diff options
Diffstat (limited to 'extensions/libxt_conntrack.c')
-rw-r--r-- | extensions/libxt_conntrack.c | 54 |
1 files changed, 42 insertions, 12 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index e1d85755..8e1777e3 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -93,7 +93,8 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, + XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST, @@ -110,13 +111,45 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = { }; #undef s +#define s struct xt_conntrack_mtinfo2 +/* We exploit the fact that v1-v2 share the same xt_o_e layout */ +static const struct xt_option_entry conntrack2_mt_opts[] = { + {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, + .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, + {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, + .flags = XTOPT_INVERT}, + {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING}, + XTOPT_TABLEEND, +}; +#undef s + #define s struct xt_conntrack_mtinfo3 /* for v1-v3 */ /* We exploit the fact that v1-v3 share the same layout */ -static const struct xt_option_entry conntrack_mt_opts[] = { +static const struct xt_option_entry conntrack3_mt_opts[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, @@ -305,8 +338,6 @@ static void conntrack_parse(struct xt_option_call *cb) case O_CTPROTO: if (cb->invert) sinfo->invflags |= XT_CONNTRACK_PROTO; - sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol; - if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 && (sinfo->invflags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, @@ -369,7 +400,6 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev) info->invert_flags |= XT_CONNTRACK_STATE; break; case O_CTPROTO: - info->l4proto = cb->val.protocol; if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, "conntrack: rule would " "never match protocol"); @@ -992,7 +1022,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt4_print, .save = conntrack1_mt4_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1006,7 +1036,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt6_print, .save = conntrack1_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1020,7 +1050,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt_print, .save = conntrack2_mt_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1034,7 +1064,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt6_print, .save = conntrack2_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1048,7 +1078,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt_print, .save = conntrack3_mt_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack3_mt_opts, }, { .version = XTABLES_VERSION, @@ -1062,7 +1092,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt6_print, .save = conntrack3_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack3_mt_opts, }, }; |