From 25b2d74cebc9680dde4028f2f50aec396b29559e Mon Sep 17 00:00:00 2001
From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org"
Date: Sat, 3 Dec 2005 22:50:27 +0000
Subject: o Fixed bugs in UDP and SCTP protocol handlers (parse_proto) o Added the comparison infrastructure for layer-4 protocols o Added libnetfilter_conntrack_[tcp|udp|icmp|sctp].h that contains the protocol flags used by the comparison infrastructure o Added nfct_conntrack_compare to compare two conntracks based on flags o Killed nfct_event_netlink_handler o nfct_event_[conntrack|expect] requires ROOT privileges (reason: netlink multicast) o Bumped version to 0.29
---
 include/libnetfilter_conntrack/Makefile.am | 2 +-
 .../libnetfilter_conntrack.h | 23 ++++++++++++---
 .../libnetfilter_conntrack_extensions.h | 2 ++
 .../libnetfilter_conntrack_icmp.h | 22 ++++++++++++++
 .../libnetfilter_conntrack_sctp.h | 34 ++++++++++++++++++++++
 .../libnetfilter_conntrack_tcp.h | 34 ++++++++++++++++++++++
 .../libnetfilter_conntrack_udp.h | 34 ++++++++++++++++++++++
 7 files changed, 146 insertions(+), 5 deletions(-)
 create mode 100644 include/libnetfilter_conntrack/libnetfilter_conntrack_icmp.h
 create mode 100644 include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h
 create mode 100644 include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h
 create mode 100644 include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h
(limited to 'include')
diff --git a/include/libnetfilter_conntrack/Makefile.am b/include/libnetfilter_conntrack/Makefile.am
index da43eec..d6e11c5 100644
--- a/include/libnetfilter_conntrack/Makefile.am
+++ b/include/libnetfilter_conntrack/Makefile.am
@@ -1,4 +1,4 @@
-pkginclude_HEADERS = libnetfilter_conntrack.h linux_nfnetlink_conntrack.h
+pkginclude_HEADERS = libnetfilter_conntrack.h linux_nfnetlink_conntrack.h libnetfilter_conntrack_tcp.h libnetfilter_conntrack_udp.h libnetfilter_conntrack_icmp.h libnetfilter_conntrack_sctp.h
 noinst_HEADERS = libnetfilter_conntrack_extensions.h
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack.h b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
index 9fbb969..a93e246 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack.h
@@ -108,6 +108,11 @@ struct nfct_expect {
 	u_int32_t id;
 };
+struct nfct_conntrack_compare {
+	struct nfct_conntrack *ct;
+	unsigned int flag;
+	unsigned int protoflag;
+};
 enum {
 	NFCT_STATUS_BIT = 0,
@@ -234,10 +239,12 @@ extern void nfct_unregister_callback(struct nfct_handle *cth);
 /*
  * callback displayers
  */
-extern int nfct_default_conntrack_display(void *arg, unsigned int, int, void *);
-extern int nfct_default_conntrack_display_id(void *arg, unsigned int, int, void *);
-extern int nfct_default_expect_display(void *arg, unsigned int, int, void *);
-extern int nfct_default_expect_display_id(void *arg, unsigned int, int, void *);
+extern int nfct_default_conntrack_display(void *, unsigned int, int, void *);
+extern int nfct_default_conntrack_display_id(void *, unsigned int, int, void *);
+extern int nfct_default_expect_display(void *, unsigned int, int, void *);
+extern int nfct_default_expect_display_id(void *, unsigned int, int, void *);
+extern int nfct_default_conntrack_event_display(void *, unsigned int, int,
+						void *);
 /*
  * [Create|update|get|destroy] conntracks
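Review bot: `struct nfct_conntrack_compare` is added to the public header with no comment on what its three members mean or who owns the object behind `ct`, and its member names (`flag`, `protoflag`) differ from the `cmp_flag`/`cmp_protoflag` parameters of `nfct_conntrack_compare` declared later in the same file, so a reader cannot tell whether this struct is the argument bundle for that function or a separate context passed to a callback. I would add a short comment above the struct, along the lines of `/* Comparison request: ct is the reference conntrack, flag selects the NFCT_* fields and protoflag the per-protocol TCP_*/UDP_*/ICMP_*/SCTP_* fields to compare */`, adjusted to the actual ownership rule for `ct` (borrowed or freed by the library), which this header hunk does not show.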
@@ -282,6 +289,14 @@ extern int nfct_sprintf_mark(char *buf, struct nfct_conntrack *ct);
 extern int nfct_sprintf_use(char *buf, struct nfct_conntrack *ct);
 extern int nfct_sprintf_id(char *buf, u_int32_t id);
+/*
+ * Conntrack comparison
+ */
+extern int nfct_conntrack_compare(struct nfct_conntrack *ct1,
+				  struct nfct_conntrack *ct2,
+				  unsigned int cmp_flag,
+				  unsigned int cmp_protoflag);
+
 /*
  * Expectations
  */
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
index 25430d7..db7828d 100644
--- a/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_extensions.h
@@ -29,6 +29,8 @@ struct nfct_proto {
 	void (*build_protoinfo)(struct nfnlhdr *, int, struct nfct_conntrack *);
 	int (*print_protoinfo)(char *, union nfct_protoinfo *);
 	int (*print_proto)(char *, struct nfct_tuple *);
+	int (*compare)(struct nfct_conntrack *, struct nfct_conntrack *,
+		       unsigned int);
 };
 extern void nfct_register_proto(struct nfct_proto *h);
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_icmp.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_icmp.h
new file mode 100644
index 0000000..837621b
--- /dev/null
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_icmp.h
@@ -0,0 +1,22 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#ifndef _LIBNETFILTER_CONNTRACK_ICMP_H_
+#define _LIBNETFILTER_CONNTRACK_ICMP_H_
+
+enum icmp_flags {
+	ICMP_TYPE_BIT = 0,
+	ICMP_TYPE = (1 << ICMP_TYPE_BIT),
+
+	ICMP_CODE_BIT = 1,
+	ICMP_CODE = (1 << ICMP_CODE_BIT),
+
+	ICMP_ID_BIT = 2,
+	ICMP_ID = (1 << ICMP_ID_BIT)
+};
+
+#endif
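Review bot: `nfct_conntrack_compare` takes both conntracks as non-const `struct nfct_conntrack *` although a comparison has no reason to modify either side; declaring them `const struct nfct_conntrack *ct1, const struct nfct_conntrack *ct2` lets callers pass read-only objects and puts the no-mutation contract in the type rather than in folklore, and the `compare` member added to `struct nfct_proto` in the libnetfilter_conntrack_extensions.h hunk of this commit has the same shape and would take the same change. The new `Conntrack comparison` comment also does not say what the return value means, whether 1 for a match, 0 for a mismatch, or a negative value for a flag the protocol handler does not support, so every caller will guess. I would extend the comment to state the convention, e.g. `/* Returns 1 when the fields selected by cmp_flag/cmp_protoflag are equal in ct1 and ct2, 0 otherwise */`, with the error case spelled out if the implementation has one, which this header hunk does not show.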
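Review bot: The include guard `_LIBNETFILTER_CONNTRACK_ICMP_H_` begins with an underscore followed by an uppercase letter, a form C reserves for the implementation (C99 7.1.3), so it can in principle collide with a macro from a system header; a guard such as `LIBNETFILTER_CONNTRACK_ICMP_H` stays out of the reserved namespace. The same guard form is used in the new libnetfilter_conntrack_sctp.h, libnetfilter_conntrack_tcp.h and libnetfilter_conntrack_udp.h headers in this commit. Nothing in the header says what `ICMP_TYPE`, `ICMP_CODE` and `ICMP_ID` select; per the commit message they are the protocol flags consumed by the comparison infrastructure, so a one-line comment above the enum, e.g. `/* Field-selection bits for the cmp_protoflag argument of nfct_conntrack_compare() */`, would make the exported names self-explanatory.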
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h
new file mode 100644
index 0000000..366bc9c
--- /dev/null
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_sctp.h
@@ -0,0 +1,34 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#ifndef _LIBNETFILTER_CONNTRACK_SCTP_H_
+#define _LIBNETFILTER_CONNTRACK_SCTP_H_
+
+enum sctp_flags {
+	SCTP_ORIG_SPORT_BIT = 0,
+	SCTP_ORIG_SPORT = (1 << SCTP_ORIG_SPORT_BIT),
+
+	SCTP_ORIG_DPORT_BIT = 1,
+	SCTP_ORIG_DPORT = (1 << SCTP_ORIG_DPORT_BIT),
+
+	SCTP_REPL_SPORT_BIT = 2,
+	SCTP_REPL_SPORT = (1 << SCTP_REPL_SPORT_BIT),
+
+	SCTP_REPL_DPORT_BIT = 3,
+	SCTP_REPL_DPORT = (1 << SCTP_REPL_DPORT_BIT),
+
+	SCTP_MASK_SPORT_BIT = 4,
+	SCTP_MASK_SPORT = (1 << SCTP_MASK_SPORT_BIT),
+
+	SCTP_MASK_DPORT_BIT = 5,
+	SCTP_MASK_DPORT = (1 << SCTP_MASK_DPORT_BIT),
+
+	SCTP_STATE_BIT = 6,
+	SCTP_STATE = (1 << SCTP_STATE_BIT)
+};
+
+#endif
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h
new file mode 100644
index 0000000..7231417
--- /dev/null
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_tcp.h
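Review bot: `enum sctp_flags` assigns the same seven bit positions with the same meanings as `enum tcp_flags` and `enum udp_flags` in the other two new headers of this commit, but nothing records that the three layouts are meant to match, so a later reordering of one enum would make a `cmp_protoflag` value built from another protocol's constants select the wrong field without any compiler diagnostic. I would add a one-line comment above each of the three enums, e.g. `/* Bit layout shared with tcp_flags and udp_flags; keep the three in sync */`, or derive them from a single generic layer-4 enum if the library intends the values to be interchangeable, which this hunk does not establish.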
@@ -0,0 +1,34 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#ifndef _LIBNETFILTER_CONNTRACK_TCP_H_
+#define _LIBNETFILTER_CONNTRACK_TCP_H_
+
+enum tcp_flags {
+	TCP_ORIG_SPORT_BIT = 0,
+	TCP_ORIG_SPORT = (1 << TCP_ORIG_SPORT_BIT),
+
+	TCP_ORIG_DPORT_BIT = 1,
+	TCP_ORIG_DPORT = (1 << TCP_ORIG_DPORT_BIT),
+
+	TCP_REPL_SPORT_BIT = 2,
+	TCP_REPL_SPORT = (1 << TCP_REPL_SPORT_BIT),
+
+	TCP_REPL_DPORT_BIT = 3,
+	TCP_REPL_DPORT = (1 << TCP_REPL_DPORT_BIT),
+
+	TCP_MASK_SPORT_BIT = 4,
+	TCP_MASK_SPORT = (1 << TCP_MASK_SPORT_BIT),
+
+	TCP_MASK_DPORT_BIT = 5,
+	TCP_MASK_DPORT = (1 << TCP_MASK_DPORT_BIT),
+
+	TCP_STATE_BIT = 6,
+	TCP_STATE = (1 << TCP_STATE_BIT)
+};
+
+#endif
diff --git a/include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h b/include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h
new file mode 100644
index 0000000..895095e
--- /dev/null
+++ b/include/libnetfilter_conntrack/libnetfilter_conntrack_udp.h
@@ -0,0 +1,34 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso
+ *
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ */
+
+#ifndef _LIBNETFILTER_CONNTRACK_UDP_H_
+#define _LIBNETFILTER_CONNTRACK_UDP_H_
+
+enum udp_flags {
+	UDP_ORIG_SPORT_BIT = 0,
+	UDP_ORIG_SPORT = (1 << UDP_ORIG_SPORT_BIT),
+
+	UDP_ORIG_DPORT_BIT = 1,
+	UDP_ORIG_DPORT = (1 << UDP_ORIG_DPORT_BIT),
+
+	UDP_REPL_SPORT_BIT = 2,
+	UDP_REPL_SPORT = (1 << UDP_REPL_SPORT_BIT),
+
+	UDP_REPL_DPORT_BIT = 3,
+	UDP_REPL_DPORT = (1 << UDP_REPL_DPORT_BIT),
+
+	UDP_MASK_SPORT_BIT = 4,
+	UDP_MASK_SPORT = (1 << UDP_MASK_SPORT_BIT),
+
+	UDP_MASK_DPORT_BIT = 5,
+	UDP_MASK_DPORT = (1 << UDP_MASK_DPORT_BIT),
+
+	UDP_STATE_BIT = 6,
+	UDP_STATE = (1 << UDP_STATE_BIT)
+};
+
+#endif
-- 
cgit v1.2.3