diff options
-rw-r--r-- | extensions/libipt_conntrack.man | 49 | ||||
-rw-r--r-- | extensions/libxt_conntrack.c (renamed from extensions/libipt_conntrack.c) | 231 | ||||
-rw-r--r-- | extensions/libxt_conntrack.man | 71 | ||||
-rw-r--r-- | include/linux/netfilter/xt_conntrack.h | 83 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ipt_conntrack.h | 77 |
5 files changed, 271 insertions, 240 deletions
diff --git a/extensions/libipt_conntrack.man b/extensions/libipt_conntrack.man deleted file mode 100644 index b732b28..0000000 --- a/extensions/libipt_conntrack.man +++ /dev/null @@ -1,49 +0,0 @@ -This module, when combined with connection tracking, allows access to -more connection tracking information than the "state" match. -(this module is present only if iptables was compiled under a kernel -supporting this feature) -.TP -.BI "--ctstate " "state" -Where state is a comma separated list of the connection states to -match. Possible states are -.B INVALID -meaning that the packet is associated with no known connection, -.B ESTABLISHED -meaning that the packet is associated with a connection which has seen -packets in both directions, -.B NEW -meaning that the packet has started a new connection, or otherwise -associated with a connection which has not seen packets in both -directions, and -.B RELATED -meaning that the packet is starting a new connection, but is -associated with an existing connection, such as an FTP data transfer, -or an ICMP error. -.B SNAT -A virtual state, matching if the original source address differs from -the reply destination. -.B DNAT -A virtual state, matching if the original destination differs from the -reply source. -.TP -.BI "--ctproto " "proto" -Protocol to match (by number or name) -.TP -.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]" -Match against original source address -.TP -.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]" -Match against original destination address -.TP -.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]" -Match against reply source address -.TP -.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]" -Match against reply destination address -.TP -.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]" -Match against internal conntrack states -.TP -.BI "--ctexpire " "\fItime\fP[\fI:time\fP]" -Match remaining lifetime in seconds against given value -or range of values (inclusive) diff --git a/extensions/libipt_conntrack.c b/extensions/libxt_conntrack.c index b0d444a..a4f9e12 100644 --- a/extensions/libipt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -2,80 +2,73 @@ * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). */ -#include <stdio.h> +#include <ctype.h> +#include <getopt.h> #include <netdb.h> -#include <string.h> +#include <stdio.h> #include <stdlib.h> -#include <getopt.h> -#include <ctype.h> +#include <string.h> #include <iptables.h> +#include <linux/netfilter.h> +#include <linux/netfilter/xt_conntrack.h> #include <linux/netfilter/nf_conntrack_common.h> -/* For 64bit kernel / 32bit userspace */ -#include "../include/linux/netfilter_ipv4/ipt_conntrack.h" - -#ifndef IPT_CONNTRACK_STATE_UNTRACKED -#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) -#endif /* Function which prints out usage message. */ -static void conntrack_help(void) +static void conntrack_mt_help(void) { printf( -"conntrack match v%s options:\n" -" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n" -" State(s) to match\n" -" [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'\n" -" --ctorigsrc [!] address[/mask]\n" -" Original source specification\n" -" --ctorigdst [!] address[/mask]\n" -" Original destination specification\n" -" --ctreplsrc [!] address[/mask]\n" -" Reply source specification\n" -" --ctrepldst [!] address[/mask]\n" -" Reply destination specification\n" -" [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]\n" -" Status(es) to match\n" -" [!] --ctexpire time[:time] Match remaining lifetime in seconds against\n" -" value or range of values (inclusive)\n" -"\n", IPTABLES_VERSION); +"conntrack match options:\n" +"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n" +" State(s) to match\n" +"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n" +"[!] --ctorigsrc address[/mask]\n" +"[!] --ctorigdst address[/mask]\n" +"[!] --ctreplsrc address[/mask]\n" +"[!] --ctrepldst address[/mask]\n" +" Original/Reply source/destination address\n" +"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n" +" Status(es) to match\n" +"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n" +" value or range of values (inclusive)\n" +"\n"); } -static const struct option conntrack_opts[] = { - { "ctstate", 1, NULL, '1' }, - { "ctproto", 1, NULL, '2' }, - { "ctorigsrc", 1, NULL, '3' }, - { "ctorigdst", 1, NULL, '4' }, - { "ctreplsrc", 1, NULL, '5' }, - { "ctrepldst", 1, NULL, '6' }, - { "ctstatus", 1, NULL, '7' }, - { "ctexpire", 1, NULL, '8' }, - { } +static const struct option conntrack_mt_opts[] = { + {.name = "ctstate", .has_arg = true, .val = '1'}, + {.name = "ctproto", .has_arg = true, .val = '2'}, + {.name = "ctorigsrc", .has_arg = true, .val = '3'}, + {.name = "ctorigdst", .has_arg = true, .val = '4'}, + {.name = "ctreplsrc", .has_arg = true, .val = '5'}, + {.name = "ctrepldst", .has_arg = true, .val = '6'}, + {.name = "ctstatus", .has_arg = true, .val = '7'}, + {.name = "ctexpire", .has_arg = true, .val = '8'}, + {}, }; static int -parse_state(const char *state, size_t strlen, struct ipt_conntrack_info *sinfo) +parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo) { if (strncasecmp(state, "INVALID", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_INVALID; + sinfo->statemask |= XT_CONNTRACK_STATE_INVALID; else if (strncasecmp(state, "NEW", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_NEW); + sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW); else if (strncasecmp(state, "ESTABLISHED", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED); + sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED); else if (strncasecmp(state, "RELATED", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED); + sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED); else if (strncasecmp(state, "UNTRACKED", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_UNTRACKED; + sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED; else if (strncasecmp(state, "SNAT", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT; + sinfo->statemask |= XT_CONNTRACK_STATE_SNAT; else if (strncasecmp(state, "DNAT", strlen) == 0) - sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT; + sinfo->statemask |= XT_CONNTRACK_STATE_DNAT; else return 0; return 1; } static void -parse_states(const char *arg, struct ipt_conntrack_info *sinfo) +parse_states(const char *arg, struct xt_conntrack_info *sinfo) { const char *comma; @@ -90,7 +83,7 @@ parse_states(const char *arg, struct ipt_conntrack_info *sinfo) } static int -parse_status(const char *status, size_t strlen, struct ipt_conntrack_info *sinfo) +parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo) { if (strncasecmp(status, "NONE", strlen) == 0) sinfo->statusmask |= 0; @@ -110,7 +103,7 @@ parse_status(const char *status, size_t strlen, struct ipt_conntrack_info *sinfo } static void -parse_statuses(const char *arg, struct ipt_conntrack_info *sinfo) +parse_statuses(const char *arg, struct xt_conntrack_info *sinfo) { const char *comma; @@ -128,7 +121,7 @@ static unsigned long parse_expire(const char *s) { unsigned int len; - + if (string_to_number(s, 0, 0, &len) == -1) exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s); else @@ -137,7 +130,7 @@ parse_expire(const char *s) /* If a single value is provided, min and max are both set to the value */ static void -parse_expires(const char *s, struct ipt_conntrack_info *sinfo) +parse_expires(const char *s, struct xt_conntrack_info *sinfo) { char *buffer; char *cp; @@ -153,7 +146,7 @@ parse_expires(const char *s, struct ipt_conntrack_info *sinfo) sinfo->expires_max = cp[0] ? parse_expire(cp) : -1; } free(buffer); - + if (sinfo->expires_min > sinfo->expires_max) exit_error(PARAMETER_PROBLEM, "expire min. range value `%lu' greater than max. " @@ -165,7 +158,7 @@ parse_expires(const char *s, struct ipt_conntrack_info *sinfo) static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { - struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)(*match)->data; + struct xt_conntrack_info *sinfo = (void *)(*match)->data; char *protocol = NULL; unsigned int naddrs = 0; struct in_addr *addrs = NULL; @@ -177,16 +170,16 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, parse_states(argv[optind-1], sinfo); if (invert) { - sinfo->invflags |= IPT_CONNTRACK_STATE; + sinfo->invflags |= XT_CONNTRACK_STATE; } - sinfo->flags |= IPT_CONNTRACK_STATE; + sinfo->flags |= XT_CONNTRACK_STATE; break; case '2': check_inverse(optarg, &invert, &optind, 0); if(invert) - sinfo->invflags |= IPT_CONNTRACK_PROTO; + sinfo->invflags |= XT_CONNTRACK_PROTO; /* Canonicalize into lower case */ for (protocol = argv[optind-1]; *protocol; protocol++) @@ -196,18 +189,18 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol); if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 - && (sinfo->invflags & IPT_INV_PROTO)) + && (sinfo->invflags & XT_INV_PROTO)) exit_error(PARAMETER_PROBLEM, "rule would never match protocol"); - sinfo->flags |= IPT_CONNTRACK_PROTO; + sinfo->flags |= XT_CONNTRACK_PROTO; break; case '3': check_inverse(optarg, &invert, &optind, 0); if (invert) - sinfo->invflags |= IPT_CONNTRACK_ORIGSRC; + sinfo->invflags |= XT_CONNTRACK_ORIGSRC; parse_hostnetworkmask(argv[optind-1], &addrs, &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], @@ -220,14 +213,14 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr; } - sinfo->flags |= IPT_CONNTRACK_ORIGSRC; + sinfo->flags |= XT_CONNTRACK_ORIGSRC; break; case '4': check_inverse(optarg, &invert, &optind, 0); if (invert) - sinfo->invflags |= IPT_CONNTRACK_ORIGDST; + sinfo->invflags |= XT_CONNTRACK_ORIGDST; parse_hostnetworkmask(argv[optind-1], &addrs, &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], @@ -240,14 +233,14 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr; } - sinfo->flags |= IPT_CONNTRACK_ORIGDST; + sinfo->flags |= XT_CONNTRACK_ORIGDST; break; case '5': check_inverse(optarg, &invert, &optind, 0); if (invert) - sinfo->invflags |= IPT_CONNTRACK_REPLSRC; + sinfo->invflags |= XT_CONNTRACK_REPLSRC; parse_hostnetworkmask(argv[optind-1], &addrs, &sinfo->sipmsk[IP_CT_DIR_REPLY], @@ -260,14 +253,14 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr; } - sinfo->flags |= IPT_CONNTRACK_REPLSRC; + sinfo->flags |= XT_CONNTRACK_REPLSRC; break; case '6': check_inverse(optarg, &invert, &optind, 0); if (invert) - sinfo->invflags |= IPT_CONNTRACK_REPLDST; + sinfo->invflags |= XT_CONNTRACK_REPLDST; parse_hostnetworkmask(argv[optind-1], &addrs, &sinfo->dipmsk[IP_CT_DIR_REPLY], @@ -280,7 +273,7 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr; } - sinfo->flags |= IPT_CONNTRACK_REPLDST; + sinfo->flags |= XT_CONNTRACK_REPLDST; break; case '7': @@ -288,9 +281,9 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, parse_statuses(argv[optind-1], sinfo); if (invert) { - sinfo->invflags |= IPT_CONNTRACK_STATUS; + sinfo->invflags |= XT_CONNTRACK_STATUS; } - sinfo->flags |= IPT_CONNTRACK_STATUS; + sinfo->flags |= XT_CONNTRACK_STATUS; break; case '8': @@ -298,9 +291,9 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, parse_expires(argv[optind-1], sinfo); if (invert) { - sinfo->invflags |= IPT_CONNTRACK_EXPIRES; + sinfo->invflags |= XT_CONNTRACK_EXPIRES; } - sinfo->flags |= IPT_CONNTRACK_EXPIRES; + sinfo->flags |= XT_CONNTRACK_EXPIRES; break; default: @@ -311,9 +304,9 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags, return 1; } -static void conntrack_check(unsigned int flags) +static void conntrack_mt_check(unsigned int flags) { - if (!flags) + if (flags == 0) exit_error(PARAMETER_PROBLEM, "You must specify one or more options"); } @@ -322,31 +315,31 @@ print_state(unsigned int statemask) { const char *sep = ""; - if (statemask & IPT_CONNTRACK_STATE_INVALID) { + if (statemask & XT_CONNTRACK_STATE_INVALID) { printf("%sINVALID", sep); sep = ","; } - if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_NEW)) { + if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) { printf("%sNEW", sep); sep = ","; } - if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) { + if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) { printf("%sRELATED", sep); sep = ","; } - if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) { + if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) { printf("%sESTABLISHED", sep); sep = ","; } - if (statemask & IPT_CONNTRACK_STATE_UNTRACKED) { + if (statemask & XT_CONNTRACK_STATE_UNTRACKED) { printf("%sUNTRACKED", sep); sep = ","; } - if (statemask & IPT_CONNTRACK_STATE_SNAT) { + if (statemask & XT_CONNTRACK_STATE_SNAT) { printf("%sSNAT", sep); sep = ","; } - if (statemask & IPT_CONNTRACK_STATE_DNAT) { + if (statemask & XT_CONNTRACK_STATE_DNAT) { printf("%sDNAT", sep); sep = ","; } @@ -388,8 +381,8 @@ print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric) { char buf[BUFSIZ]; - if (inv) - printf("! "); + if (inv) + printf("! "); if (mask->s_addr == 0L && !numeric) printf("%s ", "anywhere"); @@ -407,73 +400,81 @@ print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric) static void matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx) { - struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)match->data; + struct xt_conntrack_info *sinfo = (void *)match->data; - if(sinfo->flags & IPT_CONNTRACK_STATE) { - printf("%sctstate ", optpfx); - if (sinfo->invflags & IPT_CONNTRACK_STATE) + if(sinfo->flags & XT_CONNTRACK_STATE) { + if (sinfo->invflags & XT_CONNTRACK_STATE) printf("! "); + printf("%sctstate ", optpfx); print_state(sinfo->statemask); } - if(sinfo->flags & IPT_CONNTRACK_PROTO) { - printf("%sctproto ", optpfx); - if (sinfo->invflags & IPT_CONNTRACK_PROTO) + if(sinfo->flags & XT_CONNTRACK_PROTO) { + if (sinfo->invflags & XT_CONNTRACK_PROTO) printf("! "); + printf("%sctproto ", optpfx); printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum); } - if(sinfo->flags & IPT_CONNTRACK_ORIGSRC) { + if(sinfo->flags & XT_CONNTRACK_ORIGSRC) { + if (sinfo->invflags & XT_CONNTRACK_ORIGSRC) + printf("! "); printf("%sctorigsrc ", optpfx); print_addr( (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], - sinfo->invflags & IPT_CONNTRACK_ORIGSRC, + false, numeric); } - if(sinfo->flags & IPT_CONNTRACK_ORIGDST) { + if(sinfo->flags & XT_CONNTRACK_ORIGDST) { + if (sinfo->invflags & XT_CONNTRACK_ORIGDST) + printf("! "); printf("%sctorigdst ", optpfx); print_addr( (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], - sinfo->invflags & IPT_CONNTRACK_ORIGDST, + false, numeric); } - if(sinfo->flags & IPT_CONNTRACK_REPLSRC) { + if(sinfo->flags & XT_CONNTRACK_REPLSRC) { + if (sinfo->invflags & XT_CONNTRACK_REPLSRC) + printf("! "); printf("%sctreplsrc ", optpfx); print_addr( (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip, &sinfo->sipmsk[IP_CT_DIR_REPLY], - sinfo->invflags & IPT_CONNTRACK_REPLSRC, + false, numeric); } - if(sinfo->flags & IPT_CONNTRACK_REPLDST) { + if(sinfo->flags & XT_CONNTRACK_REPLDST) { + if (sinfo->invflags & XT_CONNTRACK_REPLDST) + printf("! "); printf("%sctrepldst ", optpfx); print_addr( (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, &sinfo->dipmsk[IP_CT_DIR_REPLY], - sinfo->invflags & IPT_CONNTRACK_REPLDST, + false, numeric); } - if(sinfo->flags & IPT_CONNTRACK_STATUS) { - printf("%sctstatus ", optpfx); - if (sinfo->invflags & IPT_CONNTRACK_STATUS) + if(sinfo->flags & XT_CONNTRACK_STATUS) { + if (sinfo->invflags & XT_CONNTRACK_STATUS) printf("! "); + printf("%sctstatus ", optpfx); print_status(sinfo->statusmask); } - if(sinfo->flags & IPT_CONNTRACK_EXPIRES) { - printf("%sctexpire ", optpfx); - if (sinfo->invflags & IPT_CONNTRACK_EXPIRES) + if(sinfo->flags & XT_CONNTRACK_EXPIRES) { + if (sinfo->invflags & XT_CONNTRACK_EXPIRES) printf("! "); + printf("%sctexpire ", optpfx); if (sinfo->expires_max == sinfo->expires_min) printf("%lu ", sinfo->expires_min); @@ -495,20 +496,22 @@ static void conntrack_save(const void *ip, const struct xt_entry_match *match) matchinfo_print(ip, match, 1, "--"); } -static struct iptables_match conntrack_match = { - .name = "conntrack", - .version = IPTABLES_VERSION, - .size = IPT_ALIGN(sizeof(struct ipt_conntrack_info)), - .userspacesize = IPT_ALIGN(sizeof(struct ipt_conntrack_info)), - .help = conntrack_help, - .parse = conntrack_parse, - .final_check = conntrack_check, - .print = conntrack_print, - .save = conntrack_save, - .extra_opts = conntrack_opts, +static struct xtables_match conntrack_match = { + .version = IPTABLES_VERSION, + .name = "conntrack", + .revision = 0, + .family = AF_INET, + .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .help = conntrack_mt_help, + .parse = conntrack_parse, + .final_check = conntrack_mt_check, + .print = conntrack_print, + .save = conntrack_save, + .extra_opts = conntrack_mt_opts, }; void _init(void) { - register_match(&conntrack_match); + xtables_register_match(&conntrack_match); } diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man new file mode 100644 index 0000000..b852bca --- /dev/null +++ b/extensions/libxt_conntrack.man @@ -0,0 +1,71 @@ +This module, when combined with connection tracking, allows access to the +connection tracking state for this packet/connection. +.TP +[\fB!\fR] \fB--ctstate\fR \fIstatelist\fR +\fIstatelist\fR is a comma separated list of the connection states to match. +Possible states are listed below. +.TP +[\fB!\fR] \fB--ctproto\fR \fIl4proto\fR +Layer-4 protocol to match (by number or name) +.TP +[\fB!\fR] \fB--ctorigsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR] +Match against original source address +.TP +[\fB!\fR] \fB--ctorigdst\fR \fIaddress\fR[\fB/\fR\fImask\fR] +Match against original destination address +.TP +[\fB!\fR] \fB--ctreplsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR] +Match against reply source address +.TP +[\fB!\fR] \fB--ctrepldst\fR \fIaddress\fR[\fB/\fR\fImask\fR] +Match against reply destination address +.TP +[\fB!\fR] \fB--ctstatus\fR \fIstatelist\fR +\fIstatuslist\fR is a comma separated list of the connection statuses to match. +Possible statuses are listed below. +.TP +[\fB!\fR] \fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR] +Match remaining lifetime in seconds against given value or range of values +(inclusive) +.PP +States for \fB--ctstate\fR: +.TP +\fBINVALID\fR +meaning that the packet is associated with no known connection +.TP +\fBNEW\fR +meaning that the packet has started a new connection, or otherwise associated +with a connection which has not seen packets in both directions, and +.TP +\fBESTABLISHED\fR +meaning that the packet is associated with a connection which has seen packets +in both directions, +.TP +\fBRELATED\fR +meaning that the packet is starting a new connection, but is associated with an +existing connection, such as an FTP data transfer, or an ICMP error. +.TP +\fBSNAT\fR +A virtual state, matching if the original source address differs from the reply +destination. +.TP +\fBDNAT\fR +A virtual state, matching if the original destination differs from the reply +source. +.PP +Statuses for \fB--ctstatus\fR: +.TP +\fBNONE\fR +None of the below. +.TP +\fBEXPECTED\fR +This is an expected connection (i.e. a conntrack helper set it up) +.TP +\fBSEEN_REPLY\fR +Conntrack has seen packets in both directions. +.TP +\fBASSURED\fR +Conntrack entry should never be early-expired. +.TP +\fBCONFIRMED\fR +Connection is confirmed: originating packet has left box. diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h new file mode 100644 index 0000000..9e35ccd --- /dev/null +++ b/include/linux/netfilter/xt_conntrack.h @@ -0,0 +1,83 @@ +/* Header file for kernel module to match connection tracking information. + * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). + */ + +#ifndef _XT_CONNTRACK_H +#define _XT_CONNTRACK_H + +#include <linux/netfilter/nf_conntrack_tuple_common.h> + +#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) +#define XT_CONNTRACK_STATE_INVALID (1 << 0) + +#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) +#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) +#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) + +/* flags, invflags: */ +enum { + XT_CONNTRACK_STATE = 1 << 0, + XT_CONNTRACK_PROTO = 1 << 1, + XT_CONNTRACK_ORIGSRC = 1 << 2, + XT_CONNTRACK_ORIGDST = 1 << 3, + XT_CONNTRACK_REPLSRC = 1 << 4, + XT_CONNTRACK_REPLDST = 1 << 5, + XT_CONNTRACK_STATUS = 1 << 6, + XT_CONNTRACK_EXPIRES = 1 << 7, + XT_CONNTRACK_ORIGSRC_PORT = 1 << 8, + XT_CONNTRACK_ORIGDST_PORT = 1 << 9, + XT_CONNTRACK_REPLSRC_PORT = 1 << 10, + XT_CONNTRACK_REPLDST_PORT = 1 << 11, + XT_CONNTRACK_DIRECTION = 1 << 12, +}; + +/* This is exposed to userspace, so remains frozen in time. */ +struct ip_conntrack_old_tuple +{ + struct { + __be32 ip; + union { + __u16 all; + } u; + } src; + + struct { + __be32 ip; + union { + __u16 all; + } u; + + /* The protocol. */ + __u16 protonum; + } dst; +}; + +struct xt_conntrack_info +{ + unsigned int statemask, statusmask; + + struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; + struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; + + unsigned long expires_min, expires_max; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; + +struct xt_conntrack_mtinfo1 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + u_int32_t expires_min, expires_max; + u_int16_t l4proto; + u_int16_t origsrc_port, origdst_port; + u_int16_t replsrc_port, repldst_port; + u_int16_t match_flags, invert_flags; + u_int8_t state_mask, status_mask; +}; + +#endif /*_XT_CONNTRACK_H*/ diff --git a/include/linux/netfilter_ipv4/ipt_conntrack.h b/include/linux/netfilter_ipv4/ipt_conntrack.h deleted file mode 100644 index 54a9985..0000000 --- a/include/linux/netfilter_ipv4/ipt_conntrack.h +++ /dev/null @@ -1,77 +0,0 @@ -/* Header file for kernel module to match connection tracking information. - * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). - */ - -#ifndef _IPT_CONNTRACK_H -#define _IPT_CONNTRACK_H - -#include <linux/netfilter/nf_conntrack_common.h> - -/* backwards compatibility crap. only exists in userspace - HW */ -#include <linux/version.h> -#ifndef KERNEL_VERSION -#define KERNEL_VERSION(a,b,c) (((a) << 16) | ((b) << 8) | (c)) -#endif - -#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,4,18)) || !defined IPS_EXPECTED -#define IPS_EXPECTED (1 << 0) -#define IPS_SEEN_REPLY (1 << 1) -#define IPS_ASSURED (1 << 2) -#define IP_CT_DIR_ORIGINAL 0 -#define IP_CT_DIR_REPLY 1 -#define IP_CT_DIR_MAX 2 -#endif - -#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) -#define IPT_CONNTRACK_STATE_INVALID (1 << 0) - -#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1)) -#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2)) -#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3)) - -/* flags, invflags: */ -#define IPT_CONNTRACK_STATE 0x01 -#define IPT_CONNTRACK_PROTO 0x02 -#define IPT_CONNTRACK_ORIGSRC 0x04 -#define IPT_CONNTRACK_ORIGDST 0x08 -#define IPT_CONNTRACK_REPLSRC 0x10 -#define IPT_CONNTRACK_REPLDST 0x20 -#define IPT_CONNTRACK_STATUS 0x40 -#define IPT_CONNTRACK_EXPIRES 0x80 - -/* This is exposed to userspace, so remains frozen in time. */ -struct ip_conntrack_old_tuple -{ - struct { - u_int32_t ip; - union { - u_int16_t all; - } u; - } src; - - struct { - u_int32_t ip; - union { - u_int16_t all; - } u; - - /* The protocol. */ - u_int16_t protonum; - } dst; -}; - -struct ipt_conntrack_info -{ - unsigned int statemask, statusmask; - - struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; - struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; - - unsigned long expires_min, expires_max; - - /* Flags word */ - u_int8_t flags; - /* Inverse flags */ - u_int8_t invflags; -}; -#endif /*_IPT_CONNTRACK_H*/ |