author | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org> | 2007-05-06 17:39:00 +0000 |
---|---|---|
committer | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org> | 2007-05-06 17:39:00 +0000 |
commit | 84f120b150d14adb1cefec601e28b2522612a620 (patch) | |
tree | cc96e2849a8e7be3ec9a36759b8fe5ad84d0ffa4 | |
parent | 04678e577c875efdefc93a0450688ca60cc93cd8 (diff) |
- add warning note to ctnl_test.c: old API is deprecated
- split expect_api_test.c into small example files expect_*.c
- introduce alias tags for original tuple attributes
- introduce nfexp_sizeof and nfexp_maxsize
- build expectation attributes if and only if they are set
- fix l3num setting in expect/build.c
-rw-r--r-- | include/libnetfilter_conntrack/libnetfilter_conntrack.h | 80 | ||||
-rw-r--r-- | src/expect/api.c | 29 | ||||
-rw-r--r-- | src/expect/build.c | 48 | ||||
-rw-r--r-- | utils/Makefile.am | 32 | ||||
-rw-r--r-- | utils/ctnl_test.c | 4 | ||||
-rw-r--r-- | utils/expect_api_test.c | 160 | ||||
-rw-r--r-- | utils/expect_create.c | 117 | ||||
-rw-r--r-- | utils/expect_delete.c | 50 | ||||
-rw-r--r-- | utils/expect_dump.c | 40 | ||||
-rw-r--r-- | utils/expect_events.c | 48 | ||||
-rw-r--r-- | utils/expect_flush.c | 27 | ||||
-rw-r--r-- | utils/expect_get.c | 63 |
12 files changed, 477 insertions, 221 deletions
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h index 75eb6dc..174cf6f 100644 --- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h +++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h 
@@ -56,39 +56,47 @@ struct nf_conntrack; /* conntrack attributes */ enum nf_conntrack_attr { - ATTR_ORIG_IPV4_SRC = 0, /* u32 bits */ - ATTR_ORIG_IPV4_DST, /* u32 bits */ - ATTR_REPL_IPV4_SRC, /* u32 bits */ - ATTR_REPL_IPV4_DST, /* u32 bits */ - ATTR_ORIG_IPV6_SRC = 4, /* u128 bits */ - ATTR_ORIG_IPV6_DST, /* u128 bits */ - ATTR_REPL_IPV6_SRC, /* u128 bits */ - ATTR_REPL_IPV6_DST, /* u128 bits */ - ATTR_ORIG_PORT_SRC = 8, /* u16 bits */ - ATTR_ORIG_PORT_DST, /* u16 bits */ - ATTR_REPL_PORT_SRC, /* u16 bits */ - ATTR_REPL_PORT_DST, /* u16 bits */ - ATTR_ICMP_TYPE = 12, /* u8 bits */ - ATTR_ICMP_CODE, /* u8 bits */ - ATTR_ICMP_ID, /* u16 bits */ - ATTR_ORIG_L3PROTO, /* u8 bits */ - ATTR_REPL_L3PROTO = 16, /* u8 bits */ - ATTR_ORIG_L4PROTO, /* u8 bits */ - ATTR_REPL_L4PROTO, /* u8 bits */ - ATTR_TCP_STATE, /* u8 bits */ - ATTR_SNAT_IPV4 = 20, /* u32 bits */ - ATTR_DNAT_IPV4, /* u32 bits */ - ATTR_SNAT_PORT, /* u16 bits */ - ATTR_DNAT_PORT, /* u16 bits */ - ATTR_TIMEOUT = 24, /* u32 bits */ - ATTR_MARK, /* u32 bits */ - ATTR_ORIG_COUNTER_PACKETS, /* u32 bits */ - ATTR_REPL_COUNTER_PACKETS, /* u32 bits */ - ATTR_ORIG_COUNTER_BYTES = 28, /* u32 bits */ - ATTR_REPL_COUNTER_BYTES, /* u32 bits */ - ATTR_USE, /* u32 bits */ - ATTR_ID, /* u32 bits */ - ATTR_STATUS = 32, /* u32 bits */ + ATTR_ORIG_IPV4_SRC = 0, /* u32 bits */ + ATTR_IPV4_SRC = ATTR_ORIG_IPV4_SRC, /* alias */ + ATTR_ORIG_IPV4_DST, /* u32 bits */ + ATTR_IPV4_DST = ATTR_ORIG_IPV4_DST, /* alias */ + ATTR_REPL_IPV4_SRC, /* u32 bits */ + ATTR_REPL_IPV4_DST, /* u32 bits */ + ATTR_ORIG_IPV6_SRC = 4, /* u128 bits */ + ATTR_IPV6_SRC = ATTR_ORIG_IPV6_SRC, /* alias */ + ATTR_ORIG_IPV6_DST, /* u128 bits */ + ATTR_IPV6_DST = ATTR_ORIG_IPV6_DST, /* alias */ + ATTR_REPL_IPV6_SRC, /* u128 bits */ + ATTR_REPL_IPV6_DST, /* u128 bits */ + ATTR_ORIG_PORT_SRC = 8, /* u16 bits */ + ATTR_PORT_SRC = ATTR_ORIG_PORT_SRC, /* alias */ + ATTR_ORIG_PORT_DST, /* u16 bits */ + ATTR_PORT_DST = ATTR_ORIG_PORT_DST, /* alias */ + 
ATTR_REPL_PORT_SRC, /* u16 bits */ + ATTR_REPL_PORT_DST, /* u16 bits */ + ATTR_ICMP_TYPE = 12, /* u8 bits */ + ATTR_ICMP_CODE, /* u8 bits */ + ATTR_ICMP_ID, /* u16 bits */ + ATTR_ORIG_L3PROTO, /* u8 bits */ + ATTR_L3PROTO = ATTR_ORIG_L3PROTO, /* alias */ + ATTR_REPL_L3PROTO = 16, /* u8 bits */ + ATTR_ORIG_L4PROTO, /* u8 bits */ + ATTR_L4PROTO = ATTR_ORIG_L4PROTO, /* alias */ + ATTR_REPL_L4PROTO, /* u8 bits */ + ATTR_TCP_STATE, /* u8 bits */ + ATTR_SNAT_IPV4 = 20, /* u32 bits */ + ATTR_DNAT_IPV4, /* u32 bits */ + ATTR_SNAT_PORT, /* u16 bits */ + ATTR_DNAT_PORT, /* u16 bits */ + ATTR_TIMEOUT = 24, /* u32 bits */ + ATTR_MARK, /* u32 bits */ + ATTR_ORIG_COUNTER_PACKETS, /* u32 bits */ + ATTR_REPL_COUNTER_PACKETS, /* u32 bits */ + ATTR_ORIG_COUNTER_BYTES = 28, /* u32 bits */ + ATTR_REPL_COUNTER_BYTES, /* u32 bits */ + ATTR_USE, /* u32 bits */ + ATTR_ID, /* u32 bits */ + ATTR_STATUS = 32, /* u32 bits */ ATTR_MAX }; @@ -289,6 +297,12 @@ extern void nfexp_destroy(struct nf_expect *exp); /* clone */ extern struct nf_expect *nfexp_clone(const struct nf_expect *exp); +/* object size */ +extern size_t nfexp_sizeof(const struct nf_expect *exp); + +/* maximum object size */ +extern size_t nfexp_maxsize(void); + /* register / unregister callback */ extern int nfexp_callback_register(struct nfct_handle *h, diff --git a/src/expect/api.c b/src/expect/api.c index 127846a..5c3868c 100644 --- a/src/expect/api.c +++ b/src/expect/api.c 
@@ -43,6 +43,35 @@ void nfexp_destroy(struct nf_expect *exp) } /** + * nfexp_sizeof - return the size in bytes of a certain expect object + * @exp: pointer to the expect object + */ +size_t nfexp_sizeof(const struct nf_expect *exp) +{ + assert(exp != NULL); + return sizeof(*exp); +} + +/** + * nfexp_maxsize - return the maximum size in bytes of a expect object + * + * Use this function if you want to allocate a expect object in the stack + * instead of the heap. For example: + * + * char buf[nfexp_maxsize()]; + * struct nf_expect *exp = (struct nf_expect *) buf; + * memset(exp, 0, nfexp_maxsize()); + * + * Note: As for now this function returns the same size that nfexp_sizeof(exp) + * does although _this could change in the future_. Therefore, do not assume + * that nfexp_sizeof(exp) == nfexp_maxsize(). + */ +size_t nfexp_maxsize() +{ + return sizeof(struct nf_expect); +} + +/** * nfexp_clone - clone a expectation object * @exp: pointer to a valid expectation object * diff --git a/src/expect/build.c b/src/expect/build.c index 501263a..0415621 100644 --- a/src/expect/build.c +++ b/src/expect/build.c 
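Review bot: The usage example in the nfexp_maxsize() comment casts a plain `char buf[nfexp_maxsize()]` to `struct nf_expect *`, and a char array carries no alignment guarantee for that struct, so callers who copy the example can end up with misaligned accesses on strict-alignment targets. The example should either state that the buffer must be suitably aligned for `struct nf_expect` or point callers to nfexp_new() instead. Separately, the definition is written `size_t nfexp_maxsize()` while the header hunk declares `nfexp_maxsize(void)`; writing `size_t nfexp_maxsize(void)` keeps the two in agreement. Note also that `assert(exp != NULL)` in nfexp_sizeof() disappears under NDEBUG, although `sizeof(*exp)` never dereferences the pointer at run time.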
@@ -21,35 +21,37 @@ int __build_expect(struct nfnl_subsys_handle *ssh, u_int16_t flags, const struct nf_expect *exp) { - u_int8_t l3num = exp->master.tuple[NFCT_DIR_ORIGINAL].l3protonum; + u_int8_t l3num; - if (!test_bit(ATTR_ORIG_L3PROTO, exp->master.set)) { - errno = EINVAL; - return -1; - } + if (test_bit(ATTR_ORIG_L3PROTO, exp->master.set)) + l3num = exp->master.tuple[NFCT_DIR_ORIGINAL].l3protonum; + else if (test_bit(ATTR_ORIG_L3PROTO, exp->expected.set)) + l3num = exp->expected.tuple[NFCT_DIR_ORIGINAL].l3protonum; memset(req, 0, size); nfnl_fill_hdr(ssh, &req->nlh, 0, l3num, 0, type, flags); - __build_tuple(req, - size, - &exp->expected.tuple[__DIR_ORIG], - CTA_EXPECT_TUPLE); - - /* get and delete only require the expectation tuple */ - if (type == IPCTNL_MSG_EXP_GET || type == IPCTNL_MSG_EXP_DELETE) - return 0; - - __build_tuple(req, - size, - &exp->master.tuple[__DIR_ORIG], - CTA_EXPECT_MASTER); - - __build_tuple(req, - size, - &exp->mask.tuple[__DIR_ORIG], - CTA_EXPECT_MASK); + if (test_bit(ATTR_EXP_EXPECTED, exp->set)) { + __build_tuple(req, + size, + &exp->expected.tuple[__DIR_ORIG], + CTA_EXPECT_TUPLE); + } + + if (test_bit(ATTR_EXP_MASTER, exp->set)) { + __build_tuple(req, + size, + &exp->master.tuple[__DIR_ORIG], + CTA_EXPECT_MASTER); + } + + if (test_bit(ATTR_EXP_MASK, exp->set)) { + __build_tuple(req, + size, + &exp->mask.tuple[__DIR_ORIG], + CTA_EXPECT_MASK); + } if (test_bit(ATTR_EXP_TIMEOUT, exp->set)) __build_timeout(req, size, exp); diff --git a/utils/Makefile.am b/utils/Makefile.am index e2f387d..f01e153 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am 
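Review bot: In src/expect/build.c `l3num` is left uninitialised when ATTR_ORIG_L3PROTO is set in neither `exp->master.set` nor `exp->expected.set`, because the new if/else-if chain has no final branch and the old EINVAL check was dropped. The indeterminate byte is then passed to `nfnl_fill_hdr()` and presumably ends up in the netlink request sent to the kernel. Restore the failure path by ending the chain with `else { errno = EINVAL; return -1; }` ahead of `memset(req, 0, size)`. The parameter list of __build_expect() starts outside this hunk and its body continues past it.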
@@ -1,15 +1,37 @@ include $(top_srcdir)/Make_global.am -bin_PROGRAMS = ctnl_test new_api_test expect_api_test +bin_PROGRAMS = ctnl_test new_api_test \ + expect_dump expect_create expect_get expect_delete \ + expect_flush expect_events new_api_test_SOURCES = new_api_test.c new_api_test_LDADD = ../src/libnetfilter_conntrack.la new_api_test_LDFLAGS = -dynamic -ldl -expect_api_test_SOURCES = expect_api_test.c -expect_api_test_LDADD = ../src/libnetfilter_conntrack.la -expect_api_test_LDFLAGS = -dynamic -ldl - ctnl_test_SOURCES = ctnl_test.c ctnl_test_LDADD = ../src/libnetfilter_conntrack.la ctnl_test_LDFLAGS = -dynamic -ldl + +expect_dump_SOURCES = expect_dump.c +expect_dump_LDADD = ../src/libnetfilter_conntrack.la +expect_dump_LDFLAGS = -dynamic -ldl + +expect_create_SOURCES = expect_create.c +expect_create_LDADD = ../src/libnetfilter_conntrack.la +expect_create_LDFLAGS = -dynamic -ldl + +expect_get_SOURCES = expect_get.c +expect_get_LDADD = ../src/libnetfilter_conntrack.la +expect_get_LDFLAGS = -dynamic -ldl + +expect_delete_SOURCES = expect_delete.c +expect_delete_LDADD = ../src/libnetfilter_conntrack.la +expect_delete_LDFLAGS = -dynamic -ldl + +expect_flush_SOURCES = expect_flush.c +expect_flush_LDADD = ../src/libnetfilter_conntrack.la +expect_flush_LDFLAGS = -dynamic -ldl + +expect_events_SOURCES = expect_events.c +expect_events_LDADD = ../src/libnetfilter_conntrack.la +expect_events_LDFLAGS = -dynamic -ldl diff --git a/utils/ctnl_test.c b/utils/ctnl_test.c index 78f26d6..381f697 100644 --- a/utils/ctnl_test.c +++ b/utils/ctnl_test.c @@ -7,6 +7,10 @@ * (at your option) any later version. * * libnetfilter_conntrack test file: yet incomplete + * + * XXX: This is the test file for the *old* libnetfilter_conntrack API. + * Please, do not use this API for new applications since the old + * API will be removed soon. */ #include <stdio.h> diff --git a/utils/expect_api_test.c b/utils/expect_api_test.c deleted file mode 100644 index e075b10..0000000 
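Review bot: The six new expect_* examples in utils/Makefile.am are added to `bin_PROGRAMS`, so `make install` places them in the binary directory next to real tools, although they create, delete and flush kernel expectation state using hard-coded tuples. If they are meant only as API examples, list them under `noinst_PROGRAMS` (or `check_PROGRAMS`) instead. ctnl_test and new_api_test, already in the list, would benefit from the same move.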
--- a/utils/expect_api_test.c +++ /dev/null 
@@ -1,160 +0,0 @@ -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> - -#include <libnetfilter_conntrack/libnetfilter_conntrack.h> -#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h> - -static int cb(enum nf_conntrack_msg_type type, - struct nf_expect *exp, - void *data) -{ - char buf[1024]; - - nfexp_snprintf(buf, 1024, exp, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0); - printf("%s\n", buf); - - return NFCT_CB_CONTINUE; -} - -static int event_cb(enum nf_conntrack_msg_type type, - struct nf_expect *exp, - void *data) -{ - static int n = 0; - char buf[1024]; - - nfexp_snprintf(buf, 1024, exp, type, NFCT_O_DEFAULT, 0); - printf("%s\n", buf); - - if (++n == 10) - return NFCT_CB_STOP; - - return NFCT_CB_CONTINUE; -} - -int main() -{ - int ret; - u_int8_t family = AF_INET; - struct nfct_handle *h; - struct nf_conntrack *master, *expected, *mask; - struct nf_expect *exp; - char buf[1024]; - - printf("Test for NEW expectation libnetfilter_conntrack API\n"); - printf("===================================================\n"); - - master = nfct_new(); - if (!master) { - perror("nfct_new"); - exit(EXIT_FAILURE); - } - - nfct_set_attr_u8(master, ATTR_ORIG_L3PROTO, AF_INET); - nfct_set_attr_u32(master, ATTR_ORIG_IPV4_SRC, inet_addr("1.1.1.1")); - nfct_set_attr_u32(master, ATTR_ORIG_IPV4_DST, inet_addr("2.2.2.2")); - - nfct_set_attr_u8(master, ATTR_ORIG_L4PROTO, IPPROTO_TCP); - nfct_set_attr_u16(master, ATTR_ORIG_PORT_SRC, htons(1025)); - nfct_set_attr_u16(master, ATTR_ORIG_PORT_DST, htons(21)); - - nfct_set_attr_u8(master, ATTR_REPL_L3PROTO, AF_INET); - nfct_set_attr_u32(master, ATTR_REPL_IPV4_SRC, inet_addr("2.2.2.2")); - nfct_set_attr_u32(master, ATTR_REPL_IPV4_DST, inet_addr("1.1.1.1")); - - nfct_set_attr_u8(master, ATTR_REPL_L4PROTO, IPPROTO_TCP); - nfct_set_attr_u16(master, ATTR_REPL_PORT_SRC, htons(21)); - nfct_set_attr_u16(master, ATTR_REPL_PORT_DST, htons(1025)); - - nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN); - nfct_set_attr_u32(master, 
ATTR_TIMEOUT, 200); - - h = nfct_open(CONNTRACK, 0); - if (!h) { - perror("nfct_open"); - return -1; - } - - ret = nfct_query(h, NFCT_Q_CREATE, master); - - printf("TEST 1: create conntrack (%d)(%s)\n", ret, strerror(errno)); - - nfct_close(h); - - expected = nfct_new(); - if (!expected) { - perror("nfct_new"); - exit(EXIT_FAILURE); - } - - nfct_set_attr_u8(expected, ATTR_ORIG_L3PROTO, AF_INET); - nfct_set_attr_u32(expected, ATTR_ORIG_IPV4_SRC, inet_addr("4.4.4.4")); - nfct_set_attr_u32(expected, ATTR_ORIG_IPV4_DST, inet_addr("5.5.5.5")); - - nfct_set_attr_u8(expected, ATTR_ORIG_L4PROTO, IPPROTO_TCP); - nfct_set_attr_u16(expected, ATTR_ORIG_PORT_SRC, htons(10240)); - nfct_set_attr_u16(expected, ATTR_ORIG_PORT_DST, htons(10241)); - - mask = nfct_new(); - if (!mask) { - perror("nfct_new"); - exit(EXIT_FAILURE); - } - - nfct_set_attr_u8(mask, ATTR_ORIG_L3PROTO, AF_INET); - nfct_set_attr_u32(mask, ATTR_ORIG_IPV4_SRC, 0xffffffff); - nfct_set_attr_u32(mask, ATTR_ORIG_IPV4_DST, 0xffffffff); - - nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP); - nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, 0xffff); - nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, 0xffff); - - exp = nfexp_new(); - if (!exp) { - perror("nfexp_new"); - exit(EXIT_FAILURE); - } - - nfexp_set_attr(exp, ATTR_EXP_MASTER, master); - nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected); - nfexp_set_attr(exp, ATTR_EXP_MASK, mask); - nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200); - - h = nfct_open(EXPECT, 0); - if (!h) { - perror("nfct_open"); - return -1; - } - - ret = nfexp_query(h, NFCT_Q_CREATE, exp); - - printf("TEST 2: create expectation (%d)(%s)\n", ret, strerror(errno)); - - nfexp_callback_register(h, NFCT_T_ALL, cb, NULL); - ret = nfexp_query(h, NFCT_Q_GET, exp); - - printf("TEST 3: get expectation (%d)(%s)\n", ret, strerror(errno)); - - ret = nfexp_query(h, NFCT_Q_DESTROY, exp); - - printf("TEST 4: destroy expectation (%d)(%s)\n", ret, strerror(errno)); - - nfct_close(h); - - h = nfct_open(EXPECT, 
NF_NETLINK_CONNTRACK_EXP_NEW); - if (!h) { - perror("nfct_open"); - return -1; - } - - nfexp_callback_register(h, NFCT_T_ALL, event_cb, NULL); - - printf("TEST 5: waiting for 10 events...\n"); - - ret = nfexp_catch(h); - - printf("TEST 5: OK (%d)(%s)\n", ret, strerror(errno)); - - nfct_close(h); -} diff --git a/utils/expect_create.c b/utils/expect_create.c new file mode 100644 index 0000000..9663958 --- /dev/null +++ b/utils/expect_create.c 
@@ -0,0 +1,117 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
+
+int main()
+{
+ int ret;
+ struct nfct_handle *h;
+ struct nf_conntrack *master, *expected, *mask;
+ struct nf_expect *exp;
+
+ /*
+ * Step 1: Setup master conntrack
+ */
+
+ master = nfct_new();
+ if (!master) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(master, ATTR_ORIG_L3PROTO, AF_INET);
+ nfct_set_attr_u32(master, ATTR_ORIG_IPV4_SRC, inet_addr("1.1.1.1"));
+ nfct_set_attr_u32(master, ATTR_ORIG_IPV4_DST, inet_addr("2.2.2.2"));
+
+ nfct_set_attr_u8(master, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(master, ATTR_ORIG_PORT_SRC, htons(1025));
+ nfct_set_attr_u16(master, ATTR_ORIG_PORT_DST, htons(21));
+
+ nfct_set_attr_u8(master, ATTR_REPL_L3PROTO, AF_INET);
+ nfct_set_attr_u32(master, ATTR_REPL_IPV4_SRC, inet_addr("2.2.2.2"));
+ nfct_set_attr_u32(master, ATTR_REPL_IPV4_DST, inet_addr("1.1.1.1"));
+
+ nfct_set_attr_u8(master, ATTR_REPL_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(master, ATTR_REPL_PORT_SRC, htons(21));
+ nfct_set_attr_u16(master, ATTR_REPL_PORT_DST, htons(1025));
+
+ nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN);
+ nfct_set_attr_u32(master, ATTR_TIMEOUT, 200);
+
+ h = nfct_open(CONNTRACK, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ ret = nfct_query(h, NFCT_Q_CREATE, master);
+
+ printf("TEST: add master conntrack (%d)(%s)\n", ret, strerror(errno));
+
+ nfct_close(h);
+
+ expected = nfct_new();
+ if (!expected) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("4.4.4.4"));
+ nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("5.5.5.5"));
+
+ nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(expected, ATTR_PORT_SRC, htons(10240));
+ nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241));
+
+ mask = nfct_new();
+ if (!mask) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff);
+ nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff);
+
+ nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0xffff);
+ nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff);
+
+ /*
+ * Step 2: Setup expectation
+ */
+
+ exp = nfexp_new();
+ if (!exp) {
+ perror("nfexp_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfexp_set_attr(exp, ATTR_EXP_MASTER, master);
+ nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
+ nfexp_set_attr(exp, ATTR_EXP_MASK, mask);
+ nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200);
+
+ nfct_destroy(master);
+ nfct_destroy(expected);
+ nfct_destroy(mask);
+
+ h = nfct_open(EXPECT, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ ret = nfexp_query(h, NFCT_Q_CREATE, exp);
+
+ printf("TEST: create expectation (%d)(%s)\n", ret, strerror(errno));
+
+ if (ret == -1)
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
diff --git a/utils/expect_delete.c b/utils/expect_delete.c
new file mode 100644
index 0000000..e6255da
--- /dev/null
+++ b/utils/expect_delete.c
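Review bot: utils/expect_create.c calls `strerror()`, `inet_addr()` and `htons()`, but the includes at the top of the new file are only <stdio.h>, <stdlib.h>, <errno.h> and the two library headers, so unless those headers pull the prototypes in, the calls are implicitly declared. For `strerror()` that is more than a warning: an implicit `int` return truncates the pointer on LP64 targets before `printf("%s")` dereferences it. Add `#include <string.h>` and `#include <arpa/inet.h>` here. expect_delete.c and expect_get.c need both as well, and expect_dump.c, expect_events.c and expect_flush.c need `<string.h>`.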
@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+int main()
+{
+ int ret;
+ struct nfct_handle *h;
+ struct nf_conntrack *expected;
+ struct nf_expect *exp;
+
+ expected = nfct_new();
+ if (!expected) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("4.4.4.4"));
+ nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("5.5.5.5"));
+
+ nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(expected, ATTR_PORT_SRC, htons(10240));
+ nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241));
+
+ exp = nfexp_new();
+ if (!exp) {
+ perror("nfexp_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
+
+ h = nfct_open(EXPECT, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ ret = nfexp_query(h, NFCT_Q_DESTROY, exp);
+
+ printf("TEST: delete expectation (%d)(%s)\n", ret, strerror(errno));
+
+ if (ret == -1)
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
diff --git a/utils/expect_dump.c b/utils/expect_dump.c
new file mode 100644
index 0000000..d636d18
--- /dev/null
+++ b/utils/expect_dump.c
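Review bot: In utils/expect_delete.c `expected` is never released after `nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected)`, whereas expect_create.c destroys its conntrack objects right after the same call, which suggests the attribute is copied. Add `nfct_destroy(expected);` after the nfexp_set_attr() call, and release `exp` and `h` with `nfexp_destroy(exp);` and `nfct_close(h);` before the exit checks. expect_get.c has the same gap with `master`, and the `return -1` taken when nfct_open() fails skips the cleanup in both files. These files are examples that get copied, so showing the full object lifecycle matters more than the leak itself.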
@@ -0,0 +1,40 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int cb(enum nf_conntrack_msg_type type,
+ struct nf_expect *exp,
+ void *data)
+{
+ char buf[1024];
+
+ nfexp_snprintf(buf, 1024, exp, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+ printf("%s\n", buf);
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main()
+{
+ int ret;
+ u_int8_t family = AF_INET;
+ struct nfct_handle *h;
+
+ h = nfct_open(EXPECT, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ nfexp_callback_register(h, NFCT_T_ALL, cb, NULL);
+ ret = nfexp_query(h, NFCT_Q_DUMP, &family);
+
+ printf("TEST: get expectation (%d)(%s)\n", ret, strerror(errno));
+
+ if (ret == -1)
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
diff --git a/utils/expect_events.c b/utils/expect_events.c
new file mode 100644
index 0000000..956ca42
--- /dev/null
+++ b/utils/expect_events.c
@@ -0,0 +1,48 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int event_cb(enum nf_conntrack_msg_type type,
+ struct nf_expect *exp,
+ void *data)
+{
+ static int n = 0;
+ char buf[1024];
+
+ nfexp_snprintf(buf, 1024, exp, type, NFCT_O_DEFAULT, 0);
+ printf("%s\n", buf);
+
+ if (++n == 10)
+ return NFCT_CB_STOP;
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main()
+{
+ int ret;
+ struct nfct_handle *h;
+
+ h = nfct_open(EXPECT, NF_NETLINK_CONNTRACK_EXP_NEW);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ nfexp_callback_register(h, NFCT_T_ALL, event_cb, NULL);
+
+ printf("TEST: waiting for 10 expectation events...\n");
+
+ ret = nfexp_catch(h);
+
+ printf("TEST: OK (%d)(%s)\n", ret, strerror(errno));
+
+ nfct_close(h);
+
+ if (ret == -1)
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
diff --git a/utils/expect_flush.c b/utils/expect_flush.c
new file mode 100644
index 0000000..22ae3d3
--- /dev/null
+++ b/utils/expect_flush.c
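Review bot: The result line in utils/expect_dump.c still reads `TEST: get expectation` although the query is `NFCT_Q_DUMP`, so its output cannot be told apart from expect_get's; `printf("TEST: dump expectations (%d)(%s)\n", ret, strerror(errno));` would fix that. In `cb()` the buffer length is repeated as the literal 1024; `nfexp_snprintf(buf, sizeof(buf), ...)` keeps the bound tied to the array if its size is ever changed. The handle `h` is also never closed before the program exits.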
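Review bot: utils/expect_events.c prints `TEST: OK (%d)(%s)` before `ret` is checked, so a failed nfexp_catch() is still reported with the label "OK", and on success `strerror(errno)` shows whatever stale errno value happens to be set. Derive the message from the outcome instead, e.g. `printf("TEST: catch events (%d)(%s)\n", ret, ret == -1 ? strerror(errno) : "OK");`. A short comment on `static int n` in event_cb(), saying that the callback returns NFCT_CB_STOP after the tenth event, would also help readers.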
@@ -0,0 +1,27 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+int main()
+{
+ int ret;
+ u_int8_t family = AF_INET;
+ struct nfct_handle *h;
+
+ h = nfct_open(EXPECT, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ ret = nfexp_query(h, NFCT_Q_FLUSH, &family);
+
+ printf("TEST: flush expectation (%d)(%s)\n", ret, strerror(errno));
+
+ if (ret == -1)
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
diff --git a/utils/expect_get.c b/utils/expect_get.c
new file mode 100644
index 0000000..b9518bc
--- /dev/null
+++ b/utils/expect_get.c
@@ -0,0 +1,63 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+static int cb(enum nf_conntrack_msg_type type,
+ struct nf_expect *exp,
+ void *data)
+{
+ char buf[1024];
+
+ nfexp_snprintf(buf, 1024, exp, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+ printf("%s\n", buf);
+
+ return NFCT_CB_CONTINUE;
+}
+
+int main()
+{
+ int ret;
+ struct nfct_handle *h;
+ struct nf_conntrack *master;
+ struct nf_expect *exp;
+
+ master = nfct_new();
+ if (!master) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("4.4.4.4"));
+ nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("5.5.5.5"));
+
+ nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(10240));
+ nfct_set_attr_u16(master, ATTR_PORT_DST, htons(10241));
+
+ exp = nfexp_new();
+ if (!exp) {
+ perror("nfexp_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfexp_set_attr(exp, ATTR_EXP_MASTER, master);
+
+ h = nfct_open(EXPECT, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ nfexp_callback_register(h, NFCT_T_ALL, cb, NULL);
+ ret = nfexp_query(h, NFCT_Q_GET, exp);
+
+ printf("TEST: get expectation (%d)(%s)\n", ret, strerror(errno));
+
+ if (ret == -1)
+ exit(EXIT_FAILURE);
+
+ exit(EXIT_SUCCESS);
+}
|
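Review bot: utils/expect_get.c fills a variable named `master` with the 4.4.4.4 -> 5.5.5.5 tuple that expect_create.c registers as the expected tuple, and attaches it with `ATTR_EXP_MASTER`, while expect_delete.c identifies the same expectation through `ATTR_EXP_EXPECTED`. It is not visible from this hunk whether the GET lookup is meant to key on the master attribute. If it is, a comment above the nfexp_set_attr() call should say so; if it is not, the call should read `nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);` with the variable renamed to match.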