-rw-r--r--src/conntrack/api.c12
-rw-r--r--src/conntrack/compare.c42
-rw-r--r--src/conntrack/setter.c15
-rw-r--r--src/conntrack/snprintf_default.c23
-rw-r--r--src/conntrack/snprintf_xml.c6
5 files changed, 79 insertions, 19 deletions
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index bd6a154..7d82d4d 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -697,10 +697,18 @@ int nfct_compare(const struct nf_conntrack *ct1,
*
* - NFCT_CMP_ALL: full comparison of both objects
* - NFCT_CMP_ORIG: it only compares the source and destination address;
- * source and destination ports; and the layer 3 and 4 protocol numbers
- * of the original direction.
+ * source and destination ports; the layer 3 and 4 protocol numbers
+ * of the original direction; and the id (if present).
* - NFCT_CMP_REPL: like NFCT_CMP_REPL but it compares the flow
* information that goes in the reply direction.
+ * - NFCT_CMP_TIMEOUT_EQ: timeout(ct1) == timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_GT: timeout(ct1) > timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_LT: timeout(ct1) < timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_GE: timeout(ct1) >= timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_LE: timeout(ct1) <= timeout(ct2)
+ *
+ * The default status bits comparison consists of the following operation:
+ * status(ct1) & status(ct2) == status(ct1).
*
* If both conntrack object are equal, this function returns 1, otherwise
* 0 is returned.
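Review bot: The new NFCT_CMP_ORIG wording at L24–L25 promises that the id is compared, but the id check this commit adds lives in cmp_meta in compare.c, and the only visible caller that passes flags into cmp_meta is the NFCT_CMP_ALL path of __compare; whether the NFCT_CMP_ORIG path ever reaches the id check depends on code past that hunk, so either this sentence or the placement of the check should be reconciled. The status formula at L35 reads with C precedence as `status(ct1) & (status(ct2) == status(ct1))`; write it as `(status(ct1) & status(ct2)) == status(ct1)` so the intended subset test is unambiguous. Calling it "the default" comparison suggests a flag can select another, yet compare.c shows no status flag, so "default" can be dropped unless one exists. Unrelated to this change, the NFCT_CMP_REPL entry at L26 still says "like NFCT_CMP_REPL" where "like NFCT_CMP_ORIG" is evidently meant.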
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
index 0280638..06afbe6 100644
--- a/src/conntrack/compare.c
+++ b/src/conntrack/compare.c
@@ -100,21 +100,47 @@ static int cmp_repl(const struct nf_conntrack *ct1,
}
static int cmp_meta(const struct nf_conntrack *ct1,
- const struct nf_conntrack *ct2)
+ const struct nf_conntrack *ct2,
+ unsigned int flags)
{
+ if (test_bit(ATTR_ID, ct1->set) &&
+ test_bit(ATTR_ID, ct2->set) &&
+ ct1->id != ct2->id)
+ return 0;
+
if (test_bit(ATTR_MARK, ct1->set) &&
test_bit(ATTR_MARK, ct2->set) &&
ct1->mark != ct2->mark)
return 0;
if (test_bit(ATTR_TIMEOUT, ct1->set) &&
- test_bit(ATTR_TIMEOUT, ct2->set) &&
- ct1->timeout != ct2->timeout)
- return 0;
+ test_bit(ATTR_TIMEOUT, ct2->set)) {
+ int ret = 0;
+
+#define __NFCT_CMP_TIMEOUT (NFCT_CMP_TIMEOUT_LE | NFCT_CMP_TIMEOUT_GT)
+
+ if (!(flags & __NFCT_CMP_TIMEOUT) &&
+ ct1->timeout != ct2->timeout)
+ return 0;
+ else {
+ if (flags & NFCT_CMP_TIMEOUT_GT &&
+ ct1->timeout > ct2->timeout)
+ ret = 1;
+ else if (flags & NFCT_CMP_TIMEOUT_LT &&
+ ct1->timeout < ct2->timeout)
+ ret = 1;
+ else if (flags & NFCT_CMP_TIMEOUT_EQ &&
+ ct1->timeout == ct2->timeout)
+ ret = 1;
+
+ if (ret == 0)
+ return 0;
+ }
+ }
if (test_bit(ATTR_STATUS, ct1->set) &&
test_bit(ATTR_STATUS, ct2->set) &&
- ct1->status == ct2->status)
+ !((ct1->status & ct2->status) == ct1->status))
return 0;
if (test_bit(ATTR_TCP_STATE, ct1->set) &&
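Review bot: The timeout branch at L68–L84 reports equal timeouts as a mismatch whenever `flags` carries none of the timeout bits: the first condition is false because the timeouts are equal, control falls into the `else` block, none of the GT/LT/EQ branches match, `ret` stays 0 and the function returns 0. Since __compare now passes `flags` straight through on its NFCT_CMP_ALL path, a full comparison of two identical objects that both have a timeout set would fail unless NFCT_CMP_ALL itself includes the timeout bits, which is not visible here. Decide the flag-less case on its own and keep the flag branches in the else: `if (!(flags & __NFCT_CMP_TIMEOUT)) {` / `    if (ct1->timeout != ct2->timeout) return 0;` / `} else {`. The `#define __NFCT_CMP_TIMEOUT` placed inside the function body is never `#undef`'d, so it leaks into the rest of the translation unit; hoisting it to file scope makes that explicit. cmp_meta's body continues past the hunk.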
@@ -130,9 +156,9 @@ int __compare(const struct nf_conntrack *ct1,
unsigned int flags)
{
if (flags == NFCT_CMP_ALL)
- return cmp_orig(ct1, ct2) &&
- cmp_repl(ct1, ct2) &&
- cmp_meta(ct1, ct2);
+ return cmp_meta(ct1, ct2, flags) &&
+ cmp_orig(ct1, ct2) &&
+ cmp_repl(ct1, ct2);
if (flags & NFCT_CMP_ORIG && !cmp_orig(ct1, ct2))
return 0;
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 62be3e6..52a2aab 100644
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
@@ -1,5 +1,5 @@
/*
- * (C) 2006 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* This software may be used and distributed according to the terms
* of the GNU General Public License, incorporated herein by reference.
@@ -210,6 +210,11 @@ static void set_attr_status(struct nf_conntrack *ct, const void *value)
ct->status = *((u_int32_t *) value);
}
+static void set_attr_id(struct nf_conntrack *ct, const void *value)
+{
+ ct->id = *((u_int32_t *) value);
+}
+
static void set_attr_master_ipv4_src(struct nf_conntrack *ct, const void *value)
{
ct->tuple[__DIR_MASTER].src.v4 = *((u_int32_t *) value);
@@ -280,6 +285,8 @@ static void set_attr_repl_off_aft(struct nf_conntrack *ct, const void *value)
ct->tuple[__DIR_REPL].natseq.offset_after = *((u_int32_t *) value);
}
+static void set_attr_do_nothing(struct nf_conntrack *ct, const void *value) {}
+
set_attr set_attr_array[] = {
[ATTR_ORIG_IPV4_SRC] = set_attr_orig_ipv4_src,
[ATTR_ORIG_IPV4_DST] = set_attr_orig_ipv4_dst,
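Review bot: `set_attr_do_nothing` at L129 gives no hint why setting an attribute should be silently accepted, and the entries that route to it at L138–L142 (the counters and use) are the only clue; add a comment above the definition such as `/* attributes maintained by the kernel: setting them is accepted but has no effect */`, assuming that is the intent, which the hunk does not state. If the dispatcher calls through `set_attr_array` without checking for a NULL entry, these entries also close a gap where an unlisted ATTR_ value would be an indirect call through NULL; if so, the comment should say that every new attribute must get an entry here. The unused `ct` and `value` parameters will warn under -Wunused-parameter; `(void)ct; (void)value;` in the body keeps the build quiet. The array definition continues past the hunk.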
@@ -307,6 +314,12 @@ set_attr set_attr_array[] = {
[ATTR_DNAT_PORT] = set_attr_dnat_port,
[ATTR_TIMEOUT] = set_attr_timeout,
[ATTR_MARK] = set_attr_mark,
+ [ATTR_ORIG_COUNTER_PACKETS] = set_attr_do_nothing,
+ [ATTR_REPL_COUNTER_PACKETS] = set_attr_do_nothing,
+ [ATTR_ORIG_COUNTER_BYTES] = set_attr_do_nothing,
+ [ATTR_REPL_COUNTER_BYTES] = set_attr_do_nothing,
+ [ATTR_USE] = set_attr_do_nothing,
+ [ATTR_ID] = set_attr_id,
[ATTR_STATUS] = set_attr_status,
[ATTR_TCP_FLAGS_ORIG] = set_attr_tcp_flags_orig,
[ATTR_TCP_FLAGS_REPL] = set_attr_tcp_flags_repl,
diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 5811290..e2573df 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -1,5 +1,5 @@
/*
- * (C) 2006 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* This software may be used and distributed according to the terms
* of the GNU General Public License, incorporated herein by reference.
@@ -194,26 +194,28 @@ int __snprintf_counters(char *buf,
(unsigned long long) ct->counters[dir].bytes));
}
-int __snprintf_mark(char *buf, unsigned int len, const struct nf_conntrack *ct)
+static int
+__snprintf_mark(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
return (snprintf(buf, len, "mark=%u ", ct->mark));
}
-int __snprintf_secmark(char *buf,
- unsigned int len,
- const struct nf_conntrack *ct)
+static int
+__snprintf_secmark(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
return (snprintf(buf, len, "secmark=%u ", ct->secmark));
}
-int __snprintf_use(char *buf, unsigned int len, const struct nf_conntrack *ct)
+static int
+__snprintf_use(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
return (snprintf(buf, len, "use=%u ", ct->use));
}
-int __snprintf_id(char *buf, unsigned int len, u_int32_t id)
+static int
+__snprintf_id(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
- return (snprintf(buf, len, "id=%u ", id));
+ return (snprintf(buf, len, "id=%u ", ct->id));
}
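Review bot: `__snprintf_id` at L182–L183 changes its third parameter from a bare `u_int32_t id` to `const struct nf_conntrack *ct` while also becoming `static`; if a header still declares the old extern prototype, this translation unit fails on the conflicting declaration and any other caller of the old signature breaks at link time, so the declarations should be removed from the header in the same commit. The same applies to `__snprintf_mark`, `__snprintf_secmark` and `__snprintf_use`, which lose external linkage here. The `"id=%u "` format assumes `u_int32_t` is `unsigned int`; `PRIu32` from <inttypes.h> matches the type on every platform, though the existing `mark=%u` line makes the same assumption. The hunk opens inside `__snprintf_counters`, whose body starts outside it.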
int __snprintf_conntrack_default(char *buf,
@@ -307,6 +309,11 @@ int __snprintf_conntrack_default(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
+ if (flags & NFCT_OF_ID && test_bit(ATTR_ID, ct->set)) {
+ ret = __snprintf_id(buf+offset, len, ct);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
/* Delete the last blank space */
size--;
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index 8b6d0cf..bb9bdef 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
@@ -46,6 +46,7 @@
* <timeout>100</timeout>
* <mark>1</mark>
* <secmark>0</secmark>
+ * <id>453281439</id>
* <use>1</use>
* <assured/>
* </meta>
@@ -322,6 +323,11 @@ int __snprintf_conntrack_xml(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
+ if (test_bit(ATTR_ID, ct->set)) {
+ ret = snprintf(buf+offset, len, "<id>%u</id>", ct->id);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
if (test_bit(ATTR_STATUS, ct->set)
&& ct->status & IPS_ASSURED) {
ret = snprintf(buf+offset, len, "<assured/>");