[netfilter-cvslog] r4444 - in trunk/conntrack: . extensions include
src
pablo at netfilter.org
pablo at netfilter.org
Thu Nov 3 21:47:19 CET 2005
Author: pablo at netfilter.org
Date: 2005-11-03 21:47:17 +0100 (Thu, 03 Nov 2005)
New Revision: 4444
Modified:
trunk/conntrack/ChangeLog
trunk/conntrack/extensions/libct_proto_icmp.c
trunk/conntrack/extensions/libct_proto_sctp.c
trunk/conntrack/extensions/libct_proto_tcp.c
trunk/conntrack/extensions/libct_proto_udp.c
trunk/conntrack/include/conntrack.h
trunk/conntrack/src/conntrack.c
Log:
See ChangeLog
Modified: trunk/conntrack/ChangeLog
===================================================================
--- trunk/conntrack/ChangeLog 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/ChangeLog 2005-11-03 20:47:17 UTC (rev 4444)
@@ -5,6 +5,13 @@
CAP_NET_ADMIN
<pablo at eurodev.net>
o check if --state missing when -p is passed
+ o command type is passed to final_check: checkings based on the
+ command can be done now.
+ o kill duplicated definition of IPS_* bits: Already present in
+ libnetfilter_conntrack.
+ o Move action and command enum to conntrack.h
+ o kill NIPQUAD macro
+ o make conntrack handler cth static.
o Bumped version to 0.96
2005-11-01
Modified: trunk/conntrack/extensions/libct_proto_icmp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_icmp.c 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/extensions/libct_proto_icmp.c 2005-11-03 20:47:17 UTC (rev 4444)
@@ -87,6 +87,7 @@
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
Modified: trunk/conntrack/extensions/libct_proto_sctp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_sctp.c 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/extensions/libct_proto_sctp.c 2005-11-03 20:47:17 UTC (rev 4444)
@@ -116,6 +116,7 @@
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
@@ -136,10 +137,11 @@
&& ((flags & (REPL_SPORT|REPL_DPORT))))
ret = 1;
- if (ret & (flags & STATE))
- return 1;
+ /* --state is missing and we are trying to create a conntrack */
+ if (ret && (command & CT_CREATE) && (!(flags & STATE)))
+ ret = 0;
- return 0;
+ return ret;
}
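Review bot: The rewritten test `if (ret && (command & CT_CREATE) && (!(flags & STATE)))` changes more than the ChangeLog entry states: the old sctp line `if (ret & (flags & STATE))` used a bitwise `&` between a 0/1 `ret` and the STATE flag bit, so unless STATE happens to be bit 0 it could never be true and sctp's final_check always returned 0, and the new form fixes that silently — the ChangeLog should say so. Requiring `--state` only for CT_CREATE also relaxes the tcp variant, which required it for every command; if CT_UPDATE of a tcp/sctp entry needs a state as well, the mask should be `(CT_CREATE | CT_UPDATE)`, which depends on how the update path treats a missing state and is not visible here. The same four lines now appear verbatim in the second hunk of libct_proto_tcp.c; a small shared helper in conntrack.h (e.g. `static inline int ct_state_required(unsigned int flags, unsigned int command)`) would keep the two in step. final_check's opening lines are outside this hunk.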
static struct ctproto_handler sctp = {
Modified: trunk/conntrack/extensions/libct_proto_tcp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_tcp.c 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/extensions/libct_proto_tcp.c 2005-11-03 20:47:17 UTC (rev 4444)
@@ -139,6 +139,7 @@
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
@@ -159,10 +160,11 @@
&& ((flags & (REPL_SPORT|REPL_DPORT))))
ret = 1;
- if (ret && (flags & STATE))
- return 1;
+ /* --state is missing and we are trying to create a conntrack */
+ if (ret && (command & CT_CREATE) && (!(flags & STATE)))
+ ret = 0;
- return 0;
+ return ret;
}
static struct ctproto_handler tcp = {
Modified: trunk/conntrack/extensions/libct_proto_udp.c
===================================================================
--- trunk/conntrack/extensions/libct_proto_udp.c 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/extensions/libct_proto_udp.c 2005-11-03 20:47:17 UTC (rev 4444)
@@ -103,6 +103,7 @@
}
int final_check(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply)
{
Modified: trunk/conntrack/include/conntrack.h
===================================================================
--- trunk/conntrack/include/conntrack.h 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/include/conntrack.h 2005-11-03 20:47:17 UTC (rev 4444)
@@ -8,13 +8,113 @@
#define PROGNAME "conntrack"
#define CONNTRACK_VERSION "0.96"
-/* FIXME: These should be independent from kernel space */
-#define IPS_ASSURED (1 << 2)
-#define IPS_SEEN_REPLY (1 << 1)
-#define IPS_SRC_NAT_DONE (1 << 7)
-#define IPS_DST_NAT_DONE (1 << 8)
-#define IPS_CONFIRMED (1 << 3)
+enum action {
+ CT_NONE = 0,
+
+ CT_LIST_BIT = 0,
+ CT_LIST = (1 << CT_LIST_BIT),
+
+ CT_CREATE_BIT = 1,
+ CT_CREATE = (1 << CT_CREATE_BIT),
+ CT_UPDATE_BIT = 2,
+ CT_UPDATE = (1 << CT_UPDATE_BIT),
+
+ CT_DELETE_BIT = 3,
+ CT_DELETE = (1 << CT_DELETE_BIT),
+
+ CT_GET_BIT = 4,
+ CT_GET = (1 << CT_GET_BIT),
+
+ CT_FLUSH_BIT = 5,
+ CT_FLUSH = (1 << CT_FLUSH_BIT),
+
+ CT_EVENT_BIT = 6,
+ CT_EVENT = (1 << CT_EVENT_BIT),
+
+ CT_VERSION_BIT = 7,
+ CT_VERSION = (1 << CT_VERSION_BIT),
+
+ CT_HELP_BIT = 8,
+ CT_HELP = (1 << CT_HELP_BIT),
+
+ EXP_LIST_BIT = 9,
+ EXP_LIST = (1 << EXP_LIST_BIT),
+
+ EXP_CREATE_BIT = 10,
+ EXP_CREATE = (1 << EXP_CREATE_BIT),
+
+ EXP_DELETE_BIT = 11,
+ EXP_DELETE = (1 << EXP_DELETE_BIT),
+
+ EXP_GET_BIT = 12,
+ EXP_GET = (1 << EXP_GET_BIT),
+
+ EXP_FLUSH_BIT = 13,
+ EXP_FLUSH = (1 << EXP_FLUSH_BIT),
+
+ EXP_EVENT_BIT = 14,
+ EXP_EVENT = (1 << EXP_EVENT_BIT),
+};
+#define NUMBER_OF_CMD 15
+
+enum options {
+ CT_OPT_ORIG_SRC_BIT = 0,
+ CT_OPT_ORIG_SRC = (1 << CT_OPT_ORIG_SRC_BIT),
+
+ CT_OPT_ORIG_DST_BIT = 1,
+ CT_OPT_ORIG_DST = (1 << CT_OPT_ORIG_DST_BIT),
+
+ CT_OPT_ORIG = (CT_OPT_ORIG_SRC | CT_OPT_ORIG_DST),
+
+ CT_OPT_REPL_SRC_BIT = 2,
+ CT_OPT_REPL_SRC = (1 << CT_OPT_REPL_SRC_BIT),
+
+ CT_OPT_REPL_DST_BIT = 3,
+ CT_OPT_REPL_DST = (1 << CT_OPT_REPL_DST_BIT),
+
+ CT_OPT_REPL = (CT_OPT_REPL_SRC | CT_OPT_REPL_DST),
+
+ CT_OPT_PROTO_BIT = 4,
+ CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT),
+
+ CT_OPT_TIMEOUT_BIT = 5,
+ CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
+
+ CT_OPT_STATUS_BIT = 6,
+ CT_OPT_STATUS = (1 << CT_OPT_STATUS_BIT),
+
+ CT_OPT_ZERO_BIT = 7,
+ CT_OPT_ZERO = (1 << CT_OPT_ZERO_BIT),
+
+ CT_OPT_EVENT_MASK_BIT = 8,
+ CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT),
+
+ CT_OPT_EXP_SRC_BIT = 9,
+ CT_OPT_EXP_SRC = (1 << CT_OPT_EXP_SRC_BIT),
+
+ CT_OPT_EXP_DST_BIT = 10,
+ CT_OPT_EXP_DST = (1 << CT_OPT_EXP_DST_BIT),
+
+ CT_OPT_MASK_SRC_BIT = 11,
+ CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT),
+
+ CT_OPT_MASK_DST_BIT = 12,
+ CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT),
+
+ CT_OPT_NATRANGE_BIT = 13,
+ CT_OPT_NATRANGE = (1 << CT_OPT_NATRANGE_BIT),
+
+ CT_OPT_MARK_BIT = 14,
+ CT_OPT_MARK = (1 << CT_OPT_MARK_BIT),
+
+ CT_OPT_ID_BIT = 15,
+ CT_OPT_ID = (1 << CT_OPT_ID_BIT),
+
+ CT_OPT_MAX = CT_OPT_ID
+};
+#define NUMBER_OF_OPT CT_OPT_MAX
+
struct ctproto_handler {
struct list_head head;
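Review bot: `#define NUMBER_OF_OPT CT_OPT_MAX`, now exported from this header, evaluates to CT_OPT_ID, i.e. `1 << 15`, not 16, so `optflags[NUMBER_OF_OPT]` in src/conntrack.c is a 32768-byte table holding 16 initialisers, whereas the sibling `NUMBER_OF_CMD 15` is a plain count. Unless some code indexes optflags by the flag value rather than by its bit number (nothing in this commit does), `#define NUMBER_OF_OPT (CT_OPT_ID_BIT + 1)` is the intended size and mirrors how NUMBER_OF_CMD is defined. Since final_check now receives `command` as a plain `unsigned int`, a one-line comment above each enum stating that `command` and `flags` are bitmasks built from these values, and that the `_BIT` members index the cmdflags/optflags tables, would make the header self-describing.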
@@ -32,6 +132,7 @@
unsigned int *flags);
int (*final_check)(unsigned int flags,
+ unsigned int command,
struct nfct_tuple *orig,
struct nfct_tuple *reply);
@@ -44,10 +145,4 @@
extern void register_proto(struct ctproto_handler *h);
-#define NIPQUAD(addr) \
- ((unsigned char *)&addr)[0], \
- ((unsigned char *)&addr)[1], \
- ((unsigned char *)&addr)[2], \
- ((unsigned char *)&addr)[3]
-
#endif
Modified: trunk/conntrack/src/conntrack.c
===================================================================
--- trunk/conntrack/src/conntrack.c 2005-11-03 19:57:50 UTC (rev 4443)
+++ trunk/conntrack/src/conntrack.c 2005-11-03 20:47:17 UTC (rev 4444)
@@ -52,119 +52,12 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
-enum action {
- CT_NONE = 0,
-
- CT_LIST_BIT = 0,
- CT_LIST = (1 << CT_LIST_BIT),
-
- CT_CREATE_BIT = 1,
- CT_CREATE = (1 << CT_CREATE_BIT),
-
- CT_UPDATE_BIT = 2,
- CT_UPDATE = (1 << CT_UPDATE_BIT),
-
- CT_DELETE_BIT = 3,
- CT_DELETE = (1 << CT_DELETE_BIT),
-
- CT_GET_BIT = 4,
- CT_GET = (1 << CT_GET_BIT),
-
- CT_FLUSH_BIT = 5,
- CT_FLUSH = (1 << CT_FLUSH_BIT),
-
- CT_EVENT_BIT = 6,
- CT_EVENT = (1 << CT_EVENT_BIT),
-
- CT_VERSION_BIT = 7,
- CT_VERSION = (1 << CT_VERSION_BIT),
-
- CT_HELP_BIT = 8,
- CT_HELP = (1 << CT_HELP_BIT),
-
- EXP_LIST_BIT = 9,
- EXP_LIST = (1 << EXP_LIST_BIT),
-
- EXP_CREATE_BIT = 10,
- EXP_CREATE = (1 << EXP_CREATE_BIT),
-
- EXP_DELETE_BIT = 11,
- EXP_DELETE = (1 << EXP_DELETE_BIT),
-
- EXP_GET_BIT = 12,
- EXP_GET = (1 << EXP_GET_BIT),
-
- EXP_FLUSH_BIT = 13,
- EXP_FLUSH = (1 << EXP_FLUSH_BIT),
-
- EXP_EVENT_BIT = 14,
- EXP_EVENT = (1 << EXP_EVENT_BIT),
-};
-#define NUMBER_OF_CMD 15
-
static const char cmdflags[NUMBER_OF_CMD]
= {'L','I','U','D','G','F','E','V','h','L','I','D','G','F','E'};
static const char cmd_need_param[NUMBER_OF_CMD]
= {' ','x','x','x','x',' ',' ',' ',' ',' ','x','x','x',' ',' '};
-enum options {
- CT_OPT_ORIG_SRC_BIT = 0,
- CT_OPT_ORIG_SRC = (1 << CT_OPT_ORIG_SRC_BIT),
-
- CT_OPT_ORIG_DST_BIT = 1,
- CT_OPT_ORIG_DST = (1 << CT_OPT_ORIG_DST_BIT),
-
- CT_OPT_ORIG = (CT_OPT_ORIG_SRC | CT_OPT_ORIG_DST),
-
- CT_OPT_REPL_SRC_BIT = 2,
- CT_OPT_REPL_SRC = (1 << CT_OPT_REPL_SRC_BIT),
-
- CT_OPT_REPL_DST_BIT = 3,
- CT_OPT_REPL_DST = (1 << CT_OPT_REPL_DST_BIT),
-
- CT_OPT_REPL = (CT_OPT_REPL_SRC | CT_OPT_REPL_DST),
-
- CT_OPT_PROTO_BIT = 4,
- CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT),
-
- CT_OPT_TIMEOUT_BIT = 5,
- CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
-
- CT_OPT_STATUS_BIT = 6,
- CT_OPT_STATUS = (1 << CT_OPT_STATUS_BIT),
-
- CT_OPT_ZERO_BIT = 7,
- CT_OPT_ZERO = (1 << CT_OPT_ZERO_BIT),
-
- CT_OPT_EVENT_MASK_BIT = 8,
- CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT),
-
- CT_OPT_EXP_SRC_BIT = 9,
- CT_OPT_EXP_SRC = (1 << CT_OPT_EXP_SRC_BIT),
-
- CT_OPT_EXP_DST_BIT = 10,
- CT_OPT_EXP_DST = (1 << CT_OPT_EXP_DST_BIT),
-
- CT_OPT_MASK_SRC_BIT = 11,
- CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT),
-
- CT_OPT_MASK_DST_BIT = 12,
- CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT),
-
- CT_OPT_NATRANGE_BIT = 13,
- CT_OPT_NATRANGE = (1 << CT_OPT_NATRANGE_BIT),
-
- CT_OPT_MARK_BIT = 14,
- CT_OPT_MARK = (1 << CT_OPT_MARK_BIT),
-
- CT_OPT_ID_BIT = 15,
- CT_OPT_ID = (1 << CT_OPT_ID_BIT),
-
- CT_OPT_MAX = CT_OPT_ID
-};
-#define NUMBER_OF_OPT CT_OPT_MAX
-
static const char optflags[NUMBER_OF_OPT]
= {'s','d','r','q','p','t','u','z','e','[',']','{','}','a','m','i'};
@@ -199,7 +92,7 @@
#define OPTION_OFFSET 256
-struct nfct_handle *cth;
+static struct nfct_handle *cth;
static struct option *opts = original_opts;
static unsigned int global_option_offset = 0;
@@ -895,7 +788,7 @@
if (!(command & CT_HELP)
&& h && h->final_check
- && !h->final_check(extra_flags, &orig, &reply)) {
+ && !h->final_check(extra_flags, command, &orig, &reply)) {
usage(argv[0]);
extension_help(h);
exit_error(PARAMETER_PROBLEM, "Missing protocol arguments!\n");
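Review bot: With `command` now passed to `h->final_check(extra_flags, command, &orig, &reply)`, a zero return covers two distinct causes — an incomplete port tuple and, for CT_CREATE on tcp/sctp, a missing `--state` — yet the caller still reports `"Missing protocol arguments!\n"` for both. Either let the extension print its own diagnostic before returning 0, or widen the wording, e.g. `exit_error(PARAMETER_PROBLEM, "Missing or incomplete protocol arguments (--state is required to create)!\n");`. The enclosing function starts before this hunk.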