[netfilter-cvslog] r6289 - in trunk/conntrack: . extensions src

pablo at netfilter.org pablo at netfilter.org
Sat Dec 3 23:34:07 CET 2005


Author: pablo at netfilter.org
Date: 2005-12-03 23:33:53 +0100 (Sat, 03 Dec 2005)
New Revision: 6289

Modified:
   trunk/conntrack/ChangeLog
   trunk/conntrack/configure.in
   trunk/conntrack/conntrack.8
   trunk/conntrack/extensions/libct_proto_icmp.c
   trunk/conntrack/extensions/libct_proto_sctp.c
   trunk/conntrack/extensions/libct_proto_tcp.c
   trunk/conntrack/extensions/libct_proto_udp.c
   trunk/conntrack/src/conntrack.c
Log:
o Add support to filter events. ie: -p tcp --orig-port-dst 80 in
  conjunction with -E to get all the requests to HTTP servers
o Update manpage
o Missing static function declaration in the protocol handlers
o Use protocol flags defined in libnetfilter_conntrack
o Kill leftover #include "conntrack.h" in the ICMP helper
o Bumped version to 0.991



Modified: trunk/conntrack/ChangeLog
===================================================================
--- trunk/conntrack/ChangeLog	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/ChangeLog	2005-12-03 22:33:53 UTC (rev 6289)
@@ -1,3 +1,13 @@
+2005-13-03
+<pablo at netfilter.org>
+	o Add support to filter events. ie: -p tcp --orig-port-dst 80 in
+	conjuction with -E to get all the requests to HTTP servers
+	o Update manpage
+	o Missing static function declaration in the protocol handlers
+	o Use protocol flags defined in libnetfilter_conntrack
+	o Kill leftover #include "conntrack.h" in the ICMP helper
+	o Bumped version to 0.991
+
 2005-11-22
 <marcus at ingate.com>
 	o Fix oversized number of options
@@ -10,6 +20,7 @@
 	o move plugins into pkglibdir
 	o remove 'lib' prefix of plugins, they're not really libraries
 	o remove version information from plugin filenames
+	o Bumped version to 0.99
 2005-11-09
 <pablo at netfilter.org>
 	o set status to zero, libnetfilter_conntrack now activate

Modified: trunk/conntrack/configure.in
===================================================================
--- trunk/conntrack/configure.in	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/configure.in	2005-12-03 22:33:53 UTC (rev 6289)
@@ -2,7 +2,7 @@
 
 AC_CANONICAL_SYSTEM
 
-AM_INIT_AUTOMAKE(conntrack, 0.99)
+AM_INIT_AUTOMAKE(conntrack, 0.991)
 #AM_CONFIG_HEADER(config.h)
 
 AC_PROG_CC

Modified: trunk/conntrack/conntrack.8
===================================================================
--- trunk/conntrack/conntrack.8	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/conntrack.8	2005-12-03 22:33:53 UTC (rev 6289)
@@ -74,18 +74,12 @@
 Atomically zero counters after reading them.  This option is only valid in
 combination with the "-L, --dump" command options.
 .TP
-.BI "-e, --event-mask " "[ALL|NEW|RELATED|DESTROY|REFRESH|STATUS|PROTOINFO|HELPER|HELPINFO|NATINFO][,...]"
+.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
 Set the bitmask of events that are to be generated by the in-kernel ctnetlink
 event code.  Using this parameter, you can reduce the event messages generated
 by the kernel to those types to those that you are actually interested in.
 .
-Please note that this is a system-wide setting, so make sure to not disable some events that other ctnetlink-using processes might need!
 This option can only be used in conjunction with "-E, --event".
-.TP
-.BI "-g, --group-mask " "[ALL|TCP|UDP|ICMP][,...]"
-Set the group bitmask to those netlink groups (resembling layer 4 protocols)
-that you're actually interested in. 
-This option can only be used in conjunction with "-E, --event".
 .SS FILTER PARAMETERS
 .TP
 .BI "-s, --orig-src " IP_ADDRESS
@@ -106,11 +100,13 @@
 .BI "-t, --timeout " "TIMEOUT"
 Specify the timeout.
 .TP
-.BI "-u, --status " "[EXPECTED|ASSURED|SEEN_REPLY|CONFIRMED|SNAT|DNAT|SEQ_ADJUST|UNSET][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
 Specify the conntrack status.
 .TP
 .BI "-i, --id " "ID"
-Specify the conntrack ID.
+Specify the conntrack ID. 
+.
+This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
 .TP
 .BI "--tuple-src " IP_ADDRESS
 Specify the tuple source address of an expectation.

Modified: trunk/conntrack/extensions/libct_proto_icmp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_icmp.c	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/extensions/libct_proto_icmp.c	2005-12-03 22:33:53 UTC (rev 6289)
@@ -14,7 +14,7 @@
 #include <netinet/in.h> /* For htons */
 #include <netinet/ip_icmp.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include "conntrack.h"
+#include <libnetfilter_conntrack/libnetfilter_conntrack_icmp.h>
 
 static struct option opts[] = {
 	{"icmp-type", 1, 0, '1'},
@@ -23,18 +23,7 @@
 	{0, 0, 0, 0}
 };
 
-enum icmp_param_flags {
-	ICMP_TYPE_BIT = 0,
-	ICMP_TYPE = (1 << ICMP_TYPE_BIT),
-
-	ICMP_CODE_BIT = 1,
-	ICMP_CODE = (1 << ICMP_CODE_BIT),
-
-	ICMP_ID_BIT = 2,
-	ICMP_ID = (1 << ICMP_ID_BIT)
-};
-
-void help()
+static void help()
 {
 	fprintf(stdout, "--icmp-type            icmp type\n");
 	fprintf(stdout, "--icmp-code            icmp code\n");
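Review bot: `static void help()` keeps an empty parameter list, which in C declares a function with unspecified arguments rather than one that takes none; `static void help(void)` states the intent and lets the compiler reject a stray argument. The same applies to the `help()` definitions made static in libct_proto_sctp.c, libct_proto_tcp.c and libct_proto_udp.c. The body of help() continues outside this hunk.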
@@ -52,12 +41,12 @@
 	    [ICMP_ADDRESS] = ICMP_ADDRESSREPLY + 1,
 	    [ICMP_ADDRESSREPLY] = ICMP_ADDRESS + 1};
 
-int parse(char c, char *argv[], 
-	   struct nfct_tuple *orig,
-	   struct nfct_tuple *reply,
-	   struct nfct_tuple *mask,
-	   union nfct_protoinfo *proto,
-	   unsigned int *flags)
+static int parse(char c, char *argv[], 
+		 struct nfct_tuple *orig,
+		 struct nfct_tuple *reply,
+		 struct nfct_tuple *mask,
+		 union nfct_protoinfo *proto,
+		 unsigned int *flags)
 {
 	switch(c) {
 		case '1':
@@ -86,10 +75,10 @@
 	return 1;
 }
 
-int final_check(unsigned int flags,
-		unsigned int command,
-		struct nfct_tuple *orig,
-		struct nfct_tuple *reply)
+static int final_check(unsigned int flags,
+		       unsigned int command,
+		       struct nfct_tuple *orig,
+		       struct nfct_tuple *reply)
 {
 	if (!(flags & ICMP_TYPE))
 		return 0;
@@ -109,9 +98,9 @@
 	.version	= VERSION,
 };
 
-void __attribute__ ((constructor)) init(void);
+static void __attribute__ ((constructor)) init(void);
 
-void init(void)
+static void init(void)
 {
 	register_proto(&icmp);
 }

Modified: trunk/conntrack/extensions/libct_proto_sctp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_sctp.c	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/extensions/libct_proto_sctp.c	2005-12-03 22:33:53 UTC (rev 6289)
@@ -14,6 +14,7 @@
 #include <netinet/in.h> /* For htons */
 #include "conntrack.h"
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_sctp.h>
 
 static struct option opts[] = {
 	{"orig-port-src", 1, 0, '1'},
@@ -24,23 +25,6 @@
 	{0, 0, 0, 0}
 };
 
-enum sctp_param_flags {
-	ORIG_SPORT_BIT = 0,
-	ORIG_SPORT = (1 << ORIG_SPORT_BIT),
-
-	ORIG_DPORT_BIT = 1,
-	ORIG_DPORT = (1 << ORIG_DPORT_BIT),
-
-	REPL_SPORT_BIT = 2,
-	REPL_SPORT = (1 << REPL_SPORT_BIT),
-
-	REPL_DPORT_BIT = 3,
-	REPL_DPORT = (1 << REPL_DPORT_BIT),
-
-	STATE_BIT = 4,
-	STATE = (1 << STATE_BIT)
-};
-
 static const char *states[] = {
 	"NONE",
 	"CLOSED",
@@ -52,7 +36,7 @@
 	"SHUTDOWN_ACK_SENT",
 };
 
-void help()
+static void help()
 {
 	fprintf(stdout, "--orig-port-src        original source port\n");
 	fprintf(stdout, "--orig-port-dst        original destination port\n");
@@ -61,12 +45,12 @@
 	fprintf(stdout, "--state                SCTP state, fe. ESTABLISHED\n");
 }
 
-int parse_options(char c, char *argv[], 
-		  struct nfct_tuple *orig,
-		  struct nfct_tuple *reply,
-		  struct nfct_tuple *mask,
-		  union nfct_protoinfo *proto,
-		  unsigned int *flags)
+static int parse_options(char c, char *argv[], 
+			 struct nfct_tuple *orig,
+			 struct nfct_tuple *reply,
+			 struct nfct_tuple *mask,
+			 union nfct_protoinfo *proto,
+			 unsigned int *flags)
 {
 	switch(c) {
 		case '1':
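Review bot: The body of `parse_options` beyond this hunk is not touched by the commit, yet `enum sctp_param_flags` is removed above and the TCP and UDP handlers are switched to `TCP_`/`UDP_`-prefixed names in the same revision. If the SCTP body and `final_check` still set or test `ORIG_SPORT`, `REPL_SPORT` or `STATE`, they now depend on libnetfilter_conntrack_sctp.h providing those unprefixed names, which the page does not show. It is worth confirming that the plugin still builds and that its bits line up with what the library compares when events are filtered.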
@@ -115,10 +99,10 @@
 	return 1;
 }
 
-int final_check(unsigned int flags,
-		unsigned int command,
-		struct nfct_tuple *orig,
-		struct nfct_tuple *reply)
+static int final_check(unsigned int flags,
+		       unsigned int command,
+		       struct nfct_tuple *orig,
+		       struct nfct_tuple *reply)
 {
 	int ret = 0;
 	
@@ -154,9 +138,9 @@
 	.version		= VERSION,
 };
 
-void __attribute__ ((constructor)) init(void);
+static void __attribute__ ((constructor)) init(void);
 
-void init(void)
+static void init(void)
 {
 	register_proto(&sctp);
 }

Modified: trunk/conntrack/extensions/libct_proto_tcp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_tcp.c	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/extensions/libct_proto_tcp.c	2005-12-03 22:33:53 UTC (rev 6289)
@@ -13,6 +13,7 @@
 #include <string.h>
 #include <netinet/in.h> /* For htons */
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
 
 #include "conntrack.h"
 
@@ -27,29 +28,6 @@
 	{0, 0, 0, 0}
 };
 
-enum tcp_param_flags {
-	ORIG_SPORT_BIT = 0,
-	ORIG_SPORT = (1 << ORIG_SPORT_BIT),
-
-	ORIG_DPORT_BIT = 1,
-	ORIG_DPORT = (1 << ORIG_DPORT_BIT),
-
-	REPL_SPORT_BIT = 2,
-	REPL_SPORT = (1 << REPL_SPORT_BIT),
-
-	REPL_DPORT_BIT = 3,
-	REPL_DPORT = (1 << REPL_DPORT_BIT),
-
-	MASK_SPORT_BIT = 4,
-	MASK_SPORT = (1 << MASK_SPORT_BIT),
-
-	MASK_DPORT_BIT = 5,
-	MASK_DPORT = (1 << MASK_DPORT_BIT),
-
-	STATE_BIT = 6,
-	STATE = (1 << STATE_BIT)
-};
-
 static const char *states[] = {
 	"NONE",
 	"SYN_SENT",
@@ -63,7 +41,7 @@
 	"LISTEN"
 };
 
-void help()
+static void help()
 {
 	fprintf(stdout, "--orig-port-src        original source port\n");
 	fprintf(stdout, "--orig-port-dst        original destination port\n");
@@ -74,48 +52,48 @@
 	fprintf(stdout, "--state                TCP state, fe. ESTABLISHED\n");
 }
 
-int parse_options(char c, char *argv[], 
-		  struct nfct_tuple *orig,
-		  struct nfct_tuple *reply,
-		  struct nfct_tuple *mask,
-		  union nfct_protoinfo *proto,
-		  unsigned int *flags)
+static int parse_options(char c, char *argv[], 
+			 struct nfct_tuple *orig,
+			 struct nfct_tuple *reply,
+			 struct nfct_tuple *mask,
+			 union nfct_protoinfo *proto,
+			 unsigned int *flags)
 {
 	switch(c) {
 		case '1':
 			if (optarg) {
 				orig->l4src.tcp.port = htons(atoi(optarg));
-				*flags |= ORIG_SPORT;
+				*flags |= TCP_ORIG_SPORT;
 			}
 			break;
 		case '2':
 			if (optarg) {
 				orig->l4dst.tcp.port = htons(atoi(optarg));
-				*flags |= ORIG_DPORT;
+				*flags |= TCP_ORIG_DPORT;
 			}
 			break;
 		case '3':
 			if (optarg) {
 				reply->l4src.tcp.port = htons(atoi(optarg));
-				*flags |= REPL_SPORT;
+				*flags |= TCP_REPL_SPORT;
 			}
 			break;
 		case '4':
 			if (optarg) {
 				reply->l4dst.tcp.port = htons(atoi(optarg));
-				*flags |= REPL_DPORT;
+				*flags |= TCP_REPL_DPORT;
 			}
 			break;
 		case '5':
 			if (optarg) {
 				mask->l4src.tcp.port = htons(atoi(optarg));
-				*flags |= MASK_SPORT;
+				*flags |= TCP_MASK_SPORT;
 			}
 			break;
 		case '6':
 			if (optarg) {
 				mask->l4dst.tcp.port = htons(atoi(optarg));
-				*flags |= MASK_DPORT;
+				*flags |= TCP_MASK_DPORT;
 			}
 			break;
 		case '7':
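Review bot: Every port option here still goes through `htons(atoi(optarg))`, so a non-numeric argument becomes port 0 and a value above 65535 is silently truncated while the matching `TCP_*` flag is set anyway. Now that these flags drive event filtering, a typo yields a filter that quietly watches the wrong port instead of an error. Parsing with `strtoul` and returning 0 on bad input, as the `--state` branch already does, would make the failure visible. The same pattern is in `parse_options` of libct_proto_udp.c, and parse_options here continues past this hunk.

```c
static int parse_port(const char *arg, unsigned int *port)
{
	char *end;
	unsigned long v = strtoul(arg, &end, 10);

	/* reject empty input, trailing garbage and out-of-range values */
	if (end == arg || *end != '\0' || v > 65535)
		return 0;
	*port = v;
	return 1;
}

		case '1':
			if (optarg) {
				unsigned int port;

				if (!parse_port(optarg, &port))
					return 0;
				orig->l4src.tcp.port = htons(port);
				*flags |= TCP_ORIG_SPORT;
			}
			break;
		/* … cases '2' to '6' take the same check … */
```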
@@ -131,37 +109,37 @@
 					printf("doh?\n");
 					return 0;
 				}
-				*flags |= STATE;
+				*flags |= TCP_STATE;
 			}
 			break;
 	}
 	return 1;
 }
 
-int final_check(unsigned int flags,
-		unsigned int command,
-		struct nfct_tuple *orig,
-		struct nfct_tuple *reply)
+static int final_check(unsigned int flags,
+		       unsigned int command,
+		       struct nfct_tuple *orig,
+		       struct nfct_tuple *reply)
 {
 	int ret = 0;
 	
-	if ((flags & (ORIG_SPORT|ORIG_DPORT)) 
-	    && !(flags & (REPL_SPORT|REPL_DPORT))) {
+	if ((flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) 
+	    && !(flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))) {
 		reply->l4src.tcp.port = orig->l4dst.tcp.port;
 		reply->l4dst.tcp.port = orig->l4src.tcp.port;
 		ret = 1;
-	} else if (!(flags & (ORIG_SPORT|ORIG_DPORT))
-	            && (flags & (REPL_SPORT|REPL_DPORT))) {
+	} else if (!(flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT))
+	            && (flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))) {
 		orig->l4src.tcp.port = reply->l4dst.tcp.port;
 		orig->l4dst.tcp.port = reply->l4src.tcp.port;
 		ret = 1;
 	}
-	if ((flags & (ORIG_SPORT|ORIG_DPORT)) 
-	    && ((flags & (REPL_SPORT|REPL_DPORT))))
+	if ((flags & (TCP_ORIG_SPORT|TCP_ORIG_DPORT)) 
+	    && ((flags & (TCP_REPL_SPORT|TCP_REPL_DPORT))))
 		ret = 1;
 
 	/* --state is missing and we are trying to create a conntrack */
-	if (ret && (command & CT_CREATE) && (!(flags & STATE)))
+	if (ret && (command & CT_CREATE) && (!(flags & TCP_STATE)))
 		ret = 0;
 
 	return ret;
@@ -177,9 +155,9 @@
 	.version		= VERSION,
 };
 
-void __attribute__ ((constructor)) init(void);
+static void __attribute__ ((constructor)) init(void);
 
-void init(void)
+static void init(void)
 {
 	register_proto(&tcp);
 }

Modified: trunk/conntrack/extensions/libct_proto_udp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_udp.c	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/extensions/libct_proto_udp.c	2005-12-03 22:33:53 UTC (rev 6289)
@@ -13,6 +13,7 @@
 #include <netinet/in.h> /* For htons */
 #include "conntrack.h"
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_udp.h>
 
 static struct option opts[] = {
 	{"orig-port-src", 1, 0, '1'},
@@ -24,27 +25,7 @@
 	{0, 0, 0, 0}
 };
 
-enum udp_param_flags {
-	ORIG_SPORT_BIT = 0,
-	ORIG_SPORT = (1 << ORIG_SPORT_BIT),
-
-	ORIG_DPORT_BIT = 1,
-	ORIG_DPORT = (1 << ORIG_DPORT_BIT),
-
-	REPL_SPORT_BIT = 2,
-	REPL_SPORT = (1 << REPL_SPORT_BIT),
-
-	REPL_DPORT_BIT = 3,
-	REPL_DPORT = (1 << REPL_DPORT_BIT),
-
-	MASK_SPORT_BIT = 4,
-	MASK_SPORT = (1 << MASK_SPORT_BIT),
-
-	MASK_DPORT_BIT = 5,
-	MASK_DPORT = (1 << MASK_DPORT_BIT),
-};
-
-void help()
+static void help()
 {
 	fprintf(stdout, "--orig-port-src        original source port\n");
 	fprintf(stdout, "--orig-port-dst        original destination port\n");
@@ -54,72 +35,72 @@
 	fprintf(stdout, "--mask-port-dst	mask destination port\n");
 }
 
-int parse_options(char c, char *argv[], 
-		  struct nfct_tuple *orig,
-		  struct nfct_tuple *reply,
-		  struct nfct_tuple *mask,
-		  union nfct_protoinfo *proto,
-		  unsigned int *flags)
+static int parse_options(char c, char *argv[], 
+			 struct nfct_tuple *orig,
+			 struct nfct_tuple *reply,
+			 struct nfct_tuple *mask,
+			 union nfct_protoinfo *proto,
+			 unsigned int *flags)
 {
 	switch(c) {
 		case '1':
 			if (optarg) {
 				orig->l4src.udp.port = htons(atoi(optarg));
-				*flags |= ORIG_SPORT;
+				*flags |= UDP_ORIG_SPORT;
 			}
 			break;
 		case '2':
 			if (optarg) {
 				orig->l4dst.udp.port = htons(atoi(optarg));
-				*flags |= ORIG_DPORT;
+				*flags |= UDP_ORIG_DPORT;
 			}
 			break;
 		case '3':
 			if (optarg) {
 				reply->l4src.udp.port = htons(atoi(optarg));
-				*flags |= REPL_SPORT;
+				*flags |= UDP_REPL_SPORT;
 			}
 			break;
 		case '4':
 			if (optarg) {
 				reply->l4dst.udp.port = htons(atoi(optarg));
-				*flags |= REPL_DPORT;
+				*flags |= UDP_REPL_DPORT;
 			}
 			break;
 		case '5':
 			if (optarg) {
 				mask->l4src.udp.port = htons(atoi(optarg));
-				*flags |= MASK_SPORT;
+				*flags |= UDP_MASK_SPORT;
 			}
 			break;
 		case '6':
 			if (optarg) {
 				mask->l4dst.udp.port = htons(atoi(optarg));
-				*flags |= MASK_DPORT;
+				*flags |= UDP_MASK_DPORT;
 			}
 			break;
 	}
 	return 1;
 }
 
-int final_check(unsigned int flags,
-		unsigned int command,
-		struct nfct_tuple *orig,
-		struct nfct_tuple *reply)
+static int final_check(unsigned int flags,
+		       unsigned int command,
+		       struct nfct_tuple *orig,
+		       struct nfct_tuple *reply)
 {
-	if ((flags & (ORIG_SPORT|ORIG_DPORT)) 
-	    && !(flags & (REPL_SPORT|REPL_DPORT))) {
+	if ((flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) 
+	    && !(flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))) {
 		reply->l4src.udp.port = orig->l4dst.udp.port;
 		reply->l4dst.udp.port = orig->l4src.udp.port;
 		return 1;
-	} else if (!(flags & (ORIG_SPORT|ORIG_DPORT))
-	            && (flags & (REPL_SPORT|REPL_DPORT))) {
+	} else if (!(flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT))
+	            && (flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))) {
 		orig->l4src.udp.port = reply->l4dst.udp.port;
 		orig->l4dst.udp.port = reply->l4src.udp.port;
 		return 1;
 	}
-	if ((flags & (ORIG_SPORT|ORIG_DPORT)) 
-	    && ((flags & (REPL_SPORT|REPL_DPORT))))
+	if ((flags & (UDP_ORIG_SPORT|UDP_ORIG_DPORT)) 
+	    && ((flags & (UDP_REPL_SPORT|UDP_REPL_DPORT))))
 		return 1;
 
 	return 0;
@@ -135,9 +116,9 @@
 	.version		= VERSION,
 };
 
-void __attribute__ ((constructor)) init(void);
+static void __attribute__ ((constructor)) init(void);
 
-void init(void)
+static void init(void)
 {
 	register_proto(&udp);
 }

Modified: trunk/conntrack/src/conntrack.c
===================================================================
--- trunk/conntrack/src/conntrack.c	2005-12-03 14:53:58 UTC (rev 6288)
+++ trunk/conntrack/src/conntrack.c	2005-12-03 22:33:53 UTC (rev 6289)
@@ -120,7 +120,7 @@
 /*CT_DELETE*/ {' ',' ',' ',' ',' ','x','x','x','x','x','x','x','x','x','x',' '},
 /*CT_GET*/    {' ',' ',' ',' ','+','x','x','x','x','x','x','x','x','x','x',' '},
 /*CT_FLUSH*/  {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'},
-/*CT_EVENT*/  {'x','x','x','x','x','x','x','x',' ','x','x','x','x','x','x','x'},
+/*CT_EVENT*/  {'x','x','x','x',' ','x','x','x',' ','x','x','x','x','x','x','x'},
 /*VERSION*/   {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'},
 /*HELP*/      {'x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x'},
 /*EXP_LIST*/  {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x',' '},
@@ -1014,24 +1014,33 @@
 		break;
 		
 	case CT_EVENT:
-		if (options & CT_OPT_EVENT_MASK) {
+		ct = nfct_conntrack_alloc(&orig, &reply, timeout,
+					  &proto, status, mark, id, NULL);
+		if (!ct)
+			exit_error(OTHER_PROBLEM, "Not enough memory");
+
+		if (options & CT_OPT_EVENT_MASK)
 			cth = nfct_open(CONNTRACK, event_mask);
-			if (!cth)
-				exit_error(OTHER_PROBLEM, "Can't open handler");
-			signal(SIGINT, event_sighandler);
-			nfct_register_callback(cth, 
-					nfct_default_conntrack_display, NULL);
-			res = nfct_event_conntrack(cth);
-		} else {
+		else
 			cth = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
-			if (!cth)
-				exit_error(OTHER_PROBLEM, "Can't open handler");
-			signal(SIGINT, event_sighandler);
+
+		if (!cth)
+			exit_error(OTHER_PROBLEM, "Can't open handler");
+		signal(SIGINT, event_sighandler);
+
+		if (options & CT_OPT_PROTO) {
+			struct nfct_conntrack_compare cmp = {
+				.ct = ct,
+				.flag = 0,
+				.protoflag = extra_flags
+			};
 			nfct_register_callback(cth,
-					       nfct_default_conntrack_display,
-					       NULL);
-			res = nfct_event_conntrack(cth);
+				nfct_default_conntrack_display, (void *)&cmp);
+		} else {
+			nfct_register_callback(cth, 
+				nfct_default_conntrack_display, NULL);
 		}
+		res = nfct_event_conntrack(cth);
 		nfct_close(cth);
 		break;
 
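Review bot: `cmp` is declared inside the `if (options & CT_OPT_PROTO)` block, but its address is handed to `nfct_register_callback` and `nfct_event_conntrack(cth)` runs only after that block has closed. The callback is therefore given a pointer to an object whose lifetime has ended, assuming the library keeps the pointer rather than copying the struct. Declaring `struct nfct_conntrack_compare cmp;` at function scope, or calling `res = nfct_event_conntrack(cth);` inside both branches, keeps it valid for the whole event loop. `ct` from `nfct_conntrack_alloc` is also never released after `nfct_close(cth)`, and it is allocated even when no filter is requested. The enclosing function starts and ends outside this hunk.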



