[netfilter-cvslog] r3995 - in trunk/conntrack: . extensions src

laforge at netfilter.org laforge at netfilter.org
Fri Jun 24 18:28:26 CEST 2005


Author: laforge at netfilter.org
Date: 2005-06-24 18:28:24 +0200 (Fri, 24 Jun 2005)
New Revision: 3995

Added:
   trunk/conntrack/conntrack.8
   trunk/conntrack/extensions/libct_proto_icmp.man
   trunk/conntrack/extensions/libct_proto_sctp.c
   trunk/conntrack/extensions/libct_proto_tcp.man
   trunk/conntrack/extensions/libct_proto_udp.man
Modified:
   trunk/conntrack/AUTHORS
   trunk/conntrack/ChangeLog
   trunk/conntrack/configure.in
   trunk/conntrack/extensions/Makefile.am
   trunk/conntrack/extensions/libct_proto_icmp.c
   trunk/conntrack/extensions/libct_proto_tcp.c
   trunk/conntrack/src/conntrack.c
   trunk/conntrack/src/libct.c
Log:
o Fixed syntax error (tab/space issue) in help message
o Fixed getopt handling on big endian machines
o Fixed possible future read-over-end-of-array in TCP extension
o Add manpage
o Add missing space at output of libct_proto_icmp.c
o Add status bits that were introduced in 2.6.11
o Add SCTP extension
o Add support for expect creation
o Bump version number to 0.63


Modified: trunk/conntrack/AUTHORS
===================================================================
--- trunk/conntrack/AUTHORS	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/AUTHORS	2005-06-24 16:28:24 UTC (rev 3995)
@@ -1 +1,2 @@
 Pablo Neira Ayuso <pablo at eurodev.net>
+Harald Welte <laforge at netfilter.org>

Modified: trunk/conntrack/ChangeLog
===================================================================
--- trunk/conntrack/ChangeLog	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/ChangeLog	2005-06-24 16:28:24 UTC (rev 3995)
@@ -1,3 +1,14 @@
+2005-05-23
+<laforge at netfilter.org>
+	o Fixed syntax error (tab/space issue) in help message
+	o Fixed getopt handling on big endian machines
+	o Fixed possible future read-over-end-of-array in TCP extension
+	o Add manpage
+	o Add missing space at output of libct_proto_icmp.c
+	o Add status bits that were introduced in 2.6.11
+	o Add SCTP extension
+	o Add support for expect creation
+	o Bump version number to 0.63
 2005-04-25
 <pablo at eurodev.net>
 	o Added support for mask based event dumping

Modified: trunk/conntrack/configure.in
===================================================================
--- trunk/conntrack/configure.in	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/configure.in	2005-06-24 16:28:24 UTC (rev 3995)
@@ -2,7 +2,7 @@
 
 AC_CANONICAL_SYSTEM
 
-AM_INIT_AUTOMAKE(conntrack, 0.50)
+AM_INIT_AUTOMAKE(conntrack, 0.63)
 AM_CONFIG_HEADER(config.h)
 
 AC_PROG_CC
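Review bot: the version string is maintained in two places and had already drifted (configure.in said 0.50 while conntrack.c said 0.62 before this change). Since `AM_INIT_AUTOMAKE(conntrack, 0.63)` together with `AM_CONFIG_HEADER(config.h)` already defines `VERSION` in config.h, conntrack.c could include config.h and drop its own `#define VERSION "0.63"`, removing the duplication for good.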

Added: trunk/conntrack/conntrack.8
===================================================================
--- trunk/conntrack/conntrack.8	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/conntrack.8	2005-06-24 16:28:24 UTC (rev 3995)
@@ -0,0 +1,152 @@
+.TH CONNTRACK 8 "Jun 23, 2005" "" ""
+
+.\" Man page written by Harald Welte <laforge at netfilter.org (Jun 2005)
+
+.SH NAME
+conntrack \- administration tool for netfilter connection tracking
+.SH SYNOPSIS
+.BR "conntrack -L [table] [-z]"
+.br
+.BR "conntrack -G [table] parameters"
+.br
+.BR "conntrack -D [table] paramaters"
+.br
+.BR "conntrack -I [table] parameters"
+.br
+.BR "conntrack -E [table] parameters"
+.br
+.BR "conntrack -F [table]"
+.br
+.BR "conntrack -A [table] [options]"
+.SH DESCRIPTION
+.B conntrack
+is used to search, list, inspect and maintain the netfilter connection tracking
+subsystem of the Linux kernel.
+.PP
+Using 
+.B conntrack
+, you can dump a list of all (or a filtered selection of) currently tracked
+connections, delete connections from the state table, and even add new ones.
+.PP
+In addition, you can also monitor connection tracking events, e.g. show an
+event message (one line) per newly established connection.
+.SH TABLES
+The connection tracking subsystem maintains two internal tables:
+.TP
+.BR "conntrack" :
+This is the default table.  It contains a list of all currently tracked
+connections through the system.  If you don't use connection tracking
+exemptions (NOTRACK iptables target), this means all connections that go
+through the system.
+.TP
+.BR "expect" :
+This is the table of expectations.  Connection tracking expectations are the
+mechanism used to "expect" RELATED connections to existing ones.  Expectations
+are generally used by "connection tracking helpers" (sometimes called
+application level gateways [ALGs]) for more complex protocols such as FTP,
+SIP, H.323.
+.SH OPTIONS
+The options recognized by 
+.B conntrack
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the particular operation to perform.  Only one of them
+can be specified at any given time.
+.TP
+.BI "-L --dump "
+List connection tacking or expectation table
+.TP
+.BI "-G, --get "
+Search for and show a particular (matching) entry in the given table.
+.TP
+.BI "-D, --delete "
+Delete an entry from the given table.
+.TP
+.BI "-I, --create "
+Create a new entry from the given table.
+.TP
+.BI "-E, --event "
+Display a real-time event log.
+.TP
+.BI "-F, --flush "
+Flush the whole given table
+.TP
+.BI "-A, --action "
+Set an action.
+.SS PARAMETERS
+.TP
+.BI "-z, --zero "
+Atomically zero counters after reading them.  This option is only valid in
+combination with the "-L, --dump" command options.
+.TP
+.BI "-e, --event-mask " "[ALL|NEW|RELATED|DESTROY|REFRESH|STATUS|PROTOINFO|HELPER|HELPINFO|NATINFO][,...]"
+Set the bitmask of events that are to be generated by the in-kernel ctnetlink
+event code.  Using this parameter, you can reduce the event messages generated
+by the kernel to those types to those that you are actually interested in.
+.
+Please note that this is a system-wide setting, so make sure to not disable some events that other ctnetlink-using processes might need!
+This option can only be used in conjunction with "-A, --action".
+.TP
+.BI "-m, --dump-mask " "[ALL|TUPLE|STATUS|TIMEOUT|PROTOINFO|HELPINFO|COUNTERS|MARK][,...]"
+Set the bitmask of data fields that are to be sent with each message generated
+by the in-kernel ctnetlink code.  Using this parameter, you can reduce the
+amount of information sent by the kernel to those bits and pieces that you are
+actually interested in.
+Please note that this is a system-wide setting, so make sure to not disable some data fields that other ctnetlink-using processes might need!
+This option can only be used in conjunction with "-A, --action".
+.TP
+.BI "-g, --group-mask " "[ALL|TCP|UDP|ICMP][,...]"
+Set the group bitmask to those netlink groups (resembling layer 4 protocols)
+that you're actually interested in. 
+This option can only be used in conjunction with "-E, --event".
+.SS FILTER PARAMETERS
+.TP
+.BI "-s, --orig-src " IP_ADDRESS
+Match only entries whose source address in the original direction equals the one specified as argument.
+.TP
+.BI "-d, --orig-dst " IP_ADDRESS
+Match only entries whose destination address in the original direction equals the one specified as argument.
+.TP
+.BI "-r, --reply-src " IP_ADDRESS
+Match only entries whose source address in the reply direction equals the one specified as argument.
+.TP
+.BI "-q, --reply-dst " IP_ADDRESS
+Match only entries whose destination address in the reply direction equals the one specified as argument.
+.TP
+.BI "-p, --proto " "PROTO "
+Specify layer four (TCP, UDP, ...) protocol.
+.TP
+.BI "-t, --timeout " "TIMEOUT"
+Specify the timeout.
+.TP
+.BI "-u, --status " "[EXPECTED|ASSURED|SEEN_REPLY|CONFIRMED|SNAT|DNAT|SEQ_ADJUST|UNSET][,...]"
+Specify the conntrack status.
+.TP
+.BI "--tuple-src " IP_ADDRESS
+Specify the tuple source address of an expectation.
+.TP
+.BI "--tuple-dst " IP_ADDRESS
+Specify the tuple destination address of an expectation.
+.TP
+.BI "--mask-src " IP_ADDRESS
+Specify the source address mask of an expectation.
+.TP
+.BI "--mask-dst " IP_ADDRESS
+Specify the destination address mask of an expectation.
+.SH DIAGNOSTICS
+The exit code is 0 for correct function.  Errors which appear to be caused by
+invalid command line parameters cause an exit code of 2.  Any other errors
+cause an exit code of 1.
+.SH BUGS
+Bugs? What's this ;-)
+.SH SEE ALSO
+.BR iptables (8)
+.br
+See
+.BR "http://netfilter.org/" .
+.SH AUTHORS
+Jay Schulist, Patrick McHardy and Harald Welte wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
+.PP
+Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters.
+.PP
+Man page written by Harald Welte <laforge at netfilter.org>.
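Review bot: several slips in the page text: `paramaters` in the -D synopsis line, `connection tacking` under -L, `-L --dump` is missing the comma the other commands use, `-I, --create` says "Create a new entry from the given table" where "in" is meant, the comment line `<laforge at netfilter.org (Jun 2005)` never closes its angle bracket, and the -e description reads "to those types to those that you are actually interested in". Also, the per-protocol `libct_proto_*.man` fragments added in this revision are not referenced from this page, so `--orig-port-src`, `--state`, `--icmp-type` and friends remain undocumented until a build step splices them into conntrack.8.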

Modified: trunk/conntrack/extensions/Makefile.am
===================================================================
--- trunk/conntrack/extensions/Makefile.am	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/Makefile.am	2005-06-24 16:28:24 UTC (rev 3995)
@@ -8,8 +8,10 @@
 CFLAGS=-fPIC -Wall
 LIBS=
 
-lib_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la libct_proto_icmp.la
+lib_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la libct_proto_icmp.la \
+		  libct_proto_sctp.la
 
 libct_proto_tcp_la_SOURCES = libct_proto_tcp.c
 libct_proto_udp_la_SOURCES = libct_proto_udp.c
 libct_proto_icmp_la_SOURCES = libct_proto_icmp.c
+libct_proto_sctp_la_SOURCES = libct_proto_sctp.c

Modified: trunk/conntrack/extensions/libct_proto_icmp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_icmp.c	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/libct_proto_icmp.c	2005-06-24 16:28:24 UTC (rev 3995)
@@ -81,7 +81,7 @@
 
 void print_tuple(struct ip_conntrack_tuple *t)
 {
-	fprintf(stdout, "type=%d code=%d id=%d", t->dst.u.icmp.type, 
+	fprintf(stdout, "type=%d code=%d id=%d ", t->dst.u.icmp.type, 
 				             	 t->dst.u.icmp.code,
 						 t->src.u.icmp.id);
 }

Added: trunk/conntrack/extensions/libct_proto_icmp.man
===================================================================
--- trunk/conntrack/extensions/libct_proto_icmp.man	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/libct_proto_icmp.man	2005-06-24 16:28:24 UTC (rev 3995)
@@ -0,0 +1,10 @@
+This module matches on ICMP-specific fields.
+.TP
+.BI "--icmp-type " "TYPE"
+ICMP Type. Has to be specified numerically.
+.TP
+.BI "--icmp-code " "CODE"
+ICMP Code. Has to be specified numerically.
+.TP
+.BI "--icmp-id " "ID"
+ICMP Id. Has to be specified numerically.

Added: trunk/conntrack/extensions/libct_proto_sctp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_sctp.c	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/libct_proto_sctp.c	2005-06-24 16:28:24 UTC (rev 3995)
@@ -0,0 +1,160 @@
+/*
+ * (C) 2005 by Harald Welte <lafoorge at netfilter.org>
+ *
+ *      This program is free software; you can redistribute it and/or modify
+ *      it under the terms of the GNU General Public License Version 2 as
+ *      published by the Free Software Foundation
+ *
+ */
+#include <stdio.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netinet/in.h> /* For htons */
+#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include "libct_proto.h"
+
+static struct option opts[] = {
+	{"orig-port-src", 1, 0, '1'},
+	{"orig-port-dst", 1, 0, '2'},
+	{"reply-port-src", 1, 0, '3'},
+	{"reply-port-dst", 1, 0, '4'},
+	{"state", 1, 0, '5'},
+	{0, 0, 0, 0}
+};
+
+enum sctp_param_flags {
+	ORIG_SPORT_BIT = 0,
+	ORIG_SPORT = (1 << ORIG_SPORT_BIT),
+
+	ORIG_DPORT_BIT = 1,
+	ORIG_DPORT = (1 << ORIG_DPORT_BIT),
+
+	REPL_SPORT_BIT = 2,
+	REPL_SPORT = (1 << REPL_SPORT_BIT),
+
+	REPL_DPORT_BIT = 3,
+	REPL_DPORT = (1 << REPL_DPORT_BIT),
+
+	STATE_BIT = 4,
+	STATE = (1 << STATE_BIT)
+};
+
+static const char *states[] = {
+	"NONE",
+	"CLOSED",
+	"COOKIE_WAIT",
+	"COOKIE_ECHOED",
+	"ESTABLISHED",
+	"SHUTDOWN_SENT",
+	"SHUTDOWN_RECV",
+	"SHUTDOWN_ACK_SENT",
+};
+
+static void help()
+{
+	fprintf(stdout, "--orig-port-src        original source port\n");
+	fprintf(stdout, "--orig-port-dst        original destination port\n");
+	fprintf(stdout, "--reply-port-src       reply source port\n");
+	fprintf(stdout, "--reply-port-dst       reply destination port\n");
+	fprintf(stdout, "--state                SCTP state, eg. ESTABLISHED\n");
+}
+
+static int parse(char c, char *argv[], 
+	   struct ip_conntrack_tuple *orig,
+	   struct ip_conntrack_tuple *reply,
+	   union ip_conntrack_proto *proto,
+	   unsigned int *flags)
+{
+	switch(c) {
+		case '1':
+			if (optarg) {
+				orig->src.u.sctp.port = htons(atoi(optarg));
+				*flags |= ORIG_SPORT;
+			}
+			break;
+		case '2':
+			if (optarg) {
+				orig->dst.u.sctp.port = htons(atoi(optarg));
+				*flags |= ORIG_DPORT;
+			}
+			break;
+		case '3':
+			if (optarg) {
+				reply->src.u.sctp.port = htons(atoi(optarg));
+				*flags |= REPL_SPORT;
+			}
+			break;
+		case '4':
+			if (optarg) {
+				reply->dst.u.sctp.port = htons(atoi(optarg));
+				*flags |= REPL_DPORT;
+			}
+			break;
+		case '5':
+			if (optarg) {
+				int i;
+				for (i=0; i<10; i++) {
+					if (strcmp(optarg, states[i]) == 0) {
+						proto->sctp.state = i;
+						break;
+					}
+				}
+				if (i == 10) {
+					printf("doh?\n");
+					return 0;
+				}
+			}
+			break;
+	}
+	return 1;
+}
+
+static int final_check(unsigned int flags)
+{
+	if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT))
+		return 1;
+	else if ((flags & REPL_SPORT) && (flags & REPL_DPORT))
+		return 1;
+
+	return 0;
+}
+
+static void print_tuple(struct ip_conntrack_tuple *t)
+{
+	fprintf(stdout, "sport=%d dport=%d ", ntohs(t->src.u.sctp.port), 
+				             ntohs(t->dst.u.sctp.port));
+}
+
+static void print_proto(union ip_conntrack_proto *proto)
+{
+	if (proto->sctp.state > sizeof(states)/sizeof(char *))
+		fprintf(stdout, "[%u] ", proto->sctp.state);
+	else
+		fprintf(stdout, "[%s] ", states[proto->sctp.state]);
+}
+
+static struct ctproto_handler sctp = {
+	.name 		= "sctp",
+	.protonum	= 132,
+	.parse		= parse,
+	.print_tuple	= print_tuple,
+	.print_proto	= print_proto,
+	.final_check	= final_check,
+	.help		= help,
+	.opts		= opts,
+};
+
+void __attribute__ ((constructor)) init(void);
+void __attribute__ ((destructor)) fini(void);
+
+void init(void)
+{
+	register_proto(&sctp);
+}
+
+void fini(void)
+{
+	unregister_proto(&sctp);
+}
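Review bot: the `--state` parser reads past the end of `states[]`: the array has 8 entries, but the loop runs `for (i=0; i<10; i++)` and the failure test is `if (i == 10)`, which is the same over-read this commit fixes in the TCP extension. Use `sizeof(states)/sizeof(states[0])` as the bound in both places. `print_proto` has the companion off-by-one: with 8 entries, `state == 8` passes the `>` test and indexes `states[8]`, so the comparison should be `>=`. Smaller points: the copyright line says `lafoorge`, the unknown-state path prints `doh?` rather than naming the rejected argument, and the port options go through `atoi()` with no range check, so a value above 65535 is silently truncated by `htons`.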

Modified: trunk/conntrack/extensions/libct_proto_tcp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_tcp.c	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/libct_proto_tcp.c	2005-06-24 16:28:24 UTC (rev 3995)
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <stdlib.h>
+#include <string.h>
 #include <netinet/in.h> /* For htons */
 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
 #include <linux/netfilter_ipv4/ip_conntrack.h>
@@ -54,7 +55,7 @@
 	"LISTEN"
 };
 
-void help()
+static void help()
 {
 	fprintf(stdout, "--orig-port-src        original source port\n");
 	fprintf(stdout, "--orig-port-dst        original destination port\n");
@@ -63,7 +64,7 @@
 	fprintf(stdout, "--state                TCP state, fe. ESTABLISHED\n");
 }
 
-int parse(char c, char *argv[], 
+static int parse(char c, char *argv[], 
 	   struct ip_conntrack_tuple *orig,
 	   struct ip_conntrack_tuple *reply,
 	   union ip_conntrack_proto *proto,
@@ -113,7 +114,7 @@
 	return 1;
 }
 
-int final_check(unsigned int flags)
+static int final_check(unsigned int flags)
 {
 	if ((flags & ORIG_SPORT) && (flags & ORIG_DPORT))
 		return 1;
@@ -123,15 +124,18 @@
 	return 0;
 }
 
-void print_tuple(struct ip_conntrack_tuple *t)
+static void print_tuple(struct ip_conntrack_tuple *t)
 {
 	fprintf(stdout, "sport=%d dport=%d ", ntohs(t->src.u.tcp.port), 
 				             ntohs(t->dst.u.tcp.port));
 }
 
-void print_proto(union ip_conntrack_proto *proto)
+static void print_proto(union ip_conntrack_proto *proto)
 {
-	fprintf(stdout, "[%s] ", states[proto->tcp.state]);
+	if (proto->tcp.state > sizeof(states)/sizeof(char *))
+		fprintf(stdout, "[%u] ", states[proto->tcp.state]);
+	else
+		fprintf(stdout, "[%s] ", states[proto->tcp.state]);
 }
 
 static struct ctproto_handler tcp = {
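Review bot: in the new `print_proto` guard, the out-of-range branch does `fprintf(stdout, "[%u] ", states[proto->tcp.state])`, which still indexes `states[]` with the out-of-range value (and passes a `const char *` to `%u`); it should print `proto->tcp.state` itself, as the SCTP extension added in this same revision does. The check should also be `>=`: `sizeof(states)/sizeof(char *)` is the element count, so a state equal to it is one past the end of the array.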
@@ -142,7 +146,7 @@
 	.print_proto	= print_proto,
 	.final_check	= final_check,
 	.help		= help,
-	.opts		= opts
+	.opts		= opts,
 };
 
 void __attribute__ ((constructor)) init(void);

Added: trunk/conntrack/extensions/libct_proto_tcp.man
===================================================================
--- trunk/conntrack/extensions/libct_proto_tcp.man	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/libct_proto_tcp.man	2005-06-24 16:28:24 UTC (rev 3995)
@@ -0,0 +1,16 @@
+This module matches on TCP-specific fields.
+.TP
+.BI "--orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction
+.TP
+.BI "--state " "[NONE|SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|LISTEN]"
+TCP state

Added: trunk/conntrack/extensions/libct_proto_udp.man
===================================================================
--- trunk/conntrack/extensions/libct_proto_udp.man	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/extensions/libct_proto_udp.man	2005-06-24 16:28:24 UTC (rev 3995)
@@ -0,0 +1,13 @@
+This module matches on UDP-specific fields.
+.TP
+.BI "--orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction

Modified: trunk/conntrack/src/conntrack.c
===================================================================
--- trunk/conntrack/src/conntrack.c	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/src/conntrack.c	2005-06-24 16:28:24 UTC (rev 3995)
@@ -25,6 +25,8 @@
  *
  * 2005-04-16 Harald Welte <laforge at netfilter.org>: 
  * 	Add support for conntrack accounting and conntrack mark
+ * 2005-06-23 Harald Welte <laforge at netfilter.org>:
+ * 	Add support for expect creation
  *
  */
 #include <stdio.h>
@@ -47,7 +49,7 @@
 #include "libct_proto.h"
 
 #define PROGNAME "conntrack"
-#define VERSION "0.62"
+#define VERSION "0.63"
 
 #if 0
 #define DEBUGP printf
@@ -127,11 +129,22 @@
 	CT_OPT_EVENT_MASK_BIT	= 10,
 	CT_OPT_EVENT_MASK	= (1 << CT_OPT_EVENT_MASK_BIT),
 
+	CT_OPT_TUPLE_SRC_BIT	= 11,
+	CT_OPT_TUPLE_SRC	= (1 << CT_OPT_TUPLE_SRC_BIT),
+
+	CT_OPT_TUPLE_DST_BIT	= 12,
+	CT_OPT_TUPLE_DST	= (1 << CT_OPT_TUPLE_DST_BIT),
+
+	CT_OPT_MASK_SRC_BIT	= 13,
+	CT_OPT_MASK_SRC		= (1 << CT_OPT_MASK_SRC_BIT),
+
+	CT_OPT_MASK_DST_BIT	= 14,
+	CT_OPT_MASK_DST		= (1 << CT_OPT_MASK_DST_BIT),
 };
-#define NUMBER_OF_OPT   11
+#define NUMBER_OF_OPT   15
 
 static const char optflags[NUMBER_OF_OPT]
-= { 's', 'd', 'r', 'q', 'p', 't', 'u', 'z','m','g','e'};
+= { 's', 'd', 'r', 'q', 'p', 't', 'u', 'z','m','g','e', '[',']','{','}'};
 
 static struct option original_opts[] = {
 	{"dump", 2, 0, 'L'},
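Review bot: `'['`, `']'`, `'{'` and `'}'` are added as real short options (they also appear in the getopt string further down as `[:]:{:}:`), so `-[ 10.0.0.1` is accepted on the command line although only the long forms are documented in the help text and man page. Now that `c` is an `int`, the `val` of these long-only options can be any value outside the character range (256 and up) and they can stay out of the short-option string; `optflags` and the `commands_v_options` lookup would then need to be keyed on those values rather than on single characters.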
@@ -154,6 +167,10 @@
 	{"dump-mask", 1, 0, 'm'},
 	{"groups", 1, 0, 'g'},
 	{"event-mask", 1, 0, 'e'},
+	{"tuple-src", 1, 0, '['},
+	{"tuple-dst", 1, 0, ']'},
+	{"mask-src", 1, 0, '{'},
+	{"mask-dst", 1, 0, '}'},
 	{0, 0, 0, 0}
 };
 
@@ -174,16 +191,16 @@
 static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
 /* Well, it's better than "Re: Linux vs FreeBSD" */
 {
-          /*   -s  -d  -r  -q  -p  -t  -u  -z  -m  -g  -e */
-/*LIST*/      {'x','x','x','x','x','x','x',' ','x','x','x'},
-/*CREATE*/    {'+','+','+','+','+','+','+','x','x','x','x'},
-/*DELETE*/    {' ',' ',' ',' ',' ','x','x','x','x','x','x'},
-/*GET*/       {' ',' ',' ',' ','+','x','x','x','x','x','x'},
-/*FLUSH*/     {'x','x','x','x','x','x','x','x','x','x','x'},
-/*EVENT*/     {'x','x','x','x','x','x','x','x','x',' ','x'},
-/*ACTION*/    {'x','x','x','x','x','x','x','x',' ','x',' '},
-/*VERSION*/   {'x','x','x','x','x','x','x','x','x','x','x'},
-/*HELP*/      {'x','x','x','x',' ','x','x','x','x','x','x'},
+          /*   -s  -d  -r  -q  -p  -t  -u  -z  -m  -g  -e  ts  td  ms  md */
+/*LIST*/      {'x','x','x','x','x','x','x',' ','x','x','x','x','x','x','x'},
+/*CREATE*/    {'+','+','+','+','+','+','+','x','x','x','x','+','+','+','+'},
+/*DELETE*/    {' ',' ',' ',' ',' ','x','x','x','x','x','x',' ',' ',' ',' '},
+/*GET*/       {' ',' ',' ',' ','+','x','x','x','x','x','x',' ',' ',' ',' '},
+/*FLUSH*/     {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*EVENT*/     {'x','x','x','x','x','x','x','x','x',' ','x','x','x','x','x'},
+/*ACTION*/    {'x','x','x','x','x','x','x','x',' ','x',' ','x','x','x','x'},
+/*VERSION*/   {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*HELP*/      {'x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x'},
 };
 
 /* FIXME: hardcoded!, this must be defined during compilation time */
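Review bot: the four new columns are marked `'+'` for CREATE, which in this matrix appears to mean mandatory (the pre-existing `-s`..`-u` entries for CREATE use the same marker), but the matrix is indexed by command only and CT_CREATE serves both `-I conntrack` (`create_conntrack`) and `-I expect` (`create_expect`). If the `'+'` entries are enforced like the other columns, creating a plain conntrack now requires `--tuple-src/--tuple-dst/--mask-src/--mask-dst`, and conversely `-s/-d/-r/-q` stay mandatory for expect creation. Either make the check table-aware or mark the new columns `' '` and validate them in the expect branch.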
@@ -355,9 +372,11 @@
 	size_t  size;
 	unsigned int value[10];
 } parse_array[PARSE_MAX] = {
-	{ {"ASSURED", "SEEN_REPLY", "UNSET"},
-	  3,
-	  { IPS_ASSURED, IPS_SEEN_REPLY, 0} },
+	{ {"EXPECTED", "ASSURED", "SEEN_REPLY", "CONFIRMED", "SNAT", "DNAT", 
+	   "SEQ_ADJUST", "UNSET"},
+	  8,
+	  { IPS_EXPECTED, IPS_ASSURED, IPS_SEEN_REPLY, IPS_CONFIRMED,
+	    IPS_SRC_NAT, IPS_DST_NAT, IPS_SEQ_ADJUST, 0} },
 	{ {"ALL", "TCP", "UDP", "ICMP"},
 	  4,
 	  {~0U, NFGRP_IPV4_CT_TCP, NFGRP_IPV4_CT_UDP, NFGRP_IPV4_CT_ICMP} },
@@ -502,7 +521,7 @@
 fprintf(stdout, "\n");
 fprintf(stdout, "Commands:\n");
 fprintf(stdout, "-L [table] [-z]   	List conntrack or expectation table\n");
-fprintf(stdout, "-G [table] parameters  Get conntrack or expectation\n");
+fprintf(stdout, "-G [table] parameters	Get conntrack or expectation\n");
 fprintf(stdout, "-D [table] parameters	Delete conntrack or expectation\n");
 fprintf(stdout, "-I [table] parameters	Create a conntrack or expectation\n");
 fprintf(stdout, "-E [table] [options]	Show events\n");
@@ -514,6 +533,10 @@
 fprintf(stdout, "--orig-dst ip	     	Destination address from original direction\n");
 fprintf(stdout, "--reply-src ip		Source addres from reply direction\n");
 fprintf(stdout, "--reply-dst ip		Destination address from reply direction\n");
+fprintf(stdout, "--tuple-src ip		Source address in expect tuple\n");
+fprintf(stdout, "--tuple-dst ip		Destination address in expect tuple\n");
+fprintf(stdout, "--mask-src ip		Source mask in expect\n");
+fprintf(stdout, "--mask-dst ip		Destination mask in expect\n");
 fprintf(stdout, "-p proto		Layer 4 Protocol\n");
 fprintf(stdout, "-t timeout		Set timeout\n");
 fprintf(stdout, "-u status		Set status\n");
@@ -525,9 +548,9 @@
 
 int main(int argc, char *argv[])
 {
-	char c;
+	int c;
 	unsigned int command = 0, options = 0;
-	struct ip_conntrack_tuple orig, reply, *o = NULL, *r = NULL;
+	struct ip_conntrack_tuple orig, reply, tuple, mask, *o = NULL, *r = NULL;
 	struct ctproto_handler *h = NULL;
 	union ip_conntrack_proto proto;
 	unsigned long timeout = 0;
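Review bot: `tuple` and `mask` are declared but never initialised, while their fields are only filled in for the options the user actually passes; whatever is left (the unspecified address, the protocol number and ports in `u`, `dir`) is then handed to the kernel by `create_expect`. Zero both with `memset` next to the existing `orig`/`reply` setup (the `reply.dst.dir = IP_CT_DIR_REPLY` line a few lines down shows where) so that an omitted `--mask-*` yields a 0.0.0.0 mask rather than stack garbage.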
@@ -543,7 +566,7 @@
 	reply.dst.dir = IP_CT_DIR_REPLY;
 	
 	while ((c = getopt_long(argc, argv, 
-		"L::I::D::G::E::A::F::hVs:d:r:q:p:t:u:m:g:e:z", 
+		"L::I::D::G::E::A::F::hVs:d:r:q:p:t:u:m:g:e:z[:]:{:}:", 
 		opts, NULL)) != -1) {
 	switch(c) {
 		case 'L':
@@ -644,6 +667,26 @@
 		case 'z':
 			options |= CT_OPT_ZERO;
 			break;
+		case '[':
+			options |= CT_OPT_TUPLE_SRC;
+			if (optarg)
+				tuple.src.ip = inet_addr(optarg);
+			break;
+		case ']':
+			options |= CT_OPT_TUPLE_DST;
+			if (optarg)
+				tuple.dst.ip = inet_addr(optarg);
+			break;
+		case '{':
+			options |= CT_OPT_MASK_SRC;
+			if (optarg)
+				mask.src.ip = inet_addr(optarg);
+			break;
+		case '}':
+			options |= CT_OPT_MASK_DST;
+			if (optarg)
+				mask.dst.ip = inet_addr(optarg);
+			break;
 		default:
 			if (h && h->parse && !h->parse(c - h->option_offset, 
 						       argv, &orig, &reply,
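Review bot: the four new cases store `inet_addr(optarg)` without checking for `INADDR_NONE`, so a mistyped address silently becomes 255.255.255.255 in the tuple or mask, and since that value is also the legitimate broadcast address `inet_addr` cannot distinguish the two. Use `inet_aton()` and report a parse error through the exit-code-2 path the man page promises for invalid command line parameters.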
@@ -687,7 +730,8 @@
 				res = create_conntrack(&orig, &reply, timeout, 
 						       &proto, status);
 			else
-				not_implemented_yet();
+				res = create_expect(&tuple, &mask, &orig, 
+						    &reply, timeout);
 			break;
 			
 		case CT_DELETE:

Modified: trunk/conntrack/src/libct.c
===================================================================
--- trunk/conntrack/src/libct.c	2005-06-24 02:15:31 UTC (rev 3994)
+++ trunk/conntrack/src/libct.c	2005-06-24 16:28:24 UTC (rev 3995)
@@ -1,5 +1,6 @@
 /*
- * (C) 2005 by Pablo Neira Ayuso <pablo at eurodev.net>
+ * (C) 2005 by Pablo Neira Ayuso <pablo at eurodev.net>,
+ *             Harald Welte <laforge at netfilter.org>
  *
  *      This program is free software; you can redistribute it and/or modify
  *      it under the terms of the GNU General Public License as published by
@@ -233,6 +234,28 @@
 	return 0;
 }
 
+int create_expect(struct ip_conntrack_tuple *tuple,
+		  struct ip_conntrack_tuple *mask,
+		  struct ip_conntrack_tuple *master_tuple_orig,
+		  struct ip_conntrack_tuple *master_tuple_reply,
+		  unsigned long timeout)
+{
+	struct ctnl_handle cth;
+	int ret;
+
+	if ((ret = ctnl_open(&cth, 0)) < 0)
+		return ret;
+
+	if ((ret = ctnl_new_expect(&cth, tuple, mask, master_tuple_orig,
+				   master_tuple_reply, timeout)) < 0)
+		return ret;
+
+	if ((ret = ctnl_close(&cth)) < 0)
+		return ret;
+
+	return -1;
+}
+
 int delete_conntrack(struct ip_conntrack_tuple *tuple,
 		     enum ctattr_type_t t)
 {
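Review bot: `create_expect` returns `-1` after every call has succeeded (the trailing `return -1;`), so the caller sees failure on the success path; this should be `return 0;`. The error path after `ctnl_new_expect` also returns without `ctnl_close(&cth)`, leaking the netlink handle; close it before returning `ret`.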



