From 20f919a8e90ccd232b97e7d150c11104491053ae Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 11 Sep 2012 17:01:19 +0200
Subject: expect: add example that creates an expectation with NAT
Signed-off-by: Pablo Neira Ayuso
---
 utils/Makefile.am | 4 ++
 utils/expect_create_nat.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 156 insertions(+)
 create mode 100644 utils/expect_create_nat.c
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 2fe5ea7..69bafe6 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -2,6 +2,7 @@ include $(top_srcdir)/Make_global.am
 check_PROGRAMS = expect_dump expect_create expect_get expect_delete \
 expect_flush expect_events expect_create_userspace \
+ expect_create_nat \
 conntrack_create conntrack_dump conntrack_update \
 conntrack_delete conntrack_flush conntrack_create_nat \
 conntrack_get conntrack_events \
@@ -49,6 +50,9 @@ conntrack_master_LDADD = ../src/libnetfilter_conntrack.la
 expect_dump_SOURCES = expect_dump.c
 expect_dump_LDADD = ../src/libnetfilter_conntrack.la
+expect_create_nat_SOURCES = expect_create_nat.c
+expect_create_nat_LDADD = ../src/libnetfilter_conntrack.la
+
 expect_create_SOURCES = expect_create.c
 expect_create_LDADD = ../src/libnetfilter_conntrack.la
diff --git a/utils/expect_create_nat.c b/utils/expect_create_nat.c
new file mode 100644
index 0000000..ea2daea
--- /dev/null
+++ b/utils/expect_create_nat.c
@@ -0,0 +1,152 @@
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+/*
+ * WARNING: This test file creates an expectation for the FTP helper.
+ * Therefore, make sure you have load nf_conntrack_ftp before executing it.
+ */
+
+int main(void)
+{
+ int ret;
+ struct nfct_handle *h;
+ struct nf_conntrack *master, *expected, *mask, *nat;
+ struct nf_expect *exp;
+
+ /*
+ * Step 1: Setup master conntrack
+ */
+
+ master = nfct_new();
+ if (!master) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
+ nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
+
+ nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(1025));
+ nfct_set_attr_u16(master, ATTR_PORT_DST, htons(21));
+
+ nfct_setobjopt(master, NFCT_SOPT_SETUP_REPLY);
+
+ nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_ESTABLISHED);
+ nfct_set_attr_u32(master, ATTR_TIMEOUT, 200);
+ nfct_set_attr(master, ATTR_HELPER_NAME, "ftp");
+
+ h = nfct_open(CONNTRACK, 0);
+ if (!h) {
+ perror("nfct_open");
+ nfct_destroy(master);
+ return -1;
+ }
+
+ ret = nfct_query(h, NFCT_Q_CREATE, master);
+
+ printf("TEST: add master conntrack ");
+ if (ret == -1)
+ printf("(%d)(%s)\n", ret, strerror(errno));
+ else
+ printf("(OK)\n");
+
+ nfct_close(h);
+
+ expected = nfct_new();
+ if (!expected) {
+ perror("nfct_new");
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
+ nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
+
+ nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0);
+ nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241));
+
+ mask = nfct_new();
+ if (!mask) {
+ perror("nfct_new");
+ nfct_destroy(master);
+ nfct_destroy(expected);
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff);
+ nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff);
+
+ nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000);
+ nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff);
+
+ nat = nfct_new();
+ if (!nat) {
+ perror("nfct_new");
+ nfct_destroy(mask);
+ nfct_destroy(master);
+ nfct_destroy(expected);
+ exit(EXIT_FAILURE);
+ }
+
+ nfct_set_attr_u8(nat, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(nat, ATTR_IPV4_SRC, inet_addr("3.3.3.3"));
+ nfct_set_attr_u32(nat, ATTR_IPV4_DST, 0);
+
+ nfct_set_attr_u8(nat, ATTR_L4PROTO, IPPROTO_TCP);
+ nfct_set_attr_u16(nat, ATTR_PORT_SRC, 12345);
+ nfct_set_attr_u16(nat, ATTR_PORT_DST, 0);
+
+ /*
+ * Step 2: Setup expectation
+ */
+
+ exp = nfexp_new();
+ if (!exp) {
+ perror("nfexp_new");
+ nfct_destroy(master);
+ nfct_destroy(expected);
+ nfct_destroy(mask);
+ exit(EXIT_FAILURE);
+ }
+
+ nfexp_set_attr(exp, ATTR_EXP_MASTER, master);
+ nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
+ nfexp_set_attr(exp, ATTR_EXP_MASK, mask);
+ nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat);
+ nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, 0);
+ nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200);
+
+ nfct_destroy(master);
+ nfct_destroy(expected);
+ nfct_destroy(mask);
+ nfct_destroy(nat);
+
+ h = nfct_open(EXPECT, 0);
+ if (!h) {
+ perror("nfct_open");
+ return -1;
+ }
+
+ ret = nfexp_query(h, NFCT_Q_CREATE, exp);
+
+ printf("TEST: create expectation ");
+ if (ret == -1)
+ printf("(%d)(%s)\n", ret, strerror(errno));
+ else
+ printf("(OK)\n");
+
+ nfct_close(h);
+
+ ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
+}
-- cgit v1.2.3
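Review bot: The NAT tuple's source port is written in host byte order, `nfct_set_attr_u16(nat, ATTR_PORT_SRC, 12345);`, while every other port attribute in this file (master, expected) goes through htons(); on a little-endian host the kernel will therefore see port 14649 rather than 12345 in the NAT tuple, so the line should read `nfct_set_attr_u16(nat, ATTR_PORT_SRC, htons(12345));`. The nfexp_new() failure path frees master, expected and mask but not nat, unlike the nfct_new() failure path for nat just above it, which frees everything allocated so far; adding `nfct_destroy(nat);` there keeps the error paths consistent. Likewise the nfct_open(EXPECT, 0) failure branch returns without `nfexp_destroy(exp);`, and exp is never destroyed before the final exit, which is harmless for a one-shot test program but worth a single nfexp_destroy(exp) after nfct_close(h) so the example does not teach a leak. The earlier expected = nfct_new() failure path has the same omission for master.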