init(void); -void init(void) +static void init(void) { register_proto(&udp); } diff --git a/src/conntrack.c b/src/conntrack.c index 59b95a4..eb9064d 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -120,7 +120,7 @@ static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = /*CT_DELETE*/ {' ',' ',' ',' ',' ','x','x','x','x','x','x','x','x','x','x',' '}, /*CT_GET*/ {' ',' ',' ',' ','+','x','x','x','x','x','x','x','x','x','x',' '}, /*CT_FLUSH*/ {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'}, -/*CT_EVENT*/ {'x','x','x','x','x','x','x','x',' ','x','x','x','x','x','x','x'}, +/*CT_EVENT*/ {'x','x','x','x',' ','x','x','x',' ','x','x','x','x','x','x','x'}, /*VERSION*/ {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'}, /*HELP*/ {'x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x'}, /*EXP_LIST*/ {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x',' '}, 
@@ -1014,24 +1014,33 @@ int main(int argc, char *argv[]) break; case CT_EVENT: - if (options & CT_OPT_EVENT_MASK) { + ct = nfct_conntrack_alloc(&orig, &reply, timeout, + &proto, status, mark, id, NULL); + if (!ct) + exit_error(OTHER_PROBLEM, "Not enough memory"); + + if (options & CT_OPT_EVENT_MASK) cth = nfct_open(CONNTRACK, event_mask); - if (!cth) - exit_error(OTHER_PROBLEM, "Can't open handler"); - signal(SIGINT, event_sighandler); - nfct_register_callback(cth, - nfct_default_conntrack_display, NULL); - res = nfct_event_conntrack(cth); - } else { + else cth = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS); - if (!cth) - exit_error(OTHER_PROBLEM, "Can't open handler"); - signal(SIGINT, event_sighandler); + + if (!cth) + exit_error(OTHER_PROBLEM, "Can't open handler"); + signal(SIGINT, event_sighandler); + + if (options & CT_OPT_PROTO) { + struct nfct_conntrack_compare cmp = { + .ct = ct, + .flag = 0, + .protoflag = extra_flags + }; nfct_register_callback(cth, - nfct_default_conntrack_display, - NULL); - res = nfct_event_conntrack(cth); + nfct_default_conntrack_display, (void *)&cmp); + } else { + nfct_register_callback(cth, + nfct_default_conntrack_display, NULL); } + res = nfct_event_conntrack(cth); nfct_close(cth); break; -- cgit v1.2.3
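Review bot: `cmp` is declared inside the `if (options & CT_OPT_PROTO)` block, but its address is handed to nfct_register_callback() and the callback only runs later, from `res = nfct_event_conntrack(cth);`, after that block has closed, so the library is driven with a pointer to an object whose lifetime has ended; that is undefined behaviour even if the stack slot usually survives in practice. Declare cmp in a scope that encloses the event loop, for example a compound block around both the registration and the nfct_event_conntrack() call, as below. The `ct` allocated at the top of the case is also never released on this path; if nfct_conntrack_free() is the matching release call in this library version it belongs next to `nfct_close(cth);`, and the allocation could be skipped when CT_OPT_PROTO is not set since cmp is the only user of it. main() starts and ends outside this hunk.
```c
			if (!cth)
				exit_error(OTHER_PROBLEM, "Can't open handler");
			signal(SIGINT, event_sighandler);

			{
				/* Must outlive nfct_event_conntrack(): the callback
				 * reads it while events are being processed. */
				struct nfct_conntrack_compare cmp = {
					.ct = ct,
					.flag = 0,
					.protoflag = extra_flags
				};
				void *data = (options & CT_OPT_PROTO) ? (void *)&cmp : NULL;

				nfct_register_callback(cth,
					nfct_default_conntrack_display, data);
				res = nfct_event_conntrack(cth);
			}
			nfct_close(cth);
```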