summaryrefslogtreecommitdiffstats
path: root/src/libnetfilter_conntrack.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libnetfilter_conntrack.c')
-rw-r--r--src/libnetfilter_conntrack.c61
1 files changed, 51 insertions, 10 deletions
diff --git a/src/libnetfilter_conntrack.c b/src/libnetfilter_conntrack.c
index e207a7f..54dd82c 100644
--- a/src/libnetfilter_conntrack.c
+++ b/src/libnetfilter_conntrack.c
@@ -8,6 +8,7 @@
* (at your option) any later version.
*/
#include <stdio.h>
+#include <unistd.h>
#include <getopt.h>
#include <dlfcn.h>
#include <stdlib.h>
@@ -604,6 +605,10 @@ int nfct_default_conntrack_display(void *arg, unsigned int flags, int type,
{
char buf[512];
int size;
+ struct nfct_conntrack_compare *cmp = data;
+
+ if (cmp && !nfct_conntrack_compare(cmp->ct, arg, 0, cmp->protoflag))
+ return 0;
memset(buf, 0, sizeof(buf));
size = nfct_sprintf_conntrack(buf, arg, flags);
@@ -618,6 +623,10 @@ int nfct_default_conntrack_display_id(void *arg, unsigned int flags, int type,
{
char buf[512];
int size;
+ struct nfct_conntrack_compare *cmp = data;
+
+ if (cmp && !nfct_conntrack_compare(cmp->ct, arg, 0, cmp->protoflag))
+ return 0;
memset(buf, 0, sizeof(buf));
size = nfct_sprintf_conntrack_id(buf, arg, flags);
@@ -627,6 +636,13 @@ int nfct_default_conntrack_display_id(void *arg, unsigned int flags, int type,
return 0;
}
+int nfct_default_conntrack_event_display(void *arg, unsigned int flags,
+ int type, void *data)
+{
+ fprintf(stdout, "%9s ", msgtype[type]);
+ return nfct_default_conntrack_display_id(arg, flags, type, data);
+}
+
int nfct_sprintf_expect_proto(char *buf, struct nfct_expect *exp)
{
return(sprintf(buf, "%u proto=%d ", exp->timeout,
@@ -684,15 +700,6 @@ int nfct_default_expect_display_id(void *arg, unsigned int flags, int type,
return 0;
}
-static int nfct_event_netlink_handler(struct nfct_handle *cth,
- struct nlmsghdr *nlh,
- void *arg)
-{
- int type = NFNL_MSG_TYPE(nlh->nlmsg_type);
- fprintf(stdout, "%9s ", msgtype[typemsg2enum(type, nlh->nlmsg_flags)]);
- return nfct_conntrack_netlink_handler(cth, nlh, arg);
-}
-
static int nfct_expect_netlink_handler(struct nfct_handle *cth,
struct nlmsghdr *nlh, void *arg)
{
@@ -763,6 +770,28 @@ void nfct_conntrack_free(struct nfct_conntrack *ct)
free(ct);
}
+int nfct_conntrack_compare(struct nfct_conntrack *ct1,
+ struct nfct_conntrack *ct2,
+ unsigned int cmp_flag,
+ unsigned int cmp_protoflag)
+{
+ struct nfct_proto *proto;
+
+ if (ct1->tuple[NFCT_DIR_ORIGINAL].protonum !=
+ ct2->tuple[NFCT_DIR_ORIGINAL].protonum)
+ return 0;
+
+ /*
+ * TODO: implement tuple, status, mark... comparison.
+ */
+
+ proto = findproto(proto2str[ct1->tuple[NFCT_DIR_ORIGINAL].protonum]);
+ if (!proto)
+ return 0;
+
+ return proto->compare(ct1, ct2, cmp_protoflag);
+}
+
int nfct_create_conntrack(struct nfct_handle *cth, struct nfct_conntrack *ct)
{
struct nfnlhdr *req;
@@ -938,7 +967,13 @@ int nfct_dump_conntrack_table_reset_counters(struct nfct_handle *cth)
int nfct_event_conntrack(struct nfct_handle *cth)
{
- cth->handler = nfct_event_netlink_handler;
+ /*
+ * You need to be root to listen to conntrack events
+ */
+ if (getuid() != 0)
+ return -EPERM;
+
+ cth->handler = nfct_conntrack_netlink_handler;
return nfnl_listen(&cth->nfnlh, &callback_handler, cth);
}
@@ -1092,6 +1127,12 @@ int nfct_delete_expectation(struct nfct_handle *cth,struct nfct_tuple *tuple,
int nfct_event_expectation(struct nfct_handle *cth)
{
+ /*
+ * You need to be root to listen to conntrack events
+ */
+ if (getuid() != 0)
+ return -EPERM;
+
cth->handler = nfct_expect_netlink_handler;
return nfnl_listen(&cth->nfnlh, &callback_handler, cth);
}