[netfilter-cvslog] r6793 - in trunk/conntrack-tools: . cli
cli/include cli/src daemon include src
pablo at netfilter.org
pablo at netfilter.org
Mon Apr 16 21:08:42 CEST 2007
Author: pablo at netfilter.org
Date: 2007-04-16 21:08:42 +0200 (Mon, 16 Apr 2007)
New Revision: 6793
Added:
trunk/conntrack-tools/AUTHORS
trunk/conntrack-tools/CHANGELOG
trunk/conntrack-tools/CONTRIBUTORS
trunk/conntrack-tools/ChangeLog
trunk/conntrack-tools/INSTALL
trunk/conntrack-tools/Make_global.am
trunk/conntrack-tools/Makefile.am
trunk/conntrack-tools/TODO
trunk/conntrack-tools/autogen.sh
trunk/conntrack-tools/configure.in
trunk/conntrack-tools/conntrack.8
trunk/conntrack-tools/examples/
trunk/conntrack-tools/extensions/
trunk/conntrack-tools/include/
trunk/conntrack-tools/include/conntrack.h
trunk/conntrack-tools/src/
trunk/conntrack-tools/src/conntrack.c
trunk/conntrack-tools/test.sh
Removed:
trunk/conntrack-tools/cli/ChangeLog
trunk/conntrack-tools/cli/conntrack.8
trunk/conntrack-tools/cli/extensions/
trunk/conntrack-tools/cli/include/conntrack.h
trunk/conntrack-tools/cli/src/conntrack.c
trunk/conntrack-tools/cli/test.sh
trunk/conntrack-tools/daemon/AUTHORS
trunk/conntrack-tools/daemon/CHANGELOG
trunk/conntrack-tools/daemon/CONTRIBUTORS
trunk/conntrack-tools/daemon/INSTALL
trunk/conntrack-tools/daemon/Make_global.am
trunk/conntrack-tools/daemon/Makefile.am
trunk/conntrack-tools/daemon/TODO
trunk/conntrack-tools/daemon/autogen.sh
trunk/conntrack-tools/daemon/configure.in
trunk/conntrack-tools/daemon/examples/
trunk/conntrack-tools/daemon/include/
trunk/conntrack-tools/daemon/src/
Modified:
trunk/conntrack-tools/src/Makefile.am
Log:
first step toward merging conntrackd and conntrack into the same build chain
Copied: trunk/conntrack-tools/AUTHORS (from rev 6792, trunk/conntrack-tools/daemon/AUTHORS)
===================================================================
--- trunk/conntrack-tools/AUTHORS (rev 0)
+++ trunk/conntrack-tools/AUTHORS 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1 @@
+Pablo Neira Ayuso <pablo at netfilter.org>
Copied: trunk/conntrack-tools/CHANGELOG (from rev 6792, trunk/conntrack-tools/daemon/CHANGELOG)
===================================================================
--- trunk/conntrack-tools/CHANGELOG (rev 0)
+++ trunk/conntrack-tools/CHANGELOG 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,184 @@
+version 0.9.3 (yet unreleased)
+------------------------------
+o fix commit of confirmed expectations (reported by Nishit Shah)
+o fix double increment of counters in cache_update_force() (Niko Tyni)
+o nl_dump_handler must return NFCT_CB_CONTINUE (Niko Tyni)
+o initialize buffer in nl_event_handler() and nl_dump_handler() (Niko Tyni)
+o CacheCommit value can be set via conntrackd.conf for the NACK approach
+o fix leaks in the hashtable/cache flush path (Niko Tyni)
+o fix leak if a connection already exists in the cache (Niko Tyni)
+o introduce a new header that encapsulates netlink messages
+o remove all '_entry' tail from all functions in cache.c
+o split cache.c: move cache iterators to file cache_iterators.c
+o fix inconsistencies in the cache API related to counters
+o cleanup 'usage' message
+o fix typo in examples/sync/nack/node1/conntrackd.conf
+o introduce message checksumming as described in RFC1071 (enabled by default)
+o major cleanups in the synchronization code
+o just warn once that the maximum netlink socket buffer has been reached
+o fix ignore conntrack entries by IP and introduce ignore pool abstraction layer
+o introduce netlink socket buffer overrun handler
+o constification of hash, compare and hashtable_test functions in hash.c
+o introduce ACKnowledgement mechanisms to reduce the size of the resend queue
+o remove OK messages at startup since provide useless data
+o fix compilation warning in mcast.c: recvfrom takes socklen_t not size_t
+o add a lock per buffer: makes buffer code thread safe
+o introduce 'Replicate' clause to explicitely set states to be replicated
+o kill cache feature abuse: introduce nicer cache hooks for sync algorithms
+o fix oversized buffer allocated in the stack in the cache functions
+o add support to dump internal/external cache in XML format '-x'
+
+version 0.9.2 (2006/01/17)
+--------------------------
+o remove spamming packet lost messages
+o generalize network netlink sequence tracking
+o fix bogus error message on resync `-R'
+o fix endianess issues in the network netlink message
+o introduce generic netlink multicast primitives to send and receive
+o fix bogus replayed multicast message due to sequence numbering wraparound
+o introduce counter for malformed netlink messages received
+o introduce a new syntax for the `Sync' section in the configuration file
+o several cleanups and remove unused variables
+o add autostuff to include examples in the tarball (reported by Victor Lozano)
+o use the new API available in libnetfilter_conntrack-0.0.50
+o implement a NACK based protocol for replication
+
+version 0.9.1 (2006/11/06)
+--------------------------
+o conntrackd requires kernel >= 2.6.18
+o remove bogus TIMERS_MODE constant
+o implement bulk mode '-B': first works to address the preemption issue
+o fix minor reduction conflicts in the configfile grammar
+o check for CAP_NET_ADMIN instead of requiring root privileges
+o check that linux/capability.h exists
+o fix formatting at dump statistics '-s'
+o move dump traffic stats before multicast traffic stats
+o move event and dump handler to a generic infrastructure: kill events.c file
+o kill unused function inc_ct_stats
+o kill file resync.h
+o cleanup broadcast_sync: renamed to mcast_send_sync
+o sed 's/perror/debug/g' local.c
+o fix bogus increment of update_fail stats at dump stage
+o display descriptive error if we can't connect to conntrackd via UNIX socket
+o remove debugging message from alarm.c
+o move dump_mcast_stats to mcast.c where it really belongs
+o rename stats.c to traffic_stats.c
+o check for replayed/lost multicast message: simple seq tracking w/o recovery
+o reissue nfnl_catch on ENOENT error: a message for other subsystem
+o remove test/ directory in tree
+o improve cache commit stats
+o kill last_commit and last_flush from cache statistics: use the logfile
+o recover cache naming for dump stats `-s'
+o display multicast sequence tracking statistics: packets lost and replayed
+o zero ct_sync_state and ct_stats_state structures after allocation
+o improve keepalived scripts:
+ - resync with conntrack table on transition to master
+ - send bulk on transition to backup
+o implement alarm cascade of ten levels
+o implement timer cache flavour: limited life of entries in the external cache
+o implement a global lock that protects operation with conntrack entries
+o remove debug checking in cache_del_entry
+o set a reduced timeout for committed entries: 180 seconds by default
+o update comments on the sync-mode code
+o introduce delay destroy messages facility
+o increase timer for external states from 60 to 180 seconds
+o remove unused replicate/dont_replicated constants
+o fix cache entry clashing issue (reported by Maik Hentsche)
+o fix bogus increment of error stats in the external cache
+o remove pollution generated by `[REQ] cache dump' message from logfile
+
+version 0.9.0 (2006/09/17)
+--------------------------
+o implement initial for IPv6 (untested)
+o implement generic extensible cache: kill the internal and external caches
+o implement persistence cache feature
+o implement lifetime cache feature
+o modify UNIX facilities identification numbers:
+ separate master conntrack facilities and internal plugin facilities
+o break backward compatibility of configuration file:
+ remove IgnoreLoopback, use IgnoreTrafficFor instead
+ remove IgnoreMulticastTraffic, use IgnoreTrafficFor instead
+o merge event/event_subsys and sync/sync_subsys initialization to run.c
+o improve control of the iteration process in the hashtables
+o fix wrong locking in the alarm thread
+o supersede AcceptNAT by StripNAT clause
+o replace ignore traffic array by a hashtable
+o move lockfile checking before daemonization
+o on initialization error give a descriptive error
+o introduce netlink socket size grown limitator
+o introduce force resync with master conntrack table facility '-R'
+o ignore SIGPIPE signal
+o kill post_step since it is not used anymore
+
+version 0.8.3 (2006/09/03)
+--------------------------
+Author: Maik Hentsche <maik mm-double net>
+
+o Fix typo in conntrackd -h
+o Disable debugging messages by default
+o No signals while signals handlings
+o Add extra checkings at forking
+o Check maximum size for file passed via -C
+
+Author: Pablo Neira Ayuso <pablo netfilter org>
+
+o retry select() if EINTR is returned (Reported by Maik Hentsche)
+o Fix bug in slist_for_each_entry (Reported by Maik Hetsche)
+o Signal handler registration done after intialization
+o Implement alarm thread (based on Maik Hentsche's patch)
+o Fix segfault on conntrackd -k (Reported by Maik Hentsche)
+o Fix bug on alarm removal (Reported by Maik Hentsche)
+o configure stops if bison, flex or yacc are not installed
+
+version 0.8.2 (2006/07/05)
+--------------------------
+o RelaxTransitions clause introduced in Sync mode
+o multicast messages sequence tracking
+o SocketBufferSize clause to set up the netlink socket buffer
+o use new libnfnetlink API to solve limitations of nfnl_listen
+o extra sanity checkings for netlink multicast messages
+o improve statistics
+o tons of cleanups 8)
+
+version 0.8.1 (2006/06/13)
+--------------------------
+o -f now just flushes the internal and external caches
+o -F flushes the master conntrack table
+o fix segfault under heavy load and signal received
+o added -S mode for statistics: still needs more thinking
+
+version 0.8.0 (2006/06/11)
+--------------------------
+o more work to generalize the daemon: now it's ready to implement
+modular support for adaptive timers and conntrack statistics, time
+to implement them ;). This is *still* a work in progress.
+
+version 0.7.2 (2006/06/05)
+--------------------------
+o stupid bug in normal and alarm caches initialization: flush unset
+o fix racy signal handling
+
+version 0.7.1 (2006/06/05)
+--------------------------
+o Bugfix for multicast sockets communication
+
+version 0.7 (2006/06/01)
+------------------------
+o Major code re-structuration: internal and external cache abstraction
+o sequence tracking for event messages
+o expect more changes, I still dislike some stuff in its current status ;)
+
+version 0.6 (2006/05/31)
+------------------------
+o Lock file support
+o use new API nfct_conntrack_event_raw
+o major code clean ups
+
+version 0.5 (2006/05/30)
+-------------------------
+o Fix multicast server binds to wrong interface
+o Include clause `IgnoreProtocol', deprecates IgnoreUDP and IgnoreICMP
+
+version 0.4 (2006/05/29)
+------------------------
+o Initial release
Copied: trunk/conntrack-tools/CONTRIBUTORS (from rev 6792, trunk/conntrack-tools/daemon/CONTRIBUTORS)
===================================================================
--- trunk/conntrack-tools/CONTRIBUTORS (rev 0)
+++ trunk/conntrack-tools/CONTRIBUTORS 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,3 @@
+Maik Hentsche <netfilter at mm-double.de>:
+ - Feedback & Brainstorming
+ - Bug hunting
Copied: trunk/conntrack-tools/ChangeLog (from rev 6792, trunk/conntrack-tools/cli/ChangeLog)
===================================================================
--- trunk/conntrack-tools/ChangeLog (rev 0)
+++ trunk/conntrack-tools/ChangeLog 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,243 @@
+2006-03-20
+<hidden at sch.bme.hu>
+ o fix ICMP protocol extension parse callback
+
+2006-01-15
+<pablo at netfilter.org>
+ o Added missing parameters to set the ports of an expectation tuple
+ o Add support to filter dumped entries.
+ ie: conntrack -L -p tcp --orig-port-dst 993
+ display all the connections to IMAPS servers
+ conntrack -L -m 2
+ display all the connection marked with 2
+ o Bumped version to 1.00beta2
+
+2005-12-26
+<pablo at netfilter.org>
+ o add IPv6 support: main change
+ o removed dead code: iptables_insmod and get_modprobe
+ o compact the commands vs. options table
+ o move working vars from the stack to the BSS section
+ o update manpage
+ o Bumped version to 1.0beta1
+<yasuyuki.kozakai at toshiba.co.jp>
+ o check address family mismatch
+ o fix incomplete copying IPv6 addresses
+
+2005-12-19
+<pablo at netfilter.org>
+ o We only support ipv4 at the moment: set l3protonum to AF_INET
+ o Minor changes to prepare upcoming ipv6 support
+
+2005-12-03
+<pablo at netfilter.org>
+ o Add support to filter events. ie: -p tcp --orig-port-dst 80 in
+ conjuction with -E to get all the requests to HTTP servers
+ o Update manpage
+ o Missing static function declaration in the protocol handlers
+ o Use protocol flags defined in libnetfilter_conntrack
+ o Bumped version to 0.991
+
+2005-11-22
+<marcus at ingate.com>
+ o Fix oversized number of options
+
+2005-11-11
+<laforge at netfilter.org>
+ o don't check for kernel header path in configure, since we don't use
+ kernel headers
+ o don't check for libnfnetlink, we don't use it directly
+ o move plugins into pkglibdir
+ o remove 'lib' prefix of plugins, they're not really libraries
+ o remove version information from plugin filenames
+ o Bumped version to 0.99
+2005-11-09
+<pablo at netfilter.org>
+ o set status to zero, libnetfilter_conntrack now activate
+ IPS_CONFIRMED since all conntrack in hash must be confirmed.
+ o Bumped version to 0.98
+
+2005-11-08
+<olenf at ans.pl>
+ o Fix warnings generated by gcc -Wall
+ o Fix conntrack exit value at error
+ o Replace obsolete inet_addr by inet_aton
+
+2005-11-05
+<olenf at ans.pl>
+ o Improved conntrack -h output
+ o add htons for icmp id.
+<pablo at eurodev.net>
+ o -t and -u are optional at update.
+ o Fixed versioning :(
+ o Bumped version to 0.97
+
+2005-11-03
+<laforge at netfilter.org>
+ o Use extra 'data' argument of nfct_register_callback() function that
+ I've introduced in libetfilter_conntrack.
+<olenf at ans.pl>
+ o moves conntrack tool from bin to sbin directory since this
+ application is an administration utility and it requires uid==0 or
+ CAP_NET_ADMIN
+<pablo at eurodev.net>
+ o check if --state missing when -p is passed
+ o command type is passed to final_check: checkings based on the
+ command can be done now.
+ o kill duplicated definition of IPS_* bits: Already present in
+ libnetfilter_conntrack.
+ o Move action and command enum to conntrack.h
+ o kill NIPQUAD macro
+ o make conntrack handler cth static.
+ o Bumped version to 0.96
+
+2005-11-01
+<pablo at eurodev.net>
+ o Fix error message describing illegal option -E -i
+ o -D -i ID requires tuple information: Display an error message
+ o Use NFCT_ALL_CT_GROUPS flag instead of NFCT_ALL_GROUPS
+ o Event mask doesn't make sense for expectations, kill dead code
+ o Bumped version to 0.95
+<olenf at ans.pl>
+ o Fix wrong formating in conntrack -h
+
+2005-10-30
+<pablo at eurodev.net>
+ Special thanks to Deti Fiegl from the Leibniz Supercomputing Centre in
+ Munich, Germany for providing the "fast" hardware to reproduce
+ spurious bugs ;)
+
+ o Replace misleading message "Not enough memory" by "Can't open handler"
+ o New option -i for expectation dumping: conntrack -L expect [-i]
+ o sed 's/VERSION/CONNTRACK_VERSION/g'
+ o Fix nfct_open flags, now uses NFCT_ALL_GROUPS when needed
+ o Bumped version to 0.94
+
+2005-10-28
+<pablo at eurodev.net>
+ o New option -i for dumping: conntrack -L [-i]
+ o Fixed warning in findproto due to a stupid wrong type definition
+ o sed 's/nfct_set_callback/nfct_register_callback/g'
+ o killed the 'retry' logic, *sigh* it is broken in some cases
+ o killed broken and unneeded protocol handler destructors (fini)
+ o killed unregister_proto
+ o Fixed code indentation in the command selector
+ o Bumped version to 0.93
+
+2005-10-27
+<pablo at eurodev.net>
+ o Use conntrack VERSION instead of the old LIBCT_VERSION
+ o proto_list and lib_dir are now static
+ o kill dead code: function dump_tuple
+ o Bumped version to 0.92
+
+2005-10-25
+<eleblond at inl.fr>
+ o Add missing autogen.sh file
+
+2005-10-24
+<pablo at eurodev.net>
+ o use NFCT_ANY_GROUP flag in nfct_open()
+
+2005-10-21
+<pablo at eurodev.net>
+ o Bumped version to 0.90
+ o Add support for id and marks
+
+2005-10-20
+<pablo at eurodev.net>
+ o Kill some more files that generated by the autocrap
+ o Resync with the lastest libnetfilter_conntrack API changes
+
+2005-10-16
+<pablo at netfilter.org>
+ o Rename libct_proto.h to conntrack.h
+ o Remove config.h.in from svn, it's autogenerated by the autocrap :)
+ o Remove dead functions in the SCTP protocol helper
+
+2005-10-14
+<pablo at netfilter.org>
+ o Kill config.h.in, it's generated by the autocrap
+ o The conntrack tool now uses libnetfilter_conntrack :)
+ o libct.c has been killed, now it's in libnetfilter_conntrack
+ o Check if you're root or CAP_NET_ADMIN
+ o Bumped version number to 0.86
+
+2005-10-07
+<chentschel at iplan.com.ar>
+ o Fixed ICMP options
+<pablo at netfilter.org>
+ o Multiple fixes for the ICMP protocol handler
+ o Fix ICMP output: wrong output. type and code were set to zero.
+
+2005-10-05
+<pablo at netfilter.org>
+ o Fix up counters
+ o Fix up compilation (IPS_* stuff missing), still need a proper fix
+ o Bumped version number to 0.82
+
+2005-09-24
+<laforge at netfilter.org>
+ o Get rid of C++ style comments
+ o Remove remaining bits of "-A --action", group-mask and dump-mask
+ o Clean up #include's
+ o Fix double-free when exiting via signal handler (Ctrl+C)
+ o Add "version" member to plugins
+ o Fix some Endianness issues when printing CTA_STATUS
+
+2005-08-31
+<pablo at netfilter.org>
+ o Fix packet and bytes counters (use __be64_to_cpu)
+ o Fix ip_conntrack_netlink load-on-demand
+
+2005-07-12
+<pablo at eurodev.net>
+ o Use conntrack netlink attributes: Major change
+ o Kill action setting: Mask based dumping
+ o Fix ChangeLog
+
+2005-05-23
+<laforge at netfilter.org>
+ o Fixed syntax error (tab/space issue) in help message
+ o Fixed getopt handling on big endian machines
+ o Fixed possible future read-over-end-of-array in TCP extension
+ o Add manpage
+ o Add missing space at output of libct_proto_icmp.c
+ o Add status bits that were introduced in 2.6.11
+ o Add SCTP extension
+ o Add support for expect creation
+ o Bump version number to 0.63
+
+2005-05-17
+<pablo at eurodev.net>
+ o Added descriptive error messages.
+ o Fix wrong flags check in [tcp|udp] proto helpers.
+
+2005-05-16
+<pablo at eurodev.net>
+ o Implemented ICMP proto helper
+ o Added help() and final_check() functions for proto helpers.
+
+2005-05-01
+<pablo at eurodev.net>
+ o Created changelog file
+ o Deleted libctnetlink.h and libnfnetlink.h from the include/ dir.
+ o Added support for version (-V) and help (-h)
+ o Added event mask based support
+ o Added GPLv2 headers
+ o Use fprintf instead of printf
+ o Defined print_tuple and print_proto output interfaces
+ o ctnl_[get|del]_conntrack handles return value from kernel via msgerr
+ o Added support for conntrack table flushing
+ o Added test case file (test.sh)
+ o Improve dump output
+
+<azez at ufomechanic.net>
+ o Autoconf stuff for conntrack + some pablo's modifications.
+ o Fixed packet counters formatting (use %llu instead of %lu)
+
+2005-04-25
+<pablo at eurodev.net>
+ o Added support for mask based event dumping
+ o Added support for mask based event notification
+ o On-demand autoload of ip_conntrack_netlink
Copied: trunk/conntrack-tools/INSTALL (from rev 6792, trunk/conntrack-tools/daemon/INSTALL)
===================================================================
--- trunk/conntrack-tools/INSTALL (rev 0)
+++ trunk/conntrack-tools/INSTALL 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,199 @@
+Copyright (C) 2006-2007 Pablo Neira Ayuso <pablo netfilter org>
+
+1.Basic Installation
+====================
+
+ To compile and install 'conntrackd' just follow the classical steps:
+
+ $ ./configure
+ $ make
+ # make install
+ # mkdir /etc/conntrackd/
+
+2.1. Synchronization Mode
+=========================
+
+ Conntrackd can replicate the status of the connections that are currently
+ being processed by your stateful firewall based on Linux. This section
+ describes how to setup the daemon in synchronization mode:
+
+2.1.1. Requirements
+
+ You have to install the following software in order to get conntrackd working,
+ make sure that you have installed them correctly before going forward:
+
+ o linux kernel version >= 2.6.18 (http://www.kernel.org) with support for:
+ - connection tracking system (quite obvious ;)
+ - nfnetlink
+ - ctnetlink (ip_conntrack_netlink)
+ - connection tracking event notification API
+
+ o libnfnetlink: the netfilter netlink library
+
+ Since conntrackd version 0.9.2 you can used the official release availble at
+ http://www.netfilter.org/projects/libnfnetlink/files/
+
+ Up to conntrackd version 0.9.1 use the unofficial release available at the
+ download section
+
+ o libnetfilter_conntrack: the netfilter conntrack library
+
+ Since conntrackd version 0.9.2 you can used the official release availble at
+ http://www.netfilter.org/projects/libnetfilter_conntrack/files/
+
+ Up to conntrackd version 0.9.1 use the unnoficial release available at the
+ download section
+
+ o Keepalived version 1.x (http://www.keepalived.org)
+ check if your distribution comes with a recent version
+
+2.1.2. Configuration
+
+ 1) Setting up keepalived
+
+ There is an example file available inside the conntrackd tarball:
+
+ For node 1: conntrackd-x.x.x/examples/sync/node1/keepalived.conf
+ For node 2: conntrackd-x.x.x/examples/sync/node2/keepalived.conf
+
+ These files can be used to set up a simple VRRP cluster composed of
+ two machines that hold the virtual IPs 192.168.0.100 on eth0 and
+ 192.168.1.100 on eth1.
+
+ If you are not familiar with keepalived, please read the official
+ docs available at http://www.keepalived.org
+
+ Please, make sure that keepalived is correctly working before passing
+ to step 2)
+
+ 2) Setting up conntrackd
+
+ To setup 'conntrackd' in synchronization mode, you have to put the
+ configuration file in the directory /etc/conntrackd.
+
+ On node 1:
+ # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf
+
+ On node 2:
+ # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf
+
+ Where _type_ is the synchronization type selected, currently there are
+ two: the persistent mode and the NACK mode. The persistent mode consumes
+ more resources than the NACK mode, however the NACK mode is still
+ experimental
+
+ Do not forget to edit the files in order to adapt them to the
+ setting that you are deploying.
+
+ Note: If you don't want to put the config file under /etc/conntrackd,
+ just tell conntrackd where to find it passing the option -C
+
+ 3) Running conntrackd
+
+ Conntrackd can run in console mode, in that case just type 'conntrackd',
+ otherwise, if you want to run it in daemon mode the type 'conntrackd -d'.
+
+ 4) Checking that conntrackd is working fine
+
+ Conntrackd comes with several facilities to check its status:
+
+ - Dump the cache of connections that are currently being processed by
+ this node (aka. internal cache):
+
+ # conntrackd -i
+
+ - Dump the cache of connections that has been transfered from
+ others active nodes in the network (aka. external cache)
+
+ # conntrackd -e
+
+ - Dump statistics collected by the replication daemon:
+
+ # conntrackd -s
+
+ 5) Setting up interaction with keepalived
+
+ If keepalived detects the failure of the active node, then it designates
+ a candidate node that will replace the failing active. On such event,
+ the external cache, eg. the cache that contains the connections processed
+ by other nodes, must be commited. To commit the external cache, just type:
+
+ # conntrackd -c
+
+ See that keepalived provides a shell script interface to interact with
+ other programs, so we can automate the process of commiting the external
+ cache by introducing the following line in the keepalived file:
+
+ notify_master /etc/conntrackd/script_master.sh
+
+ The script 'script_master.sh' just the following:
+
+ #!/bin/sh
+ /usr/sbin/conntrackd -c
+
+ Therefore, on failure event, the candidate node takes over the virtual
+ IPs and the connections that the failing active was processing. Observe
+ that this file differs for the NACK mode.
+
+ 6) Disable TCP window tracking
+
+ Until the appropiate patches don't go into kernel mainline, you will have
+ to disable TCP window tracking, consider this as a temporary solution:
+
+ # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+
+2.2. Statistics mode
+====================
+
+ Conntrackd can also run as statistics daemon, if you are not interested in
+ this mode, just skip it. It is not required in order to get the
+ synchronization mode working. This section details how to setup the daemon
+ in statistics mode:
+
+2.2.1. Requirements
+
+ You have to install the following software in order to get conntrackd working,
+ make sure that you have them installed correctly before going forward:
+
+ o linux kernel version >= 2.6.18 (http://www.kernel.org) with support for:
+ - connection tracking system
+ - nfnetlink
+ - ctnetlink (ip_conntrack_netlink)
+ - connection tracking event notification API
+
+ o libnfnetlink: the netfilter netlink library
+
+ Since conntrackd version 0.9.2 you can used the official release availble at
+ http://www.netfilter.org/projects/libnfnetlink/files/
+
+ Up to conntrackd version 0.9.1 use the unofficial release available at the
+ download section
+
+ o libnetfilter_conntrack: the netfilter conntrack library
+
+ Since conntrackd version 0.9.2 you can used the official release availble at
+ http://www.netfilter.org/projects/libnetfilter_conntrack/files/
+
+ Up to conntrackd version 0.9.1 use the unnoficial release available at the
+ download section
+
+2.2.2. Configuration
+
+ Setting up conntrackd in statistics mode is rather easy. Just copy the
+ configuration file
+
+ # cp examples/stats/conntrackd.conf /etc/conntrackd.conf
+
+2.2.3. Running conntrackd in statistics mode
+
+ To run conntrackd in statistics mode:
+
+ # conntrackd -S
+
+ Alternatively, you can run conntrackd in daemon mode:
+
+ # conntrackd -S -d
+
+ In order to dump the statistics, just type:
+
+ # conntrackd -s
Copied: trunk/conntrack-tools/Make_global.am (from rev 6792, trunk/conntrack-tools/daemon/Make_global.am)
===================================================================
--- trunk/conntrack-tools/Make_global.am (rev 0)
+++ trunk/conntrack-tools/Make_global.am 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1 @@
+INCLUDES=$(all_includes) -I$(top_srcdir)/include
Copied: trunk/conntrack-tools/Makefile.am (from rev 6792, trunk/conntrack-tools/daemon/Makefile.am)
===================================================================
--- trunk/conntrack-tools/Makefile.am (rev 0)
+++ trunk/conntrack-tools/Makefile.am 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,21 @@
+include Make_global.am
+
+# not a GNU package. You can remove this line, if
+# have all needed files, that a GNU package needs
+AUTOMAKE_OPTIONS = foreign dist-bzip2 1.6
+
+# man_MANS = ""
+# EXTRA_DIST = $(man_MANS) Make_global.am debian
+EXTRA_DIST = Make_global.am CHANGELOG TODO
+
+SUBDIRS = src extensions
+DIST_SUBDIRS = include src extensions examples
+LINKOPTS = -lnfnetlink -lnetfilter_conntrack -lpthread
+AM_CFLAGS = -g
+
+$(OBJECTS): libtool
+libtool: $(LIBTOOL_DEPS)
+ $(SHELL) ./config.status --recheck
+
+dist-hook:
+ rm -rf `find $(distdir)/debian -name .svn`
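Review bot: The `dist-hook` target prunes `.svn` directories under `$(distdir)/debian`, but `debian` is not part of the active `EXTRA_DIST` line (only the commented-out line above it lists it), so that directory presumably never exists in the dist tree and `find` will print an error to stderr while the `rm -rf` becomes a no-op. Either drop the hook or make it independent of the layout: `rm -rf \`find $(distdir) -name .svn\``. The two commented-out assignments (`# man_MANS` and `# EXTRA_DIST`) read as dead code; removing them or adding a short comment saying why they are kept would make the intent clearer, and since this file is copied from the daemon tree the `LINKOPTS` line (`-lpthread` included) should be confirmed as still appropriate once the conntrack CLI is built from the same tree.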
Copied: trunk/conntrack-tools/TODO (from rev 6792, trunk/conntrack-tools/daemon/TODO)
===================================================================
--- trunk/conntrack-tools/TODO (rev 0)
+++ trunk/conntrack-tools/TODO 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,18 @@
+There are several tasks that are pending to be done, I have classified them
+by dificulty levels:
+
+Relatively easy
+===============
+
+- test ipv6 support
+- improve shell scripts
+- test NACK based protocol
+- manpage for conntrackd
+
+Requires some work
+==================
+
+- study better keepalived transitions
+- implement support for TCP window tracking (patches are on the table)
+ - at the moment you have to disable it:
+ echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Copied: trunk/conntrack-tools/autogen.sh (from rev 6792, trunk/conntrack-tools/daemon/autogen.sh)
===================================================================
--- trunk/conntrack-tools/autogen.sh (rev 0)
+++ trunk/conntrack-tools/autogen.sh 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+run ()
+{
+ echo "running: $*"
+ eval $*
+
+ if test $? != 0 ; then
+ echo "error: while running '$*'"
+ exit 1
+ fi
+}
+
+run aclocal
+run libtoolize -f
+#run autoheader
+run automake -a
+run autoconf
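Review bot: In `run()`, `eval $*` expands the arguments unquoted and then re-parses them, so any argument containing whitespace or glob characters would be split twice; every call in this file passes plain literal words, so it works today, but the conventional form is simply `"$@"` (or `eval "$*"` if shell re-parsing is genuinely wanted). `if test $? != 0` is a string comparison; `test $? -ne 0` is the numeric test and reads as intended. The commented-out `#run autoheader` line is dead code and could either be removed or carry a one-line comment saying why it is disabled.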
Deleted: trunk/conntrack-tools/cli/ChangeLog
===================================================================
--- trunk/conntrack-tools/cli/ChangeLog 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/cli/ChangeLog 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,243 +0,0 @@
-2006-03-20
-<hidden at sch.bme.hu>
- o fix ICMP protocol extension parse callback
-
-2006-01-15
-<pablo at netfilter.org>
- o Added missing parameters to set the ports of an expectation tuple
- o Add support to filter dumped entries.
- ie: conntrack -L -p tcp --orig-port-dst 993
- display all the connections to IMAPS servers
- conntrack -L -m 2
- display all the connection marked with 2
- o Bumped version to 1.00beta2
-
-2005-12-26
-<pablo at netfilter.org>
- o add IPv6 support: main change
- o removed dead code: iptables_insmod and get_modprobe
- o compact the commands vs. options table
- o move working vars from the stack to the BSS section
- o update manpage
- o Bumped version to 1.0beta1
-<yasuyuki.kozakai at toshiba.co.jp>
- o check address family mismatch
- o fix incomplete copying IPv6 addresses
-
-2005-12-19
-<pablo at netfilter.org>
- o We only support ipv4 at the moment: set l3protonum to AF_INET
- o Minor changes to prepare upcoming ipv6 support
-
-2005-12-03
-<pablo at netfilter.org>
- o Add support to filter events. ie: -p tcp --orig-port-dst 80 in
- conjuction with -E to get all the requests to HTTP servers
- o Update manpage
- o Missing static function declaration in the protocol handlers
- o Use protocol flags defined in libnetfilter_conntrack
- o Bumped version to 0.991
-
-2005-11-22
-<marcus at ingate.com>
- o Fix oversized number of options
-
-2005-11-11
-<laforge at netfilter.org>
- o don't check for kernel header path in configure, since we don't use
- kernel headers
- o don't check for libnfnetlink, we don't use it directly
- o move plugins into pkglibdir
- o remove 'lib' prefix of plugins, they're not really libraries
- o remove version information from plugin filenames
- o Bumped version to 0.99
-2005-11-09
-<pablo at netfilter.org>
- o set status to zero, libnetfilter_conntrack now activate
- IPS_CONFIRMED since all conntrack in hash must be confirmed.
- o Bumped version to 0.98
-
-2005-11-08
-<olenf at ans.pl>
- o Fix warnings generated by gcc -Wall
- o Fix conntrack exit value at error
- o Replace obsolete inet_addr by inet_aton
-
-2005-11-05
-<olenf at ans.pl>
- o Improved conntrack -h output
- o add htons for icmp id.
-<pablo at eurodev.net>
- o -t and -u are optional at update.
- o Fixed versioning :(
- o Bumped version to 0.97
-
-2005-11-03
-<laforge at netfilter.org>
- o Use extra 'data' argument of nfct_register_callback() function that
- I've introduced in libetfilter_conntrack.
-<olenf at ans.pl>
- o moves conntrack tool from bin to sbin directory since this
- application is an administration utility and it requires uid==0 or
- CAP_NET_ADMIN
-<pablo at eurodev.net>
- o check if --state missing when -p is passed
- o command type is passed to final_check: checkings based on the
- command can be done now.
- o kill duplicated definition of IPS_* bits: Already present in
- libnetfilter_conntrack.
- o Move action and command enum to conntrack.h
- o kill NIPQUAD macro
- o make conntrack handler cth static.
- o Bumped version to 0.96
-
-2005-11-01
-<pablo at eurodev.net>
- o Fix error message describing illegal option -E -i
- o -D -i ID requires tuple information: Display an error message
- o Use NFCT_ALL_CT_GROUPS flag instead of NFCT_ALL_GROUPS
- o Event mask doesn't make sense for expectations, kill dead code
- o Bumped version to 0.95
-<olenf at ans.pl>
- o Fix wrong formating in conntrack -h
-
-2005-10-30
-<pablo at eurodev.net>
- Special thanks to Deti Fiegl from the Leibniz Supercomputing Centre in
- Munich, Germany for providing the "fast" hardware to reproduce
- spurious bugs ;)
-
- o Replace misleading message "Not enough memory" by "Can't open handler"
- o New option -i for expectation dumping: conntrack -L expect [-i]
- o sed 's/VERSION/CONNTRACK_VERSION/g'
- o Fix nfct_open flags, now uses NFCT_ALL_GROUPS when needed
- o Bumped version to 0.94
-
-2005-10-28
-<pablo at eurodev.net>
- o New option -i for dumping: conntrack -L [-i]
- o Fixed warning in findproto due to a stupid wrong type definition
- o sed 's/nfct_set_callback/nfct_register_callback/g'
- o killed the 'retry' logic, *sigh* it is broken in some cases
- o killed broken and unneeded protocol handler destructors (fini)
- o killed unregister_proto
- o Fixed code indentation in the command selector
- o Bumped version to 0.93
-
-2005-10-27
-<pablo at eurodev.net>
- o Use conntrack VERSION instead of the old LIBCT_VERSION
- o proto_list and lib_dir are now static
- o kill dead code: function dump_tuple
- o Bumped version to 0.92
-
-2005-10-25
-<eleblond at inl.fr>
- o Add missing autogen.sh file
-
-2005-10-24
-<pablo at eurodev.net>
- o use NFCT_ANY_GROUP flag in nfct_open()
-
-2005-10-21
-<pablo at eurodev.net>
- o Bumped version to 0.90
- o Add support for id and marks
-
-2005-10-20
-<pablo at eurodev.net>
- o Kill some more files that generated by the autocrap
- o Resync with the lastest libnetfilter_conntrack API changes
-
-2005-10-16
-<pablo at netfilter.org>
- o Rename libct_proto.h to conntrack.h
- o Remove config.h.in from svn, it's autogenerated by the autocrap :)
- o Remove dead functions in the SCTP protocol helper
-
-2005-10-14
-<pablo at netfilter.org>
- o Kill config.h.in, it's generated by the autocrap
- o The conntrack tool now uses libnetfilter_conntrack :)
- o libct.c has been killed, now it's in libnetfilter_conntrack
- o Check if you're root or CAP_NET_ADMIN
- o Bumped version number to 0.86
-
-2005-10-07
-<chentschel at iplan.com.ar>
- o Fixed ICMP options
-<pablo at netfilter.org>
- o Multiple fixes for the ICMP protocol handler
- o Fix ICMP output: wrong output. type and code were set to zero.
-
-2005-10-05
-<pablo at netfilter.org>
- o Fix up counters
- o Fix up compilation (IPS_* stuff missing), still need a proper fix
- o Bumped version number to 0.82
-
-2005-09-24
-<laforge at netfilter.org>
- o Get rid of C++ style comments
- o Remove remaining bits of "-A --action", group-mask and dump-mask
- o Clean up #include's
- o Fix double-free when exiting via signal handler (Ctrl+C)
- o Add "version" member to plugins
- o Fix some Endianness issues when printing CTA_STATUS
-
-2005-08-31
-<pablo at netfilter.org>
- o Fix packet and bytes counters (use __be64_to_cpu)
- o Fix ip_conntrack_netlink load-on-demand
-
-2005-07-12
-<pablo at eurodev.net>
- o Use conntrack netlink attributes: Major change
- o Kill action setting: Mask based dumping
- o Fix ChangeLog
-
-2005-05-23
-<laforge at netfilter.org>
- o Fixed syntax error (tab/space issue) in help message
- o Fixed getopt handling on big endian machines
- o Fixed possible future read-over-end-of-array in TCP extension
- o Add manpage
- o Add missing space at output of libct_proto_icmp.c
- o Add status bits that were introduced in 2.6.11
- o Add SCTP extension
- o Add support for expect creation
- o Bump version number to 0.63
-
-2005-05-17
-<pablo at eurodev.net>
- o Added descriptive error messages.
- o Fix wrong flags check in [tcp|udp] proto helpers.
-
-2005-05-16
-<pablo at eurodev.net>
- o Implemented ICMP proto helper
- o Added help() and final_check() functions for proto helpers.
-
-2005-05-01
-<pablo at eurodev.net>
- o Created changelog file
- o Deleted libctnetlink.h and libnfnetlink.h from the include/ dir.
- o Added support for version (-V) and help (-h)
- o Added event mask based support
- o Added GPLv2 headers
- o Use fprintf instead of printf
- o Defined print_tuple and print_proto output interfaces
- o ctnl_[get|del]_conntrack handles return value from kernel via msgerr
- o Added support for conntrack table flushing
- o Added test case file (test.sh)
- o Improve dump output
-
-<azez at ufomechanic.net>
- o Autoconf stuff for conntrack + some pablo's modifications.
- o Fixed packet counters formatting (use %llu instead of %lu)
-
-2005-04-25
-<pablo at eurodev.net>
- o Added support for mask based event dumping
- o Added support for mask based event notification
- o On-demand autoload of ip_conntrack_netlink
Deleted: trunk/conntrack-tools/cli/conntrack.8
===================================================================
--- trunk/conntrack-tools/cli/conntrack.8 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/cli/conntrack.8 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,142 +0,0 @@
-.TH CONNTRACK 8 "Jun 23, 2005" "" ""
-
-.\" Man page written by Harald Welte <laforge at netfilter.org (Jun 2005)
-
-.SH NAME
-conntrack \- administration tool for netfilter connection tracking
-.SH SYNOPSIS
-.BR "conntrack -L [table] [-z]"
-.br
-.BR "conntrack -G [table] parameters"
-.br
-.BR "conntrack -D [table] paramaters"
-.br
-.BR "conntrack -I [table] parameters"
-.br
-.BR "conntrack -E [table] parameters"
-.br
-.BR "conntrack -F [table]"
-.SH DESCRIPTION
-.B conntrack
-is used to search, list, inspect and maintain the netfilter connection tracking
-subsystem of the Linux kernel.
-.PP
-Using
-.B conntrack
-, you can dump a list of all (or a filtered selection of) currently tracked
-connections, delete connections from the state table, and even add new ones.
-.PP
-In addition, you can also monitor connection tracking events, e.g. show an
-event message (one line) per newly established connection.
-.SH TABLES
-The connection tracking subsystem maintains two internal tables:
-.TP
-.BR "conntrack" :
-This is the default table. It contains a list of all currently tracked
-connections through the system. If you don't use connection tracking
-exemptions (NOTRACK iptables target), this means all connections that go
-through the system.
-.TP
-.BR "expect" :
-This is the table of expectations. Connection tracking expectations are the
-mechanism used to "expect" RELATED connections to existing ones. Expectations
-are generally used by "connection tracking helpers" (sometimes called
-application level gateways [ALGs]) for more complex protocols such as FTP,
-SIP, H.323.
-.SH OPTIONS
-The options recognized by
-.B conntrack
-can be divided into several different groups.
-.SS COMMANDS
-These options specify the particular operation to perform. Only one of them
-can be specified at any given time.
-.TP
-.BI "-L --dump "
-List connection tacking or expectation table
-.TP
-.BI "-G, --get "
-Search for and show a particular (matching) entry in the given table.
-.TP
-.BI "-D, --delete "
-Delete an entry from the given table.
-.TP
-.BI "-I, --create "
-Create a new entry from the given table.
-.TP
-.BI "-E, --event "
-Display a real-time event log.
-.TP
-.BI "-F, --flush "
-Flush the whole given table
-.SS PARAMETERS
-.TP
-.BI "-z, --zero "
-Atomically zero counters after reading them. This option is only valid in
-combination with the "-L, --dump" command options.
-.TP
-.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
-Set the bitmask of events that are to be generated by the in-kernel ctnetlink
-event code. Using this parameter, you can reduce the event messages generated
-by the kernel to those types to those that you are actually interested in.
-.
-This option can only be used in conjunction with "-E, --event".
-.SS FILTER PARAMETERS
-.TP
-.BI "-s, --orig-src " IP_ADDRESS
-Match only entries whose source address in the original direction equals the one specified as argument.
-.TP
-.BI "-d, --orig-dst " IP_ADDRESS
-Match only entries whose destination address in the original direction equals the one specified as argument.
-.TP
-.BI "-r, --reply-src " IP_ADDRESS
-Match only entries whose source address in the reply direction equals the one specified as argument.
-.TP
-.BI "-q, --reply-dst " IP_ADDRESS
-Match only entries whose destination address in the reply direction equals the one specified as argument.
-.TP
-.BI "-p, --proto " "PROTO "
-Specify layer four (TCP, UDP, ...) protocol.
-.TP
-.BI "-f, --family " "PROTO"
-Specify layer three (ipv4, ipv6) protocol
-This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.
-.TP
-.BI "-t, --timeout " "TIMEOUT"
-Specify the timeout.
-.TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
-Specify the conntrack status.
-.TP
-.BI "-i, --id " "ID"
-Specify the conntrack ID.
-.
-This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
-.TP
-.BI "--tuple-src " IP_ADDRESS
-Specify the tuple source address of an expectation.
-.TP
-.BI "--tuple-dst " IP_ADDRESS
-Specify the tuple destination address of an expectation.
-.TP
-.BI "--mask-src " IP_ADDRESS
-Specify the source address mask of an expectation.
-.TP
-.BI "--mask-dst " IP_ADDRESS
-Specify the destination address mask of an expectation.
-.SH DIAGNOSTICS
-The exit code is 0 for correct function. Errors which appear to be caused by
-invalid command line parameters cause an exit code of 2. Any other errors
-cause an exit code of 1.
-.SH BUGS
-Bugs? What's this ;-)
-.SH SEE ALSO
-.BR iptables (8)
-.br
-See
-.BR "http://netfilter.org/" .
-.SH AUTHORS
-Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
-.PP
-Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters.
-.PP
-Man page written by Harald Welte <laforge at netfilter.org>.
Deleted: trunk/conntrack-tools/cli/include/conntrack.h
===================================================================
--- trunk/conntrack-tools/cli/include/conntrack.h 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/cli/include/conntrack.h 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,160 +0,0 @@
-#ifndef _CONNTRACK_H
-#define _CONNTRACK_H
-
-#ifdef HAVE_CONFIG_H
-#include "../config.h"
-#endif
-
-#include "linux_list.h"
-#include <getopt.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-
-#define PROGNAME "conntrack"
-
-#include <netinet/in.h>
-#ifndef IPPROTO_SCTP
-#define IPPROTO_SCTP 132
-#endif
-
-enum action {
- CT_NONE = 0,
-
- CT_LIST_BIT = 0,
- CT_LIST = (1 << CT_LIST_BIT),
-
- CT_CREATE_BIT = 1,
- CT_CREATE = (1 << CT_CREATE_BIT),
-
- CT_UPDATE_BIT = 2,
- CT_UPDATE = (1 << CT_UPDATE_BIT),
-
- CT_DELETE_BIT = 3,
- CT_DELETE = (1 << CT_DELETE_BIT),
-
- CT_GET_BIT = 4,
- CT_GET = (1 << CT_GET_BIT),
-
- CT_FLUSH_BIT = 5,
- CT_FLUSH = (1 << CT_FLUSH_BIT),
-
- CT_EVENT_BIT = 6,
- CT_EVENT = (1 << CT_EVENT_BIT),
-
- CT_VERSION_BIT = 7,
- CT_VERSION = (1 << CT_VERSION_BIT),
-
- CT_HELP_BIT = 8,
- CT_HELP = (1 << CT_HELP_BIT),
-
- EXP_LIST_BIT = 9,
- EXP_LIST = (1 << EXP_LIST_BIT),
-
- EXP_CREATE_BIT = 10,
- EXP_CREATE = (1 << EXP_CREATE_BIT),
-
- EXP_DELETE_BIT = 11,
- EXP_DELETE = (1 << EXP_DELETE_BIT),
-
- EXP_GET_BIT = 12,
- EXP_GET = (1 << EXP_GET_BIT),
-
- EXP_FLUSH_BIT = 13,
- EXP_FLUSH = (1 << EXP_FLUSH_BIT),
-
- EXP_EVENT_BIT = 14,
- EXP_EVENT = (1 << EXP_EVENT_BIT),
-};
-#define NUMBER_OF_CMD 15
-
-enum options {
- CT_OPT_ORIG_SRC_BIT = 0,
- CT_OPT_ORIG_SRC = (1 << CT_OPT_ORIG_SRC_BIT),
-
- CT_OPT_ORIG_DST_BIT = 1,
- CT_OPT_ORIG_DST = (1 << CT_OPT_ORIG_DST_BIT),
-
- CT_OPT_ORIG = (CT_OPT_ORIG_SRC | CT_OPT_ORIG_DST),
-
- CT_OPT_REPL_SRC_BIT = 2,
- CT_OPT_REPL_SRC = (1 << CT_OPT_REPL_SRC_BIT),
-
- CT_OPT_REPL_DST_BIT = 3,
- CT_OPT_REPL_DST = (1 << CT_OPT_REPL_DST_BIT),
-
- CT_OPT_REPL = (CT_OPT_REPL_SRC | CT_OPT_REPL_DST),
-
- CT_OPT_PROTO_BIT = 4,
- CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT),
-
- CT_OPT_TIMEOUT_BIT = 5,
- CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
-
- CT_OPT_STATUS_BIT = 6,
- CT_OPT_STATUS = (1 << CT_OPT_STATUS_BIT),
-
- CT_OPT_ZERO_BIT = 7,
- CT_OPT_ZERO = (1 << CT_OPT_ZERO_BIT),
-
- CT_OPT_EVENT_MASK_BIT = 8,
- CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT),
-
- CT_OPT_EXP_SRC_BIT = 9,
- CT_OPT_EXP_SRC = (1 << CT_OPT_EXP_SRC_BIT),
-
- CT_OPT_EXP_DST_BIT = 10,
- CT_OPT_EXP_DST = (1 << CT_OPT_EXP_DST_BIT),
-
- CT_OPT_MASK_SRC_BIT = 11,
- CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT),
-
- CT_OPT_MASK_DST_BIT = 12,
- CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT),
-
- CT_OPT_NATRANGE_BIT = 13,
- CT_OPT_NATRANGE = (1 << CT_OPT_NATRANGE_BIT),
-
- CT_OPT_MARK_BIT = 14,
- CT_OPT_MARK = (1 << CT_OPT_MARK_BIT),
-
- CT_OPT_ID_BIT = 15,
- CT_OPT_ID = (1 << CT_OPT_ID_BIT),
-
- CT_OPT_FAMILY_BIT = 16,
- CT_OPT_FAMILY = (1 << CT_OPT_FAMILY_BIT),
-
- CT_OPT_MAX_BIT = CT_OPT_FAMILY_BIT
-};
-#define NUMBER_OF_OPT CT_OPT_MAX_BIT+1
-
-struct ctproto_handler {
- struct list_head head;
-
- char *name;
- u_int16_t protonum;
- char *version;
-
- enum ctattr_protoinfo protoinfo_attr;
-
- int (*parse_opts)(char c, char *argv[],
- struct nfct_tuple *orig,
- struct nfct_tuple *reply,
- struct nfct_tuple *exptuple,
- struct nfct_tuple *mask,
- union nfct_protoinfo *proto,
- unsigned int *flags);
-
- int (*final_check)(unsigned int flags,
- unsigned int command,
- struct nfct_tuple *orig,
- struct nfct_tuple *reply);
-
- void (*help)();
-
- struct option *opts;
-
- unsigned int option_offset;
-};
-
-extern void register_proto(struct ctproto_handler *h);
-
-#endif
Deleted: trunk/conntrack-tools/cli/src/conntrack.c
===================================================================
--- trunk/conntrack-tools/cli/src/conntrack.c 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/cli/src/conntrack.c 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,1131 +0,0 @@
-/*
- * (C) 2005 by Pablo Neira Ayuso <pablo at netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- * Note:
- * Yes, portions of this code has been stolen from iptables ;)
- * Special thanks to the the Netfilter Core Team.
- * Thanks to Javier de Miguel Rodriguez <jmiguel at talika.eii.us.es>
- * for introducing me to advanced firewalling stuff.
- *
- * --pablo 13/04/2005
- *
- * 2005-04-16 Harald Welte <laforge at netfilter.org>:
- * Add support for conntrack accounting and conntrack mark
- * 2005-06-23 Harald Welte <laforge at netfilter.org>:
- * Add support for expect creation
- * 2005-09-24 Harald Welte <laforge at netfilter.org>:
- * Remove remaints of "-A"
- *
- */
-#include <stdio.h>
-#include <sys/wait.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <errno.h>
-#include <unistd.h>
-#include <netinet/in.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-#include <fcntl.h>
-#include <dlfcn.h>
-#include <signal.h>
-#include <string.h>
-#include "linux_list.h"
-#include "conntrack.h"
-#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_ipv4.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_ipv6.h>
-
-static const char cmdflags[NUMBER_OF_CMD]
-= {'L','I','U','D','G','F','E','V','h','L','I','D','G','F','E'};
-
-static const char cmd_need_param[NUMBER_OF_CMD]
-= { 2, 0, 0, 0, 0, 2, 2, 2, 2, 2, 0, 0, 0, 2, 2 };
-
-static const char optflags[NUMBER_OF_OPT]
-= {'s','d','r','q','p','t','u','z','e','[',']','{','}','a','m','i','f'};
-
-static struct option original_opts[] = {
- {"dump", 2, 0, 'L'},
- {"create", 1, 0, 'I'},
- {"delete", 1, 0, 'D'},
- {"update", 1, 0, 'U'},
- {"get", 1, 0, 'G'},
- {"flush", 1, 0, 'F'},
- {"event", 1, 0, 'E'},
- {"version", 0, 0, 'V'},
- {"help", 0, 0, 'h'},
- {"orig-src", 1, 0, 's'},
- {"orig-dst", 1, 0, 'd'},
- {"reply-src", 1, 0, 'r'},
- {"reply-dst", 1, 0, 'q'},
- {"protonum", 1, 0, 'p'},
- {"timeout", 1, 0, 't'},
- {"status", 1, 0, 'u'},
- {"zero", 0, 0, 'z'},
- {"event-mask", 1, 0, 'e'},
- {"tuple-src", 1, 0, '['},
- {"tuple-dst", 1, 0, ']'},
- {"mask-src", 1, 0, '{'},
- {"mask-dst", 1, 0, '}'},
- {"nat-range", 1, 0, 'a'},
- {"mark", 1, 0, 'm'},
- {"id", 2, 0, 'i'},
- {"family", 1, 0, 'f'},
- {0, 0, 0, 0}
-};
-
-#define OPTION_OFFSET 256
-
-static struct nfct_handle *cth;
-static struct option *opts = original_opts;
-static unsigned int global_option_offset = 0;
-
-/* Table of legal combinations of commands and options. If any of the
- * given commands make an option legal, that option is legal (applies to
- * CMD_LIST and CMD_ZERO only).
- * Key:
- * 0 illegal
- * 1 compulsory
- * 2 optional
- */
-
-static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
-/* Well, it's better than "Re: Linux vs FreeBSD" */
-{
- /* s d r q p t u z e x y k l a m i f*/
-/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2},
-/*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0},
-/*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0},
-/*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0},
-/*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0},
-/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0},
-/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*HELP*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2},
-/*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0},
-/*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_GET*/ {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-};
-
-static char *lib_dir = CONNTRACK_LIB_DIR;
-
-static LIST_HEAD(proto_list);
-
-void register_proto(struct ctproto_handler *h)
-{
- if (strcmp(h->version, VERSION) != 0) {
- fprintf(stderr, "plugin `%s': version %s (I'm %s)\n",
- h->name, h->version, VERSION);
- exit(1);
- }
- list_add(&h->head, &proto_list);
-}
-
-static struct ctproto_handler *findproto(char *name)
-{
- struct list_head *i;
- struct ctproto_handler *cur = NULL, *handler = NULL;
-
- if (!name)
- return handler;
-
- lib_dir = getenv("CONNTRACK_LIB_DIR");
- if (!lib_dir)
- lib_dir = CONNTRACK_LIB_DIR;
-
- list_for_each(i, &proto_list) {
- cur = (struct ctproto_handler *) i;
- if (strcmp(cur->name, name) == 0) {
- handler = cur;
- break;
- }
- }
-
- if (!handler) {
- char path[sizeof("ct_proto_.so")
- + strlen(name) + strlen(lib_dir)];
- sprintf(path, "%s/ct_proto_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW))
- handler = findproto(name);
- else
- fprintf(stderr, "%s\n", dlerror());
- }
-
- return handler;
-}
-
-enum exittype {
- OTHER_PROBLEM = 1,
- PARAMETER_PROBLEM,
- VERSION_PROBLEM
-};
-
-void extension_help(struct ctproto_handler *h)
-{
- fprintf(stdout, "\n");
- fprintf(stdout, "Proto `%s' help:\n", h->name);
- h->help();
-}
-
-void
-exit_tryhelp(int status)
-{
- fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
- PROGNAME, PROGNAME);
- exit(status);
-}
-
-static void
-exit_error(enum exittype status, char *msg, ...)
-{
- va_list args;
-
- /* On error paths, make sure that we don't leak the memory
- * reserved during options merging */
- if (opts != original_opts) {
- free(opts);
- opts = original_opts;
- global_option_offset = 0;
- }
- va_start(args, msg);
- fprintf(stderr,"%s v%s: ", PROGNAME, VERSION);
- vfprintf(stderr, msg, args);
- va_end(args);
- fprintf(stderr, "\n");
- if (status == PARAMETER_PROBLEM)
- exit_tryhelp(status);
- exit(status);
-}
-
-static void
-generic_cmd_check(int command, int options)
-{
- int i;
-
- for (i = 0; i < NUMBER_OF_CMD; i++) {
- if (!(command & (1<<i)))
- continue;
-
- if (cmd_need_param[i] == 0 && !options)
- exit_error(PARAMETER_PROBLEM,
- "You need to supply parameters to `-%c'\n",
- cmdflags[i]);
- }
-}
-
-static void
-generic_opt_check(int command, int options)
-{
- int i, j, legal = 0;
-
- /* Check that commands are valid with options. Complicated by the
- * fact that if an option is legal with *any* command given, it is
- * legal overall (ie. -z and -l).
- */
- for (i = 0; i < NUMBER_OF_OPT; i++) {
- legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
-
- for (j = 0; j < NUMBER_OF_CMD; j++) {
- if (!(command & (1<<j)))
- continue;
-
- if (!(options & (1<<i))) {
- if (commands_v_options[j][i] == 1)
- exit_error(PARAMETER_PROBLEM,
- "You need to supply the "
- "`-%c' option for this "
- "command\n", optflags[i]);
- } else {
- if (commands_v_options[j][i] != 0)
- legal = 1;
- else if (legal == 0)
- legal = -1;
- }
- }
- if (legal == -1)
- exit_error(PARAMETER_PROBLEM, "Illegal option `-%c' "
- "with this command\n", optflags[i]);
- }
-}
-
-static struct option *
-merge_options(struct option *oldopts, const struct option *newopts,
- unsigned int *option_offset)
-{
- unsigned int num_old, num_new, i;
- struct option *merge;
-
- for (num_old = 0; oldopts[num_old].name; num_old++);
- for (num_new = 0; newopts[num_new].name; num_new++);
-
- global_option_offset += OPTION_OFFSET;
- *option_offset = global_option_offset;
-
- merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
- memcpy(merge, oldopts, num_old * sizeof(struct option));
- for (i = 0; i < num_new; i++) {
- merge[num_old + i] = newopts[i];
- merge[num_old + i].val += *option_offset;
- }
- memset(merge + num_old + num_new, 0, sizeof(struct option));
-
- return merge;
-}
-
-/* From linux/errno.h */
-#define ENOTSUPP 524 /* Operation is not supported */
-
-/* Translates errno numbers into more human-readable form than strerror. */
-const char *
-err2str(int err, enum action command)
-{
- unsigned int i;
- struct table_struct {
- enum action act;
- int err;
- const char *message;
- } table [] =
- { { CT_LIST, -ENOTSUPP, "function not implemented" },
- { 0xFFFF, -EINVAL, "invalid parameters" },
- { CT_CREATE, -EEXIST, "Such conntrack exists, try -U to update" },
- { CT_CREATE|CT_GET|CT_DELETE, -ENOENT,
- "such conntrack doesn't exist" },
- { CT_CREATE|CT_GET, -ENOMEM, "not enough memory" },
- { CT_GET, -EAFNOSUPPORT, "protocol not supported" },
- { CT_CREATE, -ETIME, "conntrack has expired" },
- { EXP_CREATE, -ENOENT, "master conntrack not found" },
- { EXP_CREATE, -EINVAL, "invalid parameters" },
- { ~0UL, -EPERM, "sorry, you must be root or get "
- "CAP_NET_ADMIN capability to do this"}
- };
-
- for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
- if ((table[i].act & command) && table[i].err == err)
- return table[i].message;
- }
-
- return strerror(err);
-}
-
-#define PARSE_STATUS 0
-#define PARSE_EVENT 1
-#define PARSE_MAX 2
-
-static struct parse_parameter {
- char *parameter[6];
- size_t size;
- unsigned int value[6];
-} parse_array[PARSE_MAX] = {
- { {"ASSURED", "SEEN_REPLY", "UNSET", "SRC_NAT", "DST_NAT","FIXED_TIMEOUT"}, 6,
- { IPS_ASSURED, IPS_SEEN_REPLY, 0,
- IPS_SRC_NAT_DONE, IPS_DST_NAT_DONE, IPS_FIXED_TIMEOUT} },
- { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
- {~0U, NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_UPDATE,
- NF_NETLINK_CONNTRACK_DESTROY} },
-};
-
-static int
-do_parse_parameter(const char *str, size_t strlen, unsigned int *value,
- int parse_type)
-{
- int i, ret = 0;
- struct parse_parameter *p = &parse_array[parse_type];
-
- for (i = 0; i < p->size; i++)
- if (strncasecmp(str, p->parameter[i], strlen) == 0) {
- *value |= p->value[i];
- ret = 1;
- break;
- }
-
- return ret;
-}
-
-static void
-parse_parameter(const char *arg, unsigned int *status, int parse_type)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg
- || !do_parse_parameter(arg, comma-arg, status, parse_type))
- exit_error(PARAMETER_PROBLEM,"Bad parameter `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0
- || !do_parse_parameter(arg, strlen(arg), status, parse_type))
- exit_error(PARAMETER_PROBLEM, "Bad parameter `%s'", arg);
-}
-
-static void
-add_command(unsigned int *cmd, const int newcmd, const int othercmds)
-{
- if (*cmd & (~othercmds))
- exit_error(PARAMETER_PROBLEM, "Invalid commands combination\n");
- *cmd |= newcmd;
-}
-
-unsigned int check_type(int argc, char *argv[])
-{
- char *table = NULL;
-
- /* Nasty bug or feature in getopt_long ?
- * It seems that it behaves badly with optional arguments.
- * Fortunately, I just stole the fix from iptables ;) */
- if (optarg)
- return 0;
- else if (optind < argc && argv[optind][0] != '-'
- && argv[optind][0] != '!')
- table = argv[optind++];
-
- if (!table)
- return 0;
-
- if (strncmp("expect", table, 6) == 0)
- return 1;
- else if (strncmp("conntrack", table, 9) == 0)
- return 0;
- else
- exit_error(PARAMETER_PROBLEM, "unknown type `%s'\n", table);
-
- return 0;
-}
-
-static void set_family(int *family, int new)
-{
- if (*family == AF_UNSPEC)
- *family = new;
- else if (*family != new)
- exit_error(PARAMETER_PROBLEM, "mismatched address family\n");
-}
-
-struct addr_parse {
- struct in_addr addr;
- struct in6_addr addr6;
- unsigned int family;
-};
-
-int __parse_inetaddr(const char *cp, struct addr_parse *parse)
-{
- if (inet_aton(cp, &parse->addr))
- return AF_INET;
-#ifdef HAVE_INET_PTON_IPV6
- else if (inet_pton(AF_INET6, cp, &parse->addr6) > 0)
- return AF_INET6;
-#endif
-
- exit_error(PARAMETER_PROBLEM, "Invalid IP address `%s'.", cp);
-}
-
-int parse_inetaddr(const char *cp, union nfct_address *address)
-{
- struct addr_parse parse;
- int ret;
-
- if ((ret = __parse_inetaddr(cp, &parse)) == AF_INET)
- address->v4 = parse.addr.s_addr;
- else if (ret == AF_INET6)
- memcpy(address->v6, &parse.addr6, sizeof(parse.addr6));
-
- return ret;
-}
-
-/* Shamelessly stolen from libipt_DNAT ;). Ranges expected in network order. */
-static void
-nat_parse(char *arg, int portok, struct nfct_nat *range)
-{
- char *colon, *dash, *error;
- struct addr_parse parse;
-
- memset(range, 0, sizeof(range));
- colon = strchr(arg, ':');
-
- if (colon) {
- int port;
-
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
-
- port = atoi(colon+1);
- if (port == 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", colon+1);
-
- error = strchr(colon+1, ':');
- if (error)
- exit_error(PARAMETER_PROBLEM,
- "Invalid port:port syntax - use dash\n");
-
- dash = strchr(colon, '-');
- if (!dash) {
- range->l4min.tcp.port
- = range->l4max.tcp.port
- = htons(port);
- } else {
- int maxport;
-
- maxport = atoi(dash + 1);
- if (maxport == 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", colon+1);
- range->l4min.tcp.port = htons(port);
- range->l4max.tcp.port = htons(maxport);
- }
- /* Starts with a colon? No IP info... */
- if (colon == arg)
- return;
- *colon = '\0';
- }
-
- dash = strchr(arg, '-');
- if (colon && dash && dash > colon)
- dash = NULL;
-
- if (dash)
- *dash = '\0';
-
- if (__parse_inetaddr(arg, &parse) != AF_INET)
- return;
-
- range->min_ip = parse.addr.s_addr;
- if (dash) {
- if (__parse_inetaddr(dash+1, &parse) != AF_INET)
- return;
- range->max_ip = parse.addr.s_addr;
- } else
- range->max_ip = parse.addr.s_addr;
-}
-
-static void event_sighandler(int s)
-{
- fprintf(stdout, "Now closing conntrack event dumping...\n");
- nfct_close(cth);
- exit(0);
-}
-
-static const char usage_commands[] =
- "Commands:\n"
- " -L [table] [options]\t\tList conntrack or expectation table\n"
- " -G [table] parameters\t\tGet conntrack or expectation\n"
- " -D [table] parameters\t\tDelete conntrack or expectation\n"
- " -I [table] parameters\t\tCreate a conntrack or expectation\n"
- " -U [table] parameters\t\tUpdate a conntrack\n"
- " -E [table] [options]\t\tShow events\n"
- " -F [table]\t\t\tFlush table\n";
-
-static const char usage_tables[] =
- "Tables: conntrack, expect\n";
-
-static const char usage_conntrack_parameters[] =
- "Conntrack parameters and options:\n"
- " -a, --nat-range min_ip[-max_ip]\tNAT ip range\n"
- " -m, --mark mark\t\t\tSet mark\n"
- " -e, --event-mask eventmask\t\tEvent mask, eg. NEW,DESTROY\n"
- " -z, --zero \t\t\t\tZero counters while listing\n"
- ;
-
-static const char usage_expectation_parameters[] =
- "Expectation parameters and options:\n"
- " --tuple-src ip\tSource address in expect tuple\n"
- " --tuple-dst ip\tDestination address in expect tuple\n"
- " --mask-src ip\t\tSource mask address\n"
- " --mask-dst ip\t\tDestination mask address\n";
-
-static const char usage_parameters[] =
- "Common parameters and options:\n"
- " -s, --orig-src ip\t\tSource address from original direction\n"
- " -d, --orig-dst ip\t\tDestination address from original direction\n"
- " -r, --reply-src ip\t\tSource addres from reply direction\n"
- " -q, --reply-dst ip\t\tDestination address from reply direction\n"
- " -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
- " -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
- " -t, --timeout timeout\t\tSet timeout\n"
- " -u, --status status\t\tSet status, eg. ASSURED\n"
- " -i, --id [id]\t\t\tShow or set conntrack ID\n"
- ;
-
-
-void usage(char *prog) {
- fprintf(stdout, "Tool to manipulate conntrack and expectations. Version %s\n", VERSION);
- fprintf(stdout, "Usage: %s [commands] [options]\n", prog);
-
- fprintf(stdout, "\n%s", usage_commands);
- fprintf(stdout, "\n%s", usage_tables);
- fprintf(stdout, "\n%s", usage_conntrack_parameters);
- fprintf(stdout, "\n%s", usage_expectation_parameters);
- fprintf(stdout, "\n%s", usage_parameters);
-}
-
-#define CT_COMPARISON (CT_OPT_PROTO | CT_OPT_ORIG | CT_OPT_REPL | CT_OPT_MARK)
-
-static struct nfct_tuple orig, reply, mask;
-static struct nfct_tuple exptuple;
-static struct ctproto_handler *h;
-static union nfct_protoinfo proto;
-static struct nfct_nat range;
-static struct nfct_conntrack *ct;
-static struct nfct_expect *exp;
-static unsigned long timeout;
-static unsigned int status;
-static unsigned int mark;
-static unsigned int id = NFCT_ANY_ID;
-static struct nfct_conntrack_compare cmp;
-
-int main(int argc, char *argv[])
-{
- int c;
- unsigned int command = 0, options = 0;
- unsigned int type = 0, event_mask = 0;
- unsigned int l3flags = 0, l4flags = 0, metaflags = 0;
- int res = 0;
- int family = AF_UNSPEC;
- struct nfct_conntrack_compare *pcmp;
-
- while ((c = getopt_long(argc, argv,
- "L::I::U::D::G::E::F::hVs:d:r:q:p:t:u:e:a:z[:]:{:}:m:i::f:",
- opts, NULL)) != -1) {
- switch(c) {
- case 'L':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_LIST, CT_NONE);
- else if (type == 1)
- add_command(&command, EXP_LIST, CT_NONE);
- break;
- case 'I':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_CREATE, CT_NONE);
- else if (type == 1)
- add_command(&command, EXP_CREATE, CT_NONE);
- break;
- case 'U':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_UPDATE, CT_NONE);
- else
- exit_error(PARAMETER_PROBLEM, "Can't update "
- "expectations");
- break;
- case 'D':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_DELETE, CT_NONE);
- else if (type == 1)
- add_command(&command, EXP_DELETE, CT_NONE);
- break;
- case 'G':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_GET, CT_NONE);
- else if (type == 1)
- add_command(&command, EXP_GET, CT_NONE);
- break;
- case 'F':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_FLUSH, CT_NONE);
- else if (type == 1)
- add_command(&command, EXP_FLUSH, CT_NONE);
- break;
- case 'E':
- type = check_type(argc, argv);
- if (type == 0)
- add_command(&command, CT_EVENT, CT_NONE);
- else if (type == 1)
- add_command(&command, EXP_EVENT, CT_NONE);
- break;
- case 'V':
- add_command(&command, CT_VERSION, CT_NONE);
- break;
- case 'h':
- add_command(&command, CT_HELP, CT_NONE);
- break;
- case 's':
- options |= CT_OPT_ORIG_SRC;
- if (optarg) {
- orig.l3protonum =
- parse_inetaddr(optarg, &orig.src);
- set_family(&family, orig.l3protonum);
- if (orig.l3protonum == AF_INET)
- l3flags |= IPV4_ORIG_SRC;
- else if (orig.l3protonum == AF_INET6)
- l3flags |= IPV6_ORIG_SRC;
- }
- break;
- case 'd':
- options |= CT_OPT_ORIG_DST;
- if (optarg) {
- orig.l3protonum =
- parse_inetaddr(optarg, &orig.dst);
- set_family(&family, orig.l3protonum);
- if (orig.l3protonum == AF_INET)
- l3flags |= IPV4_ORIG_DST;
- else if (orig.l3protonum == AF_INET6)
- l3flags |= IPV6_ORIG_DST;
- }
- break;
- case 'r':
- options |= CT_OPT_REPL_SRC;
- if (optarg) {
- reply.l3protonum =
- parse_inetaddr(optarg, &reply.src);
- set_family(&family, reply.l3protonum);
- if (orig.l3protonum == AF_INET)
- l3flags |= IPV4_REPL_SRC;
- else if (orig.l3protonum == AF_INET6)
- l3flags |= IPV6_REPL_SRC;
- }
- break;
- case 'q':
- options |= CT_OPT_REPL_DST;
- if (optarg) {
- reply.l3protonum =
- parse_inetaddr(optarg, &reply.dst);
- set_family(&family, reply.l3protonum);
- if (orig.l3protonum == AF_INET)
- l3flags |= IPV4_REPL_DST;
- else if (orig.l3protonum == AF_INET6)
- l3flags |= IPV6_REPL_DST;
- }
- break;
- case 'p':
- options |= CT_OPT_PROTO;
- h = findproto(optarg);
- if (!h)
- exit_error(PARAMETER_PROBLEM, "proto needed\n");
- orig.protonum = h->protonum;
- reply.protonum = h->protonum;
- exptuple.protonum = h->protonum;
- mask.protonum = h->protonum;
- opts = merge_options(opts, h->opts,
- &h->option_offset);
- break;
- case 't':
- options |= CT_OPT_TIMEOUT;
- if (optarg)
- timeout = atol(optarg);
- break;
- case 'u': {
- if (!optarg)
- continue;
-
- options |= CT_OPT_STATUS;
- parse_parameter(optarg, &status, PARSE_STATUS);
- break;
- }
- case 'e':
- options |= CT_OPT_EVENT_MASK;
- parse_parameter(optarg, &event_mask, PARSE_EVENT);
- break;
- case 'z':
- options |= CT_OPT_ZERO;
- break;
- case '{':
- options |= CT_OPT_MASK_SRC;
- if (optarg) {
- mask.l3protonum =
- parse_inetaddr(optarg, &mask.src);
- set_family(&family, mask.l3protonum);
- }
- break;
- case '}':
- options |= CT_OPT_MASK_DST;
- if (optarg) {
- mask.l3protonum =
- parse_inetaddr(optarg, &mask.dst);
- set_family(&family, mask.l3protonum);
- }
- break;
- case '[':
- options |= CT_OPT_EXP_SRC;
- if (optarg) {
- exptuple.l3protonum =
- parse_inetaddr(optarg, &exptuple.src);
- set_family(&family, exptuple.l3protonum);
- }
- break;
- case ']':
- options |= CT_OPT_EXP_DST;
- if (optarg) {
- exptuple.l3protonum =
- parse_inetaddr(optarg, &exptuple.dst);
- set_family(&family, exptuple.l3protonum);
- }
- break;
- case 'a':
- options |= CT_OPT_NATRANGE;
- set_family(&family, AF_INET);
- nat_parse(optarg, 1, &range);
- break;
- case 'm':
- options |= CT_OPT_MARK;
- mark = atol(optarg);
- metaflags |= NFCT_MARK;
- break;
- case 'i': {
- char *s = NULL;
- options |= CT_OPT_ID;
- if (optarg)
- break;
- else if (optind < argc && argv[optind][0] != '-'
- && argv[optind][0] != '!')
- s = argv[optind++];
-
- if (s)
- id = atol(s);
- break;
- }
- case 'f':
- options |= CT_OPT_FAMILY;
- if (strncmp(optarg, "ipv4", strlen("ipv4")) == 0)
- set_family(&family, AF_INET);
- else if (strncmp(optarg, "ipv6", strlen("ipv6")) == 0)
- set_family(&family, AF_INET6);
- else
- exit_error(PARAMETER_PROBLEM, "Unknown "
- "protocol family\n");
- break;
- default:
- if (h && h->parse_opts
- &&!h->parse_opts(c - h->option_offset, argv, &orig,
- &reply, &exptuple, &mask, &proto,
- &l4flags))
- exit_error(PARAMETER_PROBLEM, "parse error\n");
-
- /* Unknown argument... */
- if (!h) {
- usage(argv[0]);
- exit_error(PARAMETER_PROBLEM, "Missing "
- "arguments...\n");
- }
- break;
- }
- }
-
- /* default family */
- if (family == AF_UNSPEC)
- family = AF_INET;
-
- generic_cmd_check(command, options);
- generic_opt_check(command, options);
-
- if (!(command & CT_HELP)
- && h && h->final_check
- && !h->final_check(l4flags, command, &orig, &reply)) {
- usage(argv[0]);
- extension_help(h);
- exit_error(PARAMETER_PROBLEM, "Missing protocol arguments!\n");
- }
-
- switch(command) {
-
- case CT_LIST:
- cth = nfct_open(CONNTRACK, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
-
- if (options & CT_COMPARISON) {
-
- if (options & CT_OPT_ZERO)
- exit_error(PARAMETER_PROBLEM, "Can't use -z "
- "with filtering parameters");
-
- ct = nfct_conntrack_alloc(&orig, &reply, timeout,
- &proto, status, mark, id,
- NULL);
- if (!ct)
- exit_error(OTHER_PROBLEM, "Not enough memory");
-
- cmp.ct = ct;
- cmp.flags = metaflags;
- cmp.l3flags = l3flags;
- cmp.l4flags = l4flags;
- pcmp = &cmp;
- }
-
- if (options & CT_OPT_ID)
- nfct_register_callback(cth,
- nfct_default_conntrack_display_id,
- (void *) pcmp);
- else
- nfct_register_callback(cth,
- nfct_default_conntrack_display,
- (void *) pcmp);
-
- if (options & CT_OPT_ZERO)
- res =
- nfct_dump_conntrack_table_reset_counters(cth, family);
- else
- res = nfct_dump_conntrack_table(cth, family);
- nfct_close(cth);
- break;
-
- case EXP_LIST:
- cth = nfct_open(EXPECT, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- if (options & CT_OPT_ID)
- nfct_register_callback(cth,
- nfct_default_expect_display_id,
- NULL);
- else
- nfct_register_callback(cth,
- nfct_default_expect_display,
- NULL);
- res = nfct_dump_expect_list(cth, family);
- nfct_close(cth);
- break;
-
- case CT_CREATE:
- if ((options & CT_OPT_ORIG)
- && !(options & CT_OPT_REPL)) {
- reply.l3protonum = orig.l3protonum;
- memcpy(&reply.src, &orig.dst, sizeof(reply.src));
- memcpy(&reply.dst, &orig.src, sizeof(reply.dst));
- } else if (!(options & CT_OPT_ORIG)
- && (options & CT_OPT_REPL)) {
- orig.l3protonum = reply.l3protonum;
- memcpy(&orig.src, &reply.dst, sizeof(orig.src));
- memcpy(&orig.dst, &reply.src, sizeof(orig.dst));
- }
- if (options & CT_OPT_NATRANGE)
- ct = nfct_conntrack_alloc(&orig, &reply, timeout,
- &proto, status, mark, id,
- &range);
- else
- ct = nfct_conntrack_alloc(&orig, &reply, timeout,
- &proto, status, mark, id,
- NULL);
- if (!ct)
- exit_error(OTHER_PROBLEM, "Not Enough memory");
-
- cth = nfct_open(CONNTRACK, 0);
- if (!cth) {
- nfct_conntrack_free(ct);
- exit_error(OTHER_PROBLEM, "Can't open handler");
- }
- res = nfct_create_conntrack(cth, ct);
- nfct_close(cth);
- nfct_conntrack_free(ct);
- break;
-
- case EXP_CREATE:
- if (options & CT_OPT_ORIG)
- exp = nfct_expect_alloc(&orig, &exptuple,
- &mask, timeout, id);
- else if (options & CT_OPT_REPL)
- exp = nfct_expect_alloc(&reply, &exptuple,
- &mask, timeout, id);
- if (!exp)
- exit_error(OTHER_PROBLEM, "Not enough memory");
-
- cth = nfct_open(EXPECT, 0);
- if (!cth) {
- nfct_expect_free(exp);
- exit_error(OTHER_PROBLEM, "Can't open handler");
- }
- res = nfct_create_expectation(cth, exp);
- nfct_expect_free(exp);
- nfct_close(cth);
- break;
-
- case CT_UPDATE:
- if ((options & CT_OPT_ORIG)
- && !(options & CT_OPT_REPL)) {
- reply.l3protonum = orig.l3protonum;
- memcpy(&reply.src, &orig.dst, sizeof(reply.src));
- memcpy(&reply.dst, &orig.src, sizeof(reply.dst));
- } else if (!(options & CT_OPT_ORIG)
- && (options & CT_OPT_REPL)) {
- orig.l3protonum = reply.l3protonum;
- memcpy(&orig.src, &reply.dst, sizeof(orig.src));
- memcpy(&orig.dst, &reply.src, sizeof(orig.dst));
- }
- ct = nfct_conntrack_alloc(&orig, &reply, timeout,
- &proto, status, mark, id,
- NULL);
- if (!ct)
- exit_error(OTHER_PROBLEM, "Not enough memory");
-
- cth = nfct_open(CONNTRACK, 0);
- if (!cth) {
- nfct_conntrack_free(ct);
- exit_error(OTHER_PROBLEM, "Can't open handler");
- }
- res = nfct_update_conntrack(cth, ct);
- nfct_conntrack_free(ct);
- nfct_close(cth);
- break;
-
- case CT_DELETE:
- if (!(options & CT_OPT_ORIG) && !(options & CT_OPT_REPL))
- exit_error(PARAMETER_PROBLEM, "Can't kill conntracks "
- "just by its ID");
- cth = nfct_open(CONNTRACK, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- if (options & CT_OPT_ORIG)
- res = nfct_delete_conntrack(cth, &orig,
- NFCT_DIR_ORIGINAL,
- id);
- else if (options & CT_OPT_REPL)
- res = nfct_delete_conntrack(cth, &reply,
- NFCT_DIR_REPLY,
- id);
- nfct_close(cth);
- break;
-
- case EXP_DELETE:
- cth = nfct_open(EXPECT, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- if (options & CT_OPT_ORIG)
- res = nfct_delete_expectation(cth, &orig, id);
- else if (options & CT_OPT_REPL)
- res = nfct_delete_expectation(cth, &reply, id);
- nfct_close(cth);
- break;
-
- case CT_GET:
- cth = nfct_open(CONNTRACK, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- nfct_register_callback(cth, nfct_default_conntrack_display,
- NULL);
- if (options & CT_OPT_ORIG)
- res = nfct_get_conntrack(cth, &orig,
- NFCT_DIR_ORIGINAL, id);
- else if (options & CT_OPT_REPL)
- res = nfct_get_conntrack(cth, &reply,
- NFCT_DIR_REPLY, id);
- nfct_close(cth);
- break;
-
- case EXP_GET:
- cth = nfct_open(EXPECT, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- nfct_register_callback(cth, nfct_default_expect_display,
- NULL);
- if (options & CT_OPT_ORIG)
- res = nfct_get_expectation(cth, &orig, id);
- else if (options & CT_OPT_REPL)
- res = nfct_get_expectation(cth, &reply, id);
- nfct_close(cth);
- break;
-
- case CT_FLUSH:
- cth = nfct_open(CONNTRACK, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- res = nfct_flush_conntrack_table(cth, AF_INET);
- nfct_close(cth);
- break;
-
- case EXP_FLUSH:
- cth = nfct_open(EXPECT, 0);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- res = nfct_flush_expectation_table(cth, AF_INET);
- nfct_close(cth);
- break;
-
- case CT_EVENT:
- if (options & CT_OPT_EVENT_MASK)
- cth = nfct_open(CONNTRACK, event_mask);
- else
- cth = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
-
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- signal(SIGINT, event_sighandler);
-
- if (options & CT_COMPARISON) {
- ct = nfct_conntrack_alloc(&orig, &reply, timeout,
- &proto, status, mark, id,
- NULL);
- if (!ct)
- exit_error(OTHER_PROBLEM, "Not enough memory");
-
- cmp.ct = ct;
- cmp.flags = metaflags;
- cmp.l3flags = l3flags;
- cmp.l4flags = l4flags;
- pcmp = &cmp;
- }
-
- nfct_register_callback(cth,
- nfct_default_conntrack_event_display,
- (void *) pcmp);
- res = nfct_event_conntrack(cth);
- nfct_close(cth);
- break;
-
- case EXP_EVENT:
- cth = nfct_open(EXPECT, NF_NETLINK_CONNTRACK_EXP_NEW);
- if (!cth)
- exit_error(OTHER_PROBLEM, "Can't open handler");
- signal(SIGINT, event_sighandler);
- nfct_register_callback(cth, nfct_default_expect_display,
- NULL);
- res = nfct_event_expectation(cth);
- nfct_close(cth);
- break;
-
- case CT_VERSION:
- fprintf(stdout, "%s v%s\n", PROGNAME, VERSION);
- break;
- case CT_HELP:
- usage(argv[0]);
- if (options & CT_OPT_PROTO)
- extension_help(h);
- break;
- default:
- usage(argv[0]);
- break;
- }
-
- if (opts != original_opts) {
- free(opts);
- opts = original_opts;
- global_option_offset = 0;
- }
-
- if (res < 0) {
- fprintf(stderr, "Operation failed: %s\n", err2str(res, command));
- exit(OTHER_PROBLEM);
- }
-
- return 0;
-}
Deleted: trunk/conntrack-tools/cli/test.sh
===================================================================
--- trunk/conntrack-tools/cli/test.sh 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/cli/test.sh 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,110 +0,0 @@
-CONNTRACK=conntrack
-
-SRC=1.1.1.1
-DST=2.2.2.2
-SPORT=2005
-DPORT=21
-
-case $1 in
- dump)
- echo "Dumping conntrack table"
- $CONNTRACK -L
- ;;
- flush)
- echo "Flushing conntrack table"
- $CONNTRACK -F
- ;;
- new)
- echo "creating a new conntrack"
- $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
- --reply-src $DST --reply-dst $SRC -p tcp \
- --orig-port-src $SPORT --orig-port-dst $DPORT \
- --reply-port-src $DPORT --reply-port-dst $SPORT \
- --state LISTEN -u SEEN_REPLY -t 50
- ;;
- new-simple)
- echo "creating a new conntrack (simplified)"
- $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
- -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
- --state LISTEN -u SEEN_REPLY -t 50
- ;;
- new-nat)
- echo "creating a new conntrack (NAT)"
- $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
- -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
- --state LISTEN -u SEEN_REPLY,SRC_NAT -t 50 -a 8.8.8.8
- ;;
- get)
- echo "getting a conntrack"
- $CONNTRACK -G --orig-src $SRC --orig-dst $DST \
- -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
- --reply-port-src $DPORT --reply-port-dst $SPORT
- ;;
- change)
- echo "change a conntrack"
- $CONNTRACK -U --orig-src $SRC --orig-dst $DST \
- --reply-src $DST --reply-dst $SRC -p tcp \
- --orig-port-src $SPORT --orig-port-dst $DPORT \
- --reply-port-src $DPORT --reply-port-dst $SPORT \
- --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500
- ;;
- delete)
- $CONNTRACK -D --orig-src $SRC --orig-dst $DST \
- -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT
- ;;
- output)
- proc=$(cat /proc/net/ip_conntrack | wc -l)
- netl=$($CONNTRACK -L | wc -l)
- count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
- if [ $proc -ne $netl ]; then
- echo "proc is $proc and netl is $netl and count is $count"
- else
- if [ $proc -ne $count ]; then
- echo "proc is $proc and netl is $netl and count is $count"
- else
- echo "now $proc"
- fi
- fi
- ;;
- dump-expect)
- $CONNTRACK -L expect
- ;;
- flush-expect)
- $CONNTRACK -F expect
- ;;
- create-expect)
- # requires modprobe ip_conntrack_ftp
- $CONNTRACK -I expect --orig-src $SRC --orig-dst $DST \
- --tuple-src 4.4.4.4 --tuple-dst 5.5.5.5 \
- --mask-src 255.255.255.0 --mask-dst 255.255.255.255 \
- -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
- -t 200 --tuple-port-src 10 --tuple-port-dst 300 \
- --mask-port-src 10 --mask-port-dst 300
- ;;
- get-expect)
- $CONNTRACK -G expect --orig-src 4.4.4.4 --orig-dst 5.5.5.5 \
- --p tcp --orig-port-src 0 --orig-port-dst 0 \
- --mask-port-src 10 --mask-port-dst 11
- ;;
- delete-expect)
- $CONNTRACK -D expect --orig-src 4.4.4.4 \
- --orig-dst 5.5.5.5 -p tcp --orig-port-src 0 \
- --orig-port-dst 0 --mask-port-src 10 --mask-port-dst 11
- ;;
- *)
- echo "Usage: $0 [dump"
- echo " |new"
- echo " |new-simple"
- echo " |new-nat"
- echo " |get"
- echo " |change"
- echo " |delete"
- echo " |output"
- echo " |flush"
- echo " |dump-expect"
- echo " |flush-expect"
- echo " |create-expect"
- echo " |get-expect"
- echo " |delete-expect]"
- ;;
-esac
Copied: trunk/conntrack-tools/configure.in (from rev 6792, trunk/conntrack-tools/daemon/configure.in)
===================================================================
--- trunk/conntrack-tools/configure.in (rev 0)
+++ trunk/conntrack-tools/configure.in 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,106 @@
+AC_INIT(conntrackd, 0.9.2, pablo at netfilter.org)
+
+AC_CANONICAL_SYSTEM
+
+AM_INIT_AUTOMAKE
+
+AC_PROG_CC
+AM_PROG_LIBTOOL
+AC_PROG_INSTALL
+AC_PROG_LN_S
+AM_PROG_LEX
+AC_PROG_YACC
+
+case $target in
+*-*-linux*) ;;
+*) AC_MSG_ERROR([Linux only, dude!]);;
+esac
+
+AC_CHECK_PROGS(XYACC,$YACC bison yacc,none)
+if test "$XYACC" = "none"
+then
+ echo "*** Error: No suitable bison/yacc found. ***"
+ echo " Please install the 'bison' package."
+ exit 1
+fi
+AC_CHECK_PROGS(XLEX,$LEX flex lex,none)
+if test "$XLEX" = "none"
+then
+ echo "*** Error: No suitable bison/yacc found. ***"
+ echo " Please install the 'bison' package."
+ exit 1
+fi
+
+AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
+
+# Checks for libraries.
+# FIXME: Replace `main' with a function in `-lc':
+dnl AC_CHECK_LIB([c], [main])
+# FIXME: Replace `main' with a function in `-ldl':
+
+AC_CHECK_LIB([nfnetlink], [nfnl_talk] ,,,[-lnfnetlink])
+AC_CHECK_LIB([netfilter_conntrack], [nfct_dump_conntrack_table] ,,,[-lnetfilter_conntrack])
+AC_CHECK_LIB([pthread], [pthread_create] ,,,[-lpthread])
+
+AC_CHECK_HEADERS(arpa/inet.h)
+dnl check for inet_pton
+AC_CHECK_FUNCS(inet_pton)
+dnl Some systems have it, but not IPv6
+if test "$ac_cv_func_inet_pton" = "yes" ; then
+AC_MSG_CHECKING(if inet_pton supports IPv6)
+AC_TRY_RUN(
+ [
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int main()
+ {
+ struct in6_addr addr6;
+ if (inet_pton(AF_INET6, "::1", &addr6) < 1)
+ exit(1);
+ else
+ exit(0);
+ }
+ ], [ AC_MSG_RESULT(yes)
+ AC_DEFINE_UNQUOTED(HAVE_INET_PTON_IPV6, 1, [Define to 1 if inet_pton supports IPv6.])
+ ], AC_MSG_RESULT(no), AC_MSG_RESULT(no))
+fi
+
+# Checks for header files.
+dnl AC_HEADER_STDC
+dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
+
+# Checks for typedefs, structures, and compiler characteristics.
+dnl AC_C_CONST
+dnl AC_C_INLINE
+
+# Checks for library functions.
+dnl AC_FUNC_MALLOC
+dnl AC_FUNC_VPRINTF
+dnl AC_CHECK_FUNCS([memset])
+
+dnl--------------------------------
+
+if test ! -z "$libdir"; then
+ MODULE_DIR="\\\"$libdir/conntrack/\\\""
+ CFLAGS="$CFLAGS -DCONNTRACK_LIB_DIR=$MODULE_DIR"
+fi
+
+dnl--------------------------------
+
+dnl AC_CONFIG_FILES([Makefile
+dnl debug/Makefile
+dnl debug/src/Makefile
+dnl extensions/Makefile
+dnl src/Makefile])
+
+AC_OUTPUT(Makefile src/Makefile include/Makefile extensions/Makefile examples/Makefile examples/stats/Makefile examples/sync/Makefile examples/sync/persistent/Makefile examples/sync/nack/Makefile examples/sync/persistent/node1/Makefile examples/sync/persistent/node2/Makefile examples/sync/nack/node1/Makefile examples/sync/nack/node2/Makefile)
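Review bot: The flex/lex fallback (the `XLEX` block) reports the wrong missing tool — it prints the bison/yacc error text and tells the user to install 'bison', so a host lacking flex gets misleading advice; the two lines should read `echo "*** Error: No suitable flex/lex found. ***"` and `echo " Please install the 'flex' package."`. The AC_MSG_ERROR text for the linux/capability.h check misspells the header as `capabibility.h`, although the header actually probed is spelled correctly. AC_INIT still names the package `conntrackd` at version 0.9.2, which looks like a leftover from the daemon tree now that this configure is meant to drive both the daemon and the CLI tool; confirm whether the merged package name and version should change here. The inet_pton test program calls exit() without including <stdlib.h>, which most compilers tolerate but is worth fixing with `#include <stdlib.h>` so the probe does not depend on an implicit declaration.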
Copied: trunk/conntrack-tools/conntrack.8 (from rev 6792, trunk/conntrack-tools/cli/conntrack.8)
===================================================================
--- trunk/conntrack-tools/conntrack.8 (rev 0)
+++ trunk/conntrack-tools/conntrack.8 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,142 @@
+.TH CONNTRACK 8 "Jun 23, 2005" "" ""
+
+.\" Man page written by Harald Welte <laforge at netfilter.org (Jun 2005)
+
+.SH NAME
+conntrack \- administration tool for netfilter connection tracking
+.SH SYNOPSIS
+.BR "conntrack -L [table] [-z]"
+.br
+.BR "conntrack -G [table] parameters"
+.br
+.BR "conntrack -D [table] paramaters"
+.br
+.BR "conntrack -I [table] parameters"
+.br
+.BR "conntrack -E [table] parameters"
+.br
+.BR "conntrack -F [table]"
+.SH DESCRIPTION
+.B conntrack
+is used to search, list, inspect and maintain the netfilter connection tracking
+subsystem of the Linux kernel.
+.PP
+Using
+.B conntrack
+, you can dump a list of all (or a filtered selection of) currently tracked
+connections, delete connections from the state table, and even add new ones.
+.PP
+In addition, you can also monitor connection tracking events, e.g. show an
+event message (one line) per newly established connection.
+.SH TABLES
+The connection tracking subsystem maintains two internal tables:
+.TP
+.BR "conntrack" :
+This is the default table. It contains a list of all currently tracked
+connections through the system. If you don't use connection tracking
+exemptions (NOTRACK iptables target), this means all connections that go
+through the system.
+.TP
+.BR "expect" :
+This is the table of expectations. Connection tracking expectations are the
+mechanism used to "expect" RELATED connections to existing ones. Expectations
+are generally used by "connection tracking helpers" (sometimes called
+application level gateways [ALGs]) for more complex protocols such as FTP,
+SIP, H.323.
+.SH OPTIONS
+The options recognized by
+.B conntrack
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the particular operation to perform. Only one of them
+can be specified at any given time.
+.TP
+.BI "-L --dump "
+List connection tacking or expectation table
+.TP
+.BI "-G, --get "
+Search for and show a particular (matching) entry in the given table.
+.TP
+.BI "-D, --delete "
+Delete an entry from the given table.
+.TP
+.BI "-I, --create "
+Create a new entry from the given table.
+.TP
+.BI "-E, --event "
+Display a real-time event log.
+.TP
+.BI "-F, --flush "
+Flush the whole given table
+.SS PARAMETERS
+.TP
+.BI "-z, --zero "
+Atomically zero counters after reading them. This option is only valid in
+combination with the "-L, --dump" command options.
+.TP
+.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
+Set the bitmask of events that are to be generated by the in-kernel ctnetlink
+event code. Using this parameter, you can reduce the event messages generated
+by the kernel to those types to those that you are actually interested in.
+.
+This option can only be used in conjunction with "-E, --event".
+.SS FILTER PARAMETERS
+.TP
+.BI "-s, --orig-src " IP_ADDRESS
+Match only entries whose source address in the original direction equals the one specified as argument.
+.TP
+.BI "-d, --orig-dst " IP_ADDRESS
+Match only entries whose destination address in the original direction equals the one specified as argument.
+.TP
+.BI "-r, --reply-src " IP_ADDRESS
+Match only entries whose source address in the reply direction equals the one specified as argument.
+.TP
+.BI "-q, --reply-dst " IP_ADDRESS
+Match only entries whose destination address in the reply direction equals the one specified as argument.
+.TP
+.BI "-p, --proto " "PROTO "
+Specify layer four (TCP, UDP, ...) protocol.
+.TP
+.BI "-f, --family " "PROTO"
+Specify layer three (ipv4, ipv6) protocol
+This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.
+.TP
+.BI "-t, --timeout " "TIMEOUT"
+Specify the timeout.
+.TP
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
+Specify the conntrack status.
+.TP
+.BI "-i, --id " "ID"
+Specify the conntrack ID.
+.
+This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
+.TP
+.BI "--tuple-src " IP_ADDRESS
+Specify the tuple source address of an expectation.
+.TP
+.BI "--tuple-dst " IP_ADDRESS
+Specify the tuple destination address of an expectation.
+.TP
+.BI "--mask-src " IP_ADDRESS
+Specify the source address mask of an expectation.
+.TP
+.BI "--mask-dst " IP_ADDRESS
+Specify the destination address mask of an expectation.
+.SH DIAGNOSTICS
+The exit code is 0 for correct function. Errors which appear to be caused by
+invalid command line parameters cause an exit code of 2. Any other errors
+cause an exit code of 1.
+.SH BUGS
+Bugs? What's this ;-)
+.SH SEE ALSO
+.BR iptables (8)
+.br
+See
+.BR "http://netfilter.org/" .
+.SH AUTHORS
+Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
+.PP
+Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters.
+.PP
+Man page written by Harald Welte <laforge at netfilter.org>.
Deleted: trunk/conntrack-tools/daemon/AUTHORS
===================================================================
--- trunk/conntrack-tools/daemon/AUTHORS 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/AUTHORS 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1 +0,0 @@
-Pablo Neira Ayuso <pablo at netfilter.org>
Deleted: trunk/conntrack-tools/daemon/CHANGELOG
===================================================================
--- trunk/conntrack-tools/daemon/CHANGELOG 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/CHANGELOG 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,184 +0,0 @@
-version 0.9.3 (yet unreleased)
-------------------------------
-o fix commit of confirmed expectations (reported by Nishit Shah)
-o fix double increment of counters in cache_update_force() (Niko Tyni)
-o nl_dump_handler must return NFCT_CB_CONTINUE (Niko Tyni)
-o initialize buffer in nl_event_handler() and nl_dump_handler() (Niko Tyni)
-o CacheCommit value can be set via conntrackd.conf for the NACK approach
-o fix leaks in the hashtable/cache flush path (Niko Tyni)
-o fix leak if a connection already exists in the cache (Niko Tyni)
-o introduce a new header that encapsulates netlink messages
-o remove all '_entry' tail from all functions in cache.c
-o split cache.c: move cache iterators to file cache_iterators.c
-o fix inconsistencies in the cache API related to counters
-o cleanup 'usage' message
-o fix typo in examples/sync/nack/node1/conntrackd.conf
-o introduce message checksumming as described in RFC1071 (enabled by default)
-o major cleanups in the synchronization code
-o just warn once that the maximum netlink socket buffer has been reached
-o fix ignore conntrack entries by IP and introduce ignore pool abstraction layer
-o introduce netlink socket buffer overrun handler
-o constification of hash, compare and hashtable_test functions in hash.c
-o introduce ACKnowledgement mechanisms to reduce the size of the resend queue
-o remove OK messages at startup since provide useless data
-o fix compilation warning in mcast.c: recvfrom takes socklen_t not size_t
-o add a lock per buffer: makes buffer code thread safe
-o introduce 'Replicate' clause to explicitely set states to be replicated
-o kill cache feature abuse: introduce nicer cache hooks for sync algorithms
-o fix oversized buffer allocated in the stack in the cache functions
-o add support to dump internal/external cache in XML format '-x'
-
-version 0.9.2 (2006/01/17)
---------------------------
-o remove spamming packet lost messages
-o generalize network netlink sequence tracking
-o fix bogus error message on resync `-R'
-o fix endianess issues in the network netlink message
-o introduce generic netlink multicast primitives to send and receive
-o fix bogus replayed multicast message due to sequence numbering wraparound
-o introduce counter for malformed netlink messages received
-o introduce a new syntax for the `Sync' section in the configuration file
-o several cleanups and remove unused variables
-o add autostuff to include examples in the tarball (reported by Victor Lozano)
-o use the new API available in libnetfilter_conntrack-0.0.50
-o implement a NACK based protocol for replication
-
-version 0.9.1 (2006/11/06)
---------------------------
-o conntrackd requires kernel >= 2.6.18
-o remove bogus TIMERS_MODE constant
-o implement bulk mode '-B': first works to address the preemption issue
-o fix minor reduction conflicts in the configfile grammar
-o check for CAP_NET_ADMIN instead of requiring root privileges
-o check that linux/capability.h exists
-o fix formatting at dump statistics '-s'
-o move dump traffic stats before multicast traffic stats
-o move event and dump handler to a generic infrastructure: kill events.c file
-o kill unused function inc_ct_stats
-o kill file resync.h
-o cleanup broadcast_sync: renamed to mcast_send_sync
-o sed 's/perror/debug/g' local.c
-o fix bogus increment of update_fail stats at dump stage
-o display descriptive error if we can't connect to conntrackd via UNIX socket
-o remove debugging message from alarm.c
-o move dump_mcast_stats to mcast.c where it really belongs
-o rename stats.c to traffic_stats.c
-o check for replayed/lost multicast message: simple seq tracking w/o recovery
-o reissue nfnl_catch on ENOENT error: a message for other subsystem
-o remove test/ directory in tree
-o improve cache commit stats
-o kill last_commit and last_flush from cache statistics: use the logfile
-o recover cache naming for dump stats `-s'
-o display multicast sequence tracking statistics: packets lost and replayed
-o zero ct_sync_state and ct_stats_state structures after allocation
-o improve keepalived scripts:
- - resync with conntrack table on transition to master
- - send bulk on transition to backup
-o implement alarm cascade of ten levels
-o implement timer cache flavour: limited life of entries in the external cache
-o implement a global lock that protects operation with conntrack entries
-o remove debug checking in cache_del_entry
-o set a reduced timeout for committed entries: 180 seconds by default
-o update comments on the sync-mode code
-o introduce delay destroy messages facility
-o increase timer for external states from 60 to 180 seconds
-o remove unused replicate/dont_replicated constants
-o fix cache entry clashing issue (reported by Maik Hentsche)
-o fix bogus increment of error stats in the external cache
-o remove pollution generated by `[REQ] cache dump' message from logfile
-
-version 0.9.0 (2006/09/17)
---------------------------
-o implement initial for IPv6 (untested)
-o implement generic extensible cache: kill the internal and external caches
-o implement persistence cache feature
-o implement lifetime cache feature
-o modify UNIX facilities identification numbers:
- separate master conntrack facilities and internal plugin facilities
-o break backward compatibility of configuration file:
- remove IgnoreLoopback, use IgnoreTrafficFor instead
- remove IgnoreMulticastTraffic, use IgnoreTrafficFor instead
-o merge event/event_subsys and sync/sync_subsys initialization to run.c
-o improve control of the iteration process in the hashtables
-o fix wrong locking in the alarm thread
-o supersede AcceptNAT by StripNAT clause
-o replace ignore traffic array by a hashtable
-o move lockfile checking before daemonization
-o on initialization error give a descriptive error
-o introduce netlink socket size grown limitator
-o introduce force resync with master conntrack table facility '-R'
-o ignore SIGPIPE signal
-o kill post_step since it is not used anymore
-
-version 0.8.3 (2006/09/03)
---------------------------
-Author: Maik Hentsche <maik mm-double net>
-
-o Fix typo in conntrackd -h
-o Disable debugging messages by default
-o No signals while signals handlings
-o Add extra checkings at forking
-o Check maximum size for file passed via -C
-
-Author: Pablo Neira Ayuso <pablo netfilter org>
-
-o retry select() if EINTR is returned (Reported by Maik Hentsche)
-o Fix bug in slist_for_each_entry (Reported by Maik Hetsche)
-o Signal handler registration done after intialization
-o Implement alarm thread (based on Maik Hentsche's patch)
-o Fix segfault on conntrackd -k (Reported by Maik Hentsche)
-o Fix bug on alarm removal (Reported by Maik Hentsche)
-o configure stops if bison, flex or yacc are not installed
-
-version 0.8.2 (2006/07/05)
---------------------------
-o RelaxTransitions clause introduced in Sync mode
-o multicast messages sequence tracking
-o SocketBufferSize clause to set up the netlink socket buffer
-o use new libnfnetlink API to solve limitations of nfnl_listen
-o extra sanity checkings for netlink multicast messages
-o improve statistics
-o tons of cleanups 8)
-
-version 0.8.1 (2006/06/13)
---------------------------
-o -f now just flushes the internal and external caches
-o -F flushes the master conntrack table
-o fix segfault under heavy load and signal received
-o added -S mode for statistics: still needs more thinking
-
-version 0.8.0 (2006/06/11)
---------------------------
-o more work to generalize the daemon: now it's ready to implement
-modular support for adaptive timers and conntrack statistics, time
-to implement them ;). This is *still* a work in progress.
-
-version 0.7.2 (2006/06/05)
---------------------------
-o stupid bug in normal and alarm caches initialization: flush unset
-o fix racy signal handling
-
-version 0.7.1 (2006/06/05)
---------------------------
-o Bugfix for multicast sockets communication
-
-version 0.7 (2006/06/01)
-------------------------
-o Major code re-structuration: internal and external cache abstraction
-o sequence tracking for event messages
-o expect more changes, I still dislike some stuff in its current status ;)
-
-version 0.6 (2006/05/31)
-------------------------
-o Lock file support
-o use new API nfct_conntrack_event_raw
-o major code clean ups
-
-version 0.5 (2006/05/30)
--------------------------
-o Fix multicast server binds to wrong interface
-o Include clause `IgnoreProtocol', deprecates IgnoreUDP and IgnoreICMP
-
-version 0.4 (2006/05/29)
-------------------------
-o Initial release
Deleted: trunk/conntrack-tools/daemon/CONTRIBUTORS
===================================================================
--- trunk/conntrack-tools/daemon/CONTRIBUTORS 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/CONTRIBUTORS 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,3 +0,0 @@
-Maik Hentsche <netfilter at mm-double.de>:
- - Feedback & Brainstorming
- - Bug hunting
Deleted: trunk/conntrack-tools/daemon/INSTALL
===================================================================
--- trunk/conntrack-tools/daemon/INSTALL 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/INSTALL 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,199 +0,0 @@
-Copyright (C) 2006-2007 Pablo Neira Ayuso <pablo netfilter org>
-
-1.Basic Installation
-====================
-
- To compile and install 'conntrackd' just follow the classical steps:
-
- $ ./configure
- $ make
- # make install
- # mkdir /etc/conntrackd/
-
-2.1. Synchronization Mode
-=========================
-
- Conntrackd can replicate the status of the connections that are currently
- being processed by your stateful firewall based on Linux. This section
- describes how to setup the daemon in synchronization mode:
-
-2.1.1. Requirements
-
- You have to install the following software in order to get conntrackd working,
- make sure that you have installed them correctly before going forward:
-
- o linux kernel version >= 2.6.18 (http://www.kernel.org) with support for:
- - connection tracking system (quite obvious ;)
- - nfnetlink
- - ctnetlink (ip_conntrack_netlink)
- - connection tracking event notification API
-
- o libnfnetlink: the netfilter netlink library
-
- Since conntrackd version 0.9.2 you can used the official release availble at
- http://www.netfilter.org/projects/libnfnetlink/files/
-
- Up to conntrackd version 0.9.1 use the unofficial release available at the
- download section
-
- o libnetfilter_conntrack: the netfilter conntrack library
-
- Since conntrackd version 0.9.2 you can used the official release availble at
- http://www.netfilter.org/projects/libnetfilter_conntrack/files/
-
- Up to conntrackd version 0.9.1 use the unnoficial release available at the
- download section
-
- o Keepalived version 1.x (http://www.keepalived.org)
- check if your distribution comes with a recent version
-
-2.1.2. Configuration
-
- 1) Setting up keepalived
-
- There is an example file available inside the conntrackd tarball:
-
- For node 1: conntrackd-x.x.x/examples/sync/node1/keepalived.conf
- For node 2: conntrackd-x.x.x/examples/sync/node2/keepalived.conf
-
- These files can be used to set up a simple VRRP cluster composed of
- two machines that hold the virtual IPs 192.168.0.100 on eth0 and
- 192.168.1.100 on eth1.
-
- If you are not familiar with keepalived, please read the official
- docs available at http://www.keepalived.org
-
- Please, make sure that keepalived is correctly working before passing
- to step 2)
-
- 2) Setting up conntrackd
-
- To setup 'conntrackd' in synchronization mode, you have to put the
- configuration file in the directory /etc/conntrackd.
-
- On node 1:
- # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf
-
- On node 2:
- # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf
-
- Where _type_ is the synchronization type selected, currently there are
- two: the persistent mode and the NACK mode. The persistent mode consumes
- more resources than the NACK mode, however the NACK mode is still
- experimental
-
- Do not forget to edit the files in order to adapt them to the
- setting that you are deploying.
-
- Note: If you don't want to put the config file under /etc/conntrackd,
- just tell conntrackd where to find it passing the option -C
-
- 3) Running conntrackd
-
- Conntrackd can run in console mode, in that case just type 'conntrackd',
- otherwise, if you want to run it in daemon mode the type 'conntrackd -d'.
-
- 4) Checking that conntrackd is working fine
-
- Conntrackd comes with several facilities to check its status:
-
- - Dump the cache of connections that are currently being processed by
- this node (aka. internal cache):
-
- # conntrackd -i
-
- - Dump the cache of connections that has been transfered from
- others active nodes in the network (aka. external cache)
-
- # conntrackd -e
-
- - Dump statistics collected by the replication daemon:
-
- # conntrackd -s
-
- 5) Setting up interaction with keepalived
-
- If keepalived detects the failure of the active node, then it designates
- a candidate node that will replace the failing active. On such event,
- the external cache, eg. the cache that contains the connections processed
- by other nodes, must be commited. To commit the external cache, just type:
-
- # conntrackd -c
-
- See that keepalived provides a shell script interface to interact with
- other programs, so we can automate the process of commiting the external
- cache by introducing the following line in the keepalived file:
-
- notify_master /etc/conntrackd/script_master.sh
-
- The script 'script_master.sh' just the following:
-
- #!/bin/sh
- /usr/sbin/conntrackd -c
-
- Therefore, on failure event, the candidate node takes over the virtual
- IPs and the connections that the failing active was processing. Observe
- that this file differs for the NACK mode.
-
- 6) Disable TCP window tracking
-
- Until the appropiate patches don't go into kernel mainline, you will have
- to disable TCP window tracking, consider this as a temporary solution:
-
- # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
-
-2.2. Statistics mode
-====================
-
- Conntrackd can also run as statistics daemon, if you are not interested in
- this mode, just skip it. It is not required in order to get the
- synchronization mode working. This section details how to setup the daemon
- in statistics mode:
-
-2.2.1. Requirements
-
- You have to install the following software in order to get conntrackd working,
- make sure that you have them installed correctly before going forward:
-
- o linux kernel version >= 2.6.18 (http://www.kernel.org) with support for:
- - connection tracking system
- - nfnetlink
- - ctnetlink (ip_conntrack_netlink)
- - connection tracking event notification API
-
- o libnfnetlink: the netfilter netlink library
-
- Since conntrackd version 0.9.2 you can used the official release availble at
- http://www.netfilter.org/projects/libnfnetlink/files/
-
- Up to conntrackd version 0.9.1 use the unofficial release available at the
- download section
-
- o libnetfilter_conntrack: the netfilter conntrack library
-
- Since conntrackd version 0.9.2 you can used the official release availble at
- http://www.netfilter.org/projects/libnetfilter_conntrack/files/
-
- Up to conntrackd version 0.9.1 use the unnoficial release available at the
- download section
-
-2.2.2. Configuration
-
- Setting up conntrackd in statistics mode is rather easy. Just copy the
- configuration file
-
- # cp examples/stats/conntrackd.conf /etc/conntrackd.conf
-
-2.2.3. Running conntrackd in statistics mode
-
- To run conntrackd in statistics mode:
-
- # conntrackd -S
-
- Alternatively, you can run conntrackd in daemon mode:
-
- # conntrackd -S -d
-
- In order to dump the statistics, just type:
-
- # conntrackd -s
Deleted: trunk/conntrack-tools/daemon/Make_global.am
===================================================================
--- trunk/conntrack-tools/daemon/Make_global.am 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/Make_global.am 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1 +0,0 @@
-INCLUDES=$(all_includes) -I$(top_srcdir)/include
Deleted: trunk/conntrack-tools/daemon/Makefile.am
===================================================================
--- trunk/conntrack-tools/daemon/Makefile.am 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/Makefile.am 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,21 +0,0 @@
-include Make_global.am
-
-# not a GNU package. You can remove this line, if
-# have all needed files, that a GNU package needs
-AUTOMAKE_OPTIONS = foreign dist-bzip2 1.6
-
-# man_MANS = ""
-# EXTRA_DIST = $(man_MANS) Make_global.am debian
-EXTRA_DIST = Make_global.am CHANGELOG TODO
-
-SUBDIRS = src
-DIST_SUBDIRS = include src examples
-LINKOPTS = -lnfnetlink -lnetfilter_conntrack -lpthread
-AM_CFLAGS = -g
-
-$(OBJECTS): libtool
-libtool: $(LIBTOOL_DEPS)
- $(SHELL) ./config.status --recheck
-
-dist-hook:
- rm -rf `find $(distdir)/debian -name .svn`
Deleted: trunk/conntrack-tools/daemon/TODO
===================================================================
--- trunk/conntrack-tools/daemon/TODO 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/TODO 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,18 +0,0 @@
-There are several tasks that are pending to be done, I have classified them
-by dificulty levels:
-
-Relatively easy
-===============
-
-- test ipv6 support
-- improve shell scripts
-- test NACK based protocol
-- manpage for conntrackd
-
-Requires some work
-==================
-
-- study better keepalived transitions
-- implement support for TCP window tracking (patches are on the table)
- - at the moment you have to disable it:
- echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Deleted: trunk/conntrack-tools/daemon/autogen.sh
===================================================================
--- trunk/conntrack-tools/daemon/autogen.sh 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/autogen.sh 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-run ()
-{
- echo "running: $*"
- eval $*
-
- if test $? != 0 ; then
- echo "error: while running '$*'"
- exit 1
- fi
-}
-
-run aclocal
-run libtoolize -f
-#run autoheader
-run automake -a
-run autoconf
Deleted: trunk/conntrack-tools/daemon/configure.in
===================================================================
--- trunk/conntrack-tools/daemon/configure.in 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/daemon/configure.in 2007-04-16 19:08:42 UTC (rev 6793)
@@ -1,106 +0,0 @@
-AC_INIT(conntrackd, 0.9.2, pablo at netfilter.org)
-
-AC_CANONICAL_SYSTEM
-
-AM_INIT_AUTOMAKE
-
-AC_PROG_CC
-AM_PROG_LIBTOOL
-AC_PROG_INSTALL
-AC_PROG_LN_S
-AM_PROG_LEX
-AC_PROG_YACC
-
-case $target in
-*-*-linux*) ;;
-*) AC_MSG_ERROR([Linux only, dude!]);;
-esac
-
-AC_CHECK_PROGS(XYACC,$YACC bison yacc,none)
-if test "$XYACC" = "none"
-then
- echo "*** Error: No suitable bison/yacc found. ***"
- echo " Please install the 'bison' package."
- exit 1
-fi
-AC_CHECK_PROGS(XLEX,$LEX flex lex,none)
-if test "$XLEX" = "none"
-then
- echo "*** Error: No suitable bison/yacc found. ***"
- echo " Please install the 'bison' package."
- exit 1
-fi
-
-AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
-
-# Checks for libraries.
-# FIXME: Replace `main' with a function in `-lc':
-dnl AC_CHECK_LIB([c], [main])
-# FIXME: Replace `main' with a function in `-ldl':
-
-AC_CHECK_LIB([nfnetlink], [nfnl_talk] ,,,[-lnfnetlink])
-AC_CHECK_LIB([netfilter_conntrack], [nfct_dump_conntrack_table] ,,,[-lnetfilter_conntrack])
-AC_CHECK_LIB([pthread], [pthread_create] ,,,[-lpthread])
-
-AC_CHECK_HEADERS(arpa/inet.h)
-dnl check for inet_pton
-AC_CHECK_FUNCS(inet_pton)
-dnl Some systems have it, but not IPv6
-if test "$ac_cv_func_inet_pton" = "yes" ; then
-AC_MSG_CHECKING(if inet_pton supports IPv6)
-AC_TRY_RUN(
- [
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-int main()
- {
- struct in6_addr addr6;
- if (inet_pton(AF_INET6, "::1", &addr6) < 1)
- exit(1);
- else
- exit(0);
- }
- ], [ AC_MSG_RESULT(yes)
- AC_DEFINE_UNQUOTED(HAVE_INET_PTON_IPV6, 1, [Define to 1 if inet_pton supports IPv6.])
- ], AC_MSG_RESULT(no), AC_MSG_RESULT(no))
-fi
-
-# Checks for header files.
-dnl AC_HEADER_STDC
-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
-
-# Checks for typedefs, structures, and compiler characteristics.
-dnl AC_C_CONST
-dnl AC_C_INLINE
-
-# Checks for library functions.
-dnl AC_FUNC_MALLOC
-dnl AC_FUNC_VPRINTF
-dnl AC_CHECK_FUNCS([memset])
-
-dnl--------------------------------
-
-dnl if test ! -z "$libdir"; then
-dnl MODULE_DIR="\\\"$libdir/conntrack/\\\""
-dnl CFLAGS="$CFLAGS -DCONNTRACK_LIB_DIR=$MODULE_DIR"
-dnl fi
-
-dnl--------------------------------
-
-dnl AC_CONFIG_FILES([Makefile
-dnl debug/Makefile
-dnl debug/src/Makefile
-dnl extensions/Makefile
-dnl src/Makefile])
-
-AC_OUTPUT(Makefile src/Makefile include/Makefile examples/Makefile examples/stats/Makefile examples/sync/Makefile examples/sync/persistent/Makefile examples/sync/nack/Makefile examples/sync/persistent/node1/Makefile examples/sync/persistent/node2/Makefile examples/sync/nack/node1/Makefile examples/sync/nack/node2/Makefile)
Copied: trunk/conntrack-tools/examples (from rev 6792, trunk/conntrack-tools/daemon/examples)
Copied: trunk/conntrack-tools/extensions (from rev 6792, trunk/conntrack-tools/cli/extensions)
Copied: trunk/conntrack-tools/include (from rev 6792, trunk/conntrack-tools/daemon/include)
Copied: trunk/conntrack-tools/include/conntrack.h (from rev 6792, trunk/conntrack-tools/cli/include/conntrack.h)
===================================================================
--- trunk/conntrack-tools/include/conntrack.h (rev 0)
+++ trunk/conntrack-tools/include/conntrack.h 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,160 @@
+#ifndef _CONNTRACK_H
+#define _CONNTRACK_H
+
+#ifdef HAVE_CONFIG_H
+#include "../config.h"
+#endif
+
+#include "linux_list.h"
+#include <getopt.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+#define PROGNAME "conntrack"
+
+#include <netinet/in.h>
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
+enum action {
+ CT_NONE = 0,
+
+ CT_LIST_BIT = 0,
+ CT_LIST = (1 << CT_LIST_BIT),
+
+ CT_CREATE_BIT = 1,
+ CT_CREATE = (1 << CT_CREATE_BIT),
+
+ CT_UPDATE_BIT = 2,
+ CT_UPDATE = (1 << CT_UPDATE_BIT),
+
+ CT_DELETE_BIT = 3,
+ CT_DELETE = (1 << CT_DELETE_BIT),
+
+ CT_GET_BIT = 4,
+ CT_GET = (1 << CT_GET_BIT),
+
+ CT_FLUSH_BIT = 5,
+ CT_FLUSH = (1 << CT_FLUSH_BIT),
+
+ CT_EVENT_BIT = 6,
+ CT_EVENT = (1 << CT_EVENT_BIT),
+
+ CT_VERSION_BIT = 7,
+ CT_VERSION = (1 << CT_VERSION_BIT),
+
+ CT_HELP_BIT = 8,
+ CT_HELP = (1 << CT_HELP_BIT),
+
+ EXP_LIST_BIT = 9,
+ EXP_LIST = (1 << EXP_LIST_BIT),
+
+ EXP_CREATE_BIT = 10,
+ EXP_CREATE = (1 << EXP_CREATE_BIT),
+
+ EXP_DELETE_BIT = 11,
+ EXP_DELETE = (1 << EXP_DELETE_BIT),
+
+ EXP_GET_BIT = 12,
+ EXP_GET = (1 << EXP_GET_BIT),
+
+ EXP_FLUSH_BIT = 13,
+ EXP_FLUSH = (1 << EXP_FLUSH_BIT),
+
+ EXP_EVENT_BIT = 14,
+ EXP_EVENT = (1 << EXP_EVENT_BIT),
+};
+#define NUMBER_OF_CMD 15
+
+enum options {
+ CT_OPT_ORIG_SRC_BIT = 0,
+ CT_OPT_ORIG_SRC = (1 << CT_OPT_ORIG_SRC_BIT),
+
+ CT_OPT_ORIG_DST_BIT = 1,
+ CT_OPT_ORIG_DST = (1 << CT_OPT_ORIG_DST_BIT),
+
+ CT_OPT_ORIG = (CT_OPT_ORIG_SRC | CT_OPT_ORIG_DST),
+
+ CT_OPT_REPL_SRC_BIT = 2,
+ CT_OPT_REPL_SRC = (1 << CT_OPT_REPL_SRC_BIT),
+
+ CT_OPT_REPL_DST_BIT = 3,
+ CT_OPT_REPL_DST = (1 << CT_OPT_REPL_DST_BIT),
+
+ CT_OPT_REPL = (CT_OPT_REPL_SRC | CT_OPT_REPL_DST),
+
+ CT_OPT_PROTO_BIT = 4,
+ CT_OPT_PROTO = (1 << CT_OPT_PROTO_BIT),
+
+ CT_OPT_TIMEOUT_BIT = 5,
+ CT_OPT_TIMEOUT = (1 << CT_OPT_TIMEOUT_BIT),
+
+ CT_OPT_STATUS_BIT = 6,
+ CT_OPT_STATUS = (1 << CT_OPT_STATUS_BIT),
+
+ CT_OPT_ZERO_BIT = 7,
+ CT_OPT_ZERO = (1 << CT_OPT_ZERO_BIT),
+
+ CT_OPT_EVENT_MASK_BIT = 8,
+ CT_OPT_EVENT_MASK = (1 << CT_OPT_EVENT_MASK_BIT),
+
+ CT_OPT_EXP_SRC_BIT = 9,
+ CT_OPT_EXP_SRC = (1 << CT_OPT_EXP_SRC_BIT),
+
+ CT_OPT_EXP_DST_BIT = 10,
+ CT_OPT_EXP_DST = (1 << CT_OPT_EXP_DST_BIT),
+
+ CT_OPT_MASK_SRC_BIT = 11,
+ CT_OPT_MASK_SRC = (1 << CT_OPT_MASK_SRC_BIT),
+
+ CT_OPT_MASK_DST_BIT = 12,
+ CT_OPT_MASK_DST = (1 << CT_OPT_MASK_DST_BIT),
+
+ CT_OPT_NATRANGE_BIT = 13,
+ CT_OPT_NATRANGE = (1 << CT_OPT_NATRANGE_BIT),
+
+ CT_OPT_MARK_BIT = 14,
+ CT_OPT_MARK = (1 << CT_OPT_MARK_BIT),
+
+ CT_OPT_ID_BIT = 15,
+ CT_OPT_ID = (1 << CT_OPT_ID_BIT),
+
+ CT_OPT_FAMILY_BIT = 16,
+ CT_OPT_FAMILY = (1 << CT_OPT_FAMILY_BIT),
+
+ CT_OPT_MAX_BIT = CT_OPT_FAMILY_BIT
+};
+#define NUMBER_OF_OPT CT_OPT_MAX_BIT+1
+
+struct ctproto_handler {
+ struct list_head head;
+
+ char *name;
+ u_int16_t protonum;
+ char *version;
+
+ enum ctattr_protoinfo protoinfo_attr;
+
+ int (*parse_opts)(char c, char *argv[],
+ struct nfct_tuple *orig,
+ struct nfct_tuple *reply,
+ struct nfct_tuple *exptuple,
+ struct nfct_tuple *mask,
+ union nfct_protoinfo *proto,
+ unsigned int *flags);
+
+ int (*final_check)(unsigned int flags,
+ unsigned int command,
+ struct nfct_tuple *orig,
+ struct nfct_tuple *reply);
+
+ void (*help)();
+
+ struct option *opts;
+
+ unsigned int option_offset;
+};
+
+extern void register_proto(struct ctproto_handler *h);
+
+#endif
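Review bot: `#define NUMBER_OF_OPT CT_OPT_MAX_BIT+1` expands without parentheses, so any use inside a larger expression (`2*NUMBER_OF_OPT`, `NUMBER_OF_OPT * sizeof x`) binds wrongly; it should read `#define NUMBER_OF_OPT (CT_OPT_MAX_BIT + 1)`. The neighbouring `#define NUMBER_OF_CMD 15` is a hand-maintained literal that has to be kept in step with `EXP_EVENT_BIT = 14` by eye; deriving it the same way as the options count — a trailing `CT_CMD_MAX_BIT = EXP_EVENT_BIT` in `enum action` and `#define NUMBER_OF_CMD (CT_CMD_MAX_BIT + 1)` — removes that drift risk. `void (*help)();` is a non-prototype declaration the compiler cannot check against callers or the extension that fills it in; if the help callbacks take no arguments, `void (*help)(void);` is the intended signature. The guard `_CONNTRACK_H` sits in the identifier space reserved for the implementation (leading underscore plus uppercase); `CONNTRACK_H` avoids it.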
Copied: trunk/conntrack-tools/src (from rev 6792, trunk/conntrack-tools/daemon/src)
Modified: trunk/conntrack-tools/src/Makefile.am
===================================================================
--- trunk/conntrack-tools/daemon/src/Makefile.am 2007-04-16 17:55:00 UTC (rev 6792)
+++ trunk/conntrack-tools/src/Makefile.am 2007-04-16 19:08:42 UTC (rev 6793)
@@ -4,7 +4,11 @@
CLEANFILES = read_config_yy.c read_config_lex.c
-sbin_PROGRAMS = conntrackd
+sbin_PROGRAMS = conntrack conntrackd
+
+conntrack_SOURCES = conntrack.c
+conntrack_LDFLAGS = -rdynamic
+
conntrackd_SOURCES = alarm.c main.c run.c hash.c buffer.c \
local.c log.c mcast.c netlink.c proxy.c lock.c \
ignore_pool.c \
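Review bot: `conntrack_LDFLAGS = -rdynamic` exports the program's whole dynamic symbol table, which is a deliberate choice that deserves a comment; the reason appears to be that runtime-loaded protocol extensions (the copied conntrack.c includes `<dlfcn.h>` and the header declares `register_proto`) must resolve symbols back into the executable, though the loading code itself is outside this hunk. A one-line comment such as `# -rdynamic: extensions loaded at runtime resolve register_proto() in the executable` would keep the next maintainer from dropping the flag. The hunk adds `conntrack_SOURCES` and `conntrack_LDFLAGS` but no `conntrack_LDADD`; if the link libraries are not supplied elsewhere in this Makefile.am, the conntrack link will lack `-lnetfilter_conntrack` and `-ldl`.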
Copied: trunk/conntrack-tools/src/conntrack.c (from rev 6792, trunk/conntrack-tools/cli/src/conntrack.c)
===================================================================
--- trunk/conntrack-tools/src/conntrack.c (rev 0)
+++ trunk/conntrack-tools/src/conntrack.c 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,1131 @@
+/*
+ * (C) 2005 by Pablo Neira Ayuso <pablo at netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Note:
+ * Yes, portions of this code has been stolen from iptables ;)
+ * Special thanks to the the Netfilter Core Team.
+ * Thanks to Javier de Miguel Rodriguez <jmiguel at talika.eii.us.es>
+ * for introducing me to advanced firewalling stuff.
+ *
+ * --pablo 13/04/2005
+ *
+ * 2005-04-16 Harald Welte <laforge at netfilter.org>:
+ * Add support for conntrack accounting and conntrack mark
+ * 2005-06-23 Harald Welte <laforge at netfilter.org>:
+ * Add support for expect creation
+ * 2005-09-24 Harald Welte <laforge at netfilter.org>:
+ * Remove remaints of "-A"
+ *
+ */
+#include <stdio.h>
+#include <sys/wait.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#include <fcntl.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <string.h>
+#include "linux_list.h"
+#include "conntrack.h"
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_ipv4.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack_ipv6.h>
+
+static const char cmdflags[NUMBER_OF_CMD]
+= {'L','I','U','D','G','F','E','V','h','L','I','D','G','F','E'};
+
+static const char cmd_need_param[NUMBER_OF_CMD]
+= { 2, 0, 0, 0, 0, 2, 2, 2, 2, 2, 0, 0, 0, 2, 2 };
+
+static const char optflags[NUMBER_OF_OPT]
+= {'s','d','r','q','p','t','u','z','e','[',']','{','}','a','m','i','f'};
+
+static struct option original_opts[] = {
+ {"dump", 2, 0, 'L'},
+ {"create", 1, 0, 'I'},
+ {"delete", 1, 0, 'D'},
+ {"update", 1, 0, 'U'},
+ {"get", 1, 0, 'G'},
+ {"flush", 1, 0, 'F'},
+ {"event", 1, 0, 'E'},
+ {"version", 0, 0, 'V'},
+ {"help", 0, 0, 'h'},
+ {"orig-src", 1, 0, 's'},
+ {"orig-dst", 1, 0, 'd'},
+ {"reply-src", 1, 0, 'r'},
+ {"reply-dst", 1, 0, 'q'},
+ {"protonum", 1, 0, 'p'},
+ {"timeout", 1, 0, 't'},
+ {"status", 1, 0, 'u'},
+ {"zero", 0, 0, 'z'},
+ {"event-mask", 1, 0, 'e'},
+ {"tuple-src", 1, 0, '['},
+ {"tuple-dst", 1, 0, ']'},
+ {"mask-src", 1, 0, '{'},
+ {"mask-dst", 1, 0, '}'},
+ {"nat-range", 1, 0, 'a'},
+ {"mark", 1, 0, 'm'},
+ {"id", 2, 0, 'i'},
+ {"family", 1, 0, 'f'},
+ {0, 0, 0, 0}
+};
+
+#define OPTION_OFFSET 256
+
+static struct nfct_handle *cth;
+static struct option *opts = original_opts;
+static unsigned int global_option_offset = 0;
+
+/* Table of legal combinations of commands and options. If any of the
+ * given commands make an option legal, that option is legal (applies to
+ * CMD_LIST and CMD_ZERO only).
+ * Key:
+ * 0 illegal
+ * 1 compulsory
+ * 2 optional
+ */
+
+static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
+/* Well, it's better than "Re: Linux vs FreeBSD" */
+{
+ /* s d r q p t u z e x y k l a m i f*/
+/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2},
+/*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0},
+/*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0},
+/*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0},
+/*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0},
+/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0},
+/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*HELP*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2},
+/*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0},
+/*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_GET*/ {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+/*EXP_EVENT*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+};
+
+static char *lib_dir = CONNTRACK_LIB_DIR;
+
+static LIST_HEAD(proto_list);
+
+void register_proto(struct ctproto_handler *h)
+{
+ if (strcmp(h->version, VERSION) != 0) {
+ fprintf(stderr, "plugin `%s': version %s (I'm %s)\n",
+ h->name, h->version, VERSION);
+ exit(1);
+ }
+ list_add(&h->head, &proto_list);
+}
+
+static struct ctproto_handler *findproto(char *name)
+{
+ struct list_head *i;
+ struct ctproto_handler *cur = NULL, *handler = NULL;
+
+ if (!name)
+ return handler;
+
+ lib_dir = getenv("CONNTRACK_LIB_DIR");
+ if (!lib_dir)
+ lib_dir = CONNTRACK_LIB_DIR;
+
+ list_for_each(i, &proto_list) {
+ cur = (struct ctproto_handler *) i;
+ if (strcmp(cur->name, name) == 0) {
+ handler = cur;
+ break;
+ }
+ }
+
+ if (!handler) {
+ char path[sizeof("ct_proto_.so")
+ + strlen(name) + strlen(lib_dir)];
+ sprintf(path, "%s/ct_proto_%s.so", lib_dir, name);
+ if (dlopen(path, RTLD_NOW))
+ handler = findproto(name);
+ else
+ fprintf(stderr, "%s\n", dlerror());
+ }
+
+ return handler;
+}
+
+enum exittype {
+ OTHER_PROBLEM = 1,
+ PARAMETER_PROBLEM,
+ VERSION_PROBLEM
+};
+
+void extension_help(struct ctproto_handler *h)
+{
+ fprintf(stdout, "\n");
+ fprintf(stdout, "Proto `%s' help:\n", h->name);
+ h->help();
+}
+
+void
+exit_tryhelp(int status)
+{
+ fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
+ PROGNAME, PROGNAME);
+ exit(status);
+}
+
+static void
+exit_error(enum exittype status, char *msg, ...)
+{
+ va_list args;
+
+ /* On error paths, make sure that we don't leak the memory
+ * reserved during options merging */
+ if (opts != original_opts) {
+ free(opts);
+ opts = original_opts;
+ global_option_offset = 0;
+ }
+ va_start(args, msg);
+ fprintf(stderr,"%s v%s: ", PROGNAME, VERSION);
+ vfprintf(stderr, msg, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ if (status == PARAMETER_PROBLEM)
+ exit_tryhelp(status);
+ exit(status);
+}
+
+static void
+generic_cmd_check(int command, int options)
+{
+ int i;
+
+ for (i = 0; i < NUMBER_OF_CMD; i++) {
+ if (!(command & (1<<i)))
+ continue;
+
+ if (cmd_need_param[i] == 0 && !options)
+ exit_error(PARAMETER_PROBLEM,
+ "You need to supply parameters to `-%c'\n",
+ cmdflags[i]);
+ }
+}
+
+static void
+generic_opt_check(int command, int options)
+{
+ int i, j, legal = 0;
+
+ /* Check that commands are valid with options. Complicated by the
+ * fact that if an option is legal with *any* command given, it is
+ * legal overall (ie. -z and -l).
+ */
+ for (i = 0; i < NUMBER_OF_OPT; i++) {
+ legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
+
+ for (j = 0; j < NUMBER_OF_CMD; j++) {
+ if (!(command & (1<<j)))
+ continue;
+
+ if (!(options & (1<<i))) {
+ if (commands_v_options[j][i] == 1)
+ exit_error(PARAMETER_PROBLEM,
+ "You need to supply the "
+ "`-%c' option for this "
+ "command\n", optflags[i]);
+ } else {
+ if (commands_v_options[j][i] != 0)
+ legal = 1;
+ else if (legal == 0)
+ legal = -1;
+ }
+ }
+ if (legal == -1)
+ exit_error(PARAMETER_PROBLEM, "Illegal option `-%c' "
+ "with this command\n", optflags[i]);
+ }
+}
+
+static struct option *
+merge_options(struct option *oldopts, const struct option *newopts,
+ unsigned int *option_offset)
+{
+ unsigned int num_old, num_new, i;
+ struct option *merge;
+
+ for (num_old = 0; oldopts[num_old].name; num_old++);
+ for (num_new = 0; newopts[num_new].name; num_new++);
+
+ global_option_offset += OPTION_OFFSET;
+ *option_offset = global_option_offset;
+
+ merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
+ memcpy(merge, oldopts, num_old * sizeof(struct option));
+ for (i = 0; i < num_new; i++) {
+ merge[num_old + i] = newopts[i];
+ merge[num_old + i].val += *option_offset;
+ }
+ memset(merge + num_old + num_new, 0, sizeof(struct option));
+
+ return merge;
+}
+
+/* From linux/errno.h */
+#define ENOTSUPP 524 /* Operation is not supported */
+
+/* Translates errno numbers into more human-readable form than strerror. */
+const char *
+err2str(int err, enum action command)
+{
+ unsigned int i;
+ struct table_struct {
+ enum action act;
+ int err;
+ const char *message;
+ } table [] =
+ { { CT_LIST, -ENOTSUPP, "function not implemented" },
+ { 0xFFFF, -EINVAL, "invalid parameters" },
+ { CT_CREATE, -EEXIST, "Such conntrack exists, try -U to update" },
+ { CT_CREATE|CT_GET|CT_DELETE, -ENOENT,
+ "such conntrack doesn't exist" },
+ { CT_CREATE|CT_GET, -ENOMEM, "not enough memory" },
+ { CT_GET, -EAFNOSUPPORT, "protocol not supported" },
+ { CT_CREATE, -ETIME, "conntrack has expired" },
+ { EXP_CREATE, -ENOENT, "master conntrack not found" },
+ { EXP_CREATE, -EINVAL, "invalid parameters" },
+ { ~0UL, -EPERM, "sorry, you must be root or get "
+ "CAP_NET_ADMIN capability to do this"}
+ };
+
+ for (i = 0; i < sizeof(table)/sizeof(struct table_struct); i++) {
+ if ((table[i].act & command) && table[i].err == err)
+ return table[i].message;
+ }
+
+ return strerror(err);
+}
+
+#define PARSE_STATUS 0
+#define PARSE_EVENT 1
+#define PARSE_MAX 2
+
+static struct parse_parameter {
+ char *parameter[6];
+ size_t size;
+ unsigned int value[6];
+} parse_array[PARSE_MAX] = {
+ { {"ASSURED", "SEEN_REPLY", "UNSET", "SRC_NAT", "DST_NAT","FIXED_TIMEOUT"}, 6,
+ { IPS_ASSURED, IPS_SEEN_REPLY, 0,
+ IPS_SRC_NAT_DONE, IPS_DST_NAT_DONE, IPS_FIXED_TIMEOUT} },
+ { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
+ {~0U, NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_UPDATE,
+ NF_NETLINK_CONNTRACK_DESTROY} },
+};
+
+static int
+do_parse_parameter(const char *str, size_t strlen, unsigned int *value,
+ int parse_type)
+{
+ int i, ret = 0;
+ struct parse_parameter *p = &parse_array[parse_type];
+
+ for (i = 0; i < p->size; i++)
+ if (strncasecmp(str, p->parameter[i], strlen) == 0) {
+ *value |= p->value[i];
+ ret = 1;
+ break;
+ }
+
+ return ret;
+}
+
+static void
+parse_parameter(const char *arg, unsigned int *status, int parse_type)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg
+ || !do_parse_parameter(arg, comma-arg, status, parse_type))
+ exit_error(PARAMETER_PROBLEM,"Bad parameter `%s'", arg);
+ arg = comma+1;
+ }
+
+ if (strlen(arg) == 0
+ || !do_parse_parameter(arg, strlen(arg), status, parse_type))
+ exit_error(PARAMETER_PROBLEM, "Bad parameter `%s'", arg);
+}
+
+static void
+add_command(unsigned int *cmd, const int newcmd, const int othercmds)
+{
+ if (*cmd & (~othercmds))
+ exit_error(PARAMETER_PROBLEM, "Invalid commands combination\n");
+ *cmd |= newcmd;
+}
+
+unsigned int check_type(int argc, char *argv[])
+{
+ char *table = NULL;
+
+ /* Nasty bug or feature in getopt_long ?
+ * It seems that it behaves badly with optional arguments.
+ * Fortunately, I just stole the fix from iptables ;) */
+ if (optarg)
+ return 0;
+ else if (optind < argc && argv[optind][0] != '-'
+ && argv[optind][0] != '!')
+ table = argv[optind++];
+
+ if (!table)
+ return 0;
+
+ if (strncmp("expect", table, 6) == 0)
+ return 1;
+ else if (strncmp("conntrack", table, 9) == 0)
+ return 0;
+ else
+ exit_error(PARAMETER_PROBLEM, "unknown type `%s'\n", table);
+
+ return 0;
+}
+
+static void set_family(int *family, int new)
+{
+ if (*family == AF_UNSPEC)
+ *family = new;
+ else if (*family != new)
+ exit_error(PARAMETER_PROBLEM, "mismatched address family\n");
+}
+
+struct addr_parse {
+ struct in_addr addr;
+ struct in6_addr addr6;
+ unsigned int family;
+};
+
+int __parse_inetaddr(const char *cp, struct addr_parse *parse)
+{
+ if (inet_aton(cp, &parse->addr))
+ return AF_INET;
+#ifdef HAVE_INET_PTON_IPV6
+ else if (inet_pton(AF_INET6, cp, &parse->addr6) > 0)
+ return AF_INET6;
+#endif
+
+ exit_error(PARAMETER_PROBLEM, "Invalid IP address `%s'.", cp);
+}
+
+int parse_inetaddr(const char *cp, union nfct_address *address)
+{
+ struct addr_parse parse;
+ int ret;
+
+ if ((ret = __parse_inetaddr(cp, &parse)) == AF_INET)
+ address->v4 = parse.addr.s_addr;
+ else if (ret == AF_INET6)
+ memcpy(address->v6, &parse.addr6, sizeof(parse.addr6));
+
+ return ret;
+}
+
+/* Shamelessly stolen from libipt_DNAT ;). Ranges expected in network order. */
+static void
+nat_parse(char *arg, int portok, struct nfct_nat *range)
+{
+ char *colon, *dash, *error;
+ struct addr_parse parse;
+
+ memset(range, 0, sizeof(range));
+ colon = strchr(arg, ':');
+
+ if (colon) {
+ int port;
+
+ if (!portok)
+ exit_error(PARAMETER_PROBLEM,
+ "Need TCP or UDP with port specification");
+
+ port = atoi(colon+1);
+ if (port == 0 || port > 65535)
+ exit_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
+
+ error = strchr(colon+1, ':');
+ if (error)
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range->l4min.tcp.port
+ = range->l4max.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport == 0 || maxport > 65535)
+ exit_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. */
+ exit_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range->l4min.tcp.port = htons(port);
+ range->l4max.tcp.port = htons(maxport);
+ }
+ /* Starts with a colon? No IP info... */
+ if (colon == arg)
+ return;
+ *colon = '\0';
+ }
+
+ dash = strchr(arg, '-');
+ if (colon && dash && dash > colon)
+ dash = NULL;
+
+ if (dash)
+ *dash = '\0';
+
+ if (__parse_inetaddr(arg, &parse) != AF_INET)
+ return;
+
+ range->min_ip = parse.addr.s_addr;
+ if (dash) {
+ if (__parse_inetaddr(dash+1, &parse) != AF_INET)
+ return;
+ range->max_ip = parse.addr.s_addr;
+ } else
+ range->max_ip = parse.addr.s_addr;
+}
+
+static void event_sighandler(int s)
+{
+ fprintf(stdout, "Now closing conntrack event dumping...\n");
+ nfct_close(cth);
+ exit(0);
+}
+
+static const char usage_commands[] =
+ "Commands:\n"
+ " -L [table] [options]\t\tList conntrack or expectation table\n"
+ " -G [table] parameters\t\tGet conntrack or expectation\n"
+ " -D [table] parameters\t\tDelete conntrack or expectation\n"
+ " -I [table] parameters\t\tCreate a conntrack or expectation\n"
+ " -U [table] parameters\t\tUpdate a conntrack\n"
+ " -E [table] [options]\t\tShow events\n"
+ " -F [table]\t\t\tFlush table\n";
+
+static const char usage_tables[] =
+ "Tables: conntrack, expect\n";
+
+static const char usage_conntrack_parameters[] =
+ "Conntrack parameters and options:\n"
+ " -a, --nat-range min_ip[-max_ip]\tNAT ip range\n"
+ " -m, --mark mark\t\t\tSet mark\n"
+ " -e, --event-mask eventmask\t\tEvent mask, eg. NEW,DESTROY\n"
+ " -z, --zero \t\t\t\tZero counters while listing\n"
+ ;
+
+static const char usage_expectation_parameters[] =
+ "Expectation parameters and options:\n"
+ " --tuple-src ip\tSource address in expect tuple\n"
+ " --tuple-dst ip\tDestination address in expect tuple\n"
+ " --mask-src ip\t\tSource mask address\n"
+ " --mask-dst ip\t\tDestination mask address\n";
+
+static const char usage_parameters[] =
+ "Common parameters and options:\n"
+ " -s, --orig-src ip\t\tSource address from original direction\n"
+ " -d, --orig-dst ip\t\tDestination address from original direction\n"
+ " -r, --reply-src ip\t\tSource addres from reply direction\n"
+ " -q, --reply-dst ip\t\tDestination address from reply direction\n"
+ " -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
+ " -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
+ " -t, --timeout timeout\t\tSet timeout\n"
+ " -u, --status status\t\tSet status, eg. ASSURED\n"
+ " -i, --id [id]\t\t\tShow or set conntrack ID\n"
+ ;
+
+
+void usage(char *prog) {
+ fprintf(stdout, "Tool to manipulate conntrack and expectations. Version %s\n", VERSION);
+ fprintf(stdout, "Usage: %s [commands] [options]\n", prog);
+
+ fprintf(stdout, "\n%s", usage_commands);
+ fprintf(stdout, "\n%s", usage_tables);
+ fprintf(stdout, "\n%s", usage_conntrack_parameters);
+ fprintf(stdout, "\n%s", usage_expectation_parameters);
+ fprintf(stdout, "\n%s", usage_parameters);
+}
+
+#define CT_COMPARISON (CT_OPT_PROTO | CT_OPT_ORIG | CT_OPT_REPL | CT_OPT_MARK)
+
+static struct nfct_tuple orig, reply, mask;
+static struct nfct_tuple exptuple;
+static struct ctproto_handler *h;
+static union nfct_protoinfo proto;
+static struct nfct_nat range;
+static struct nfct_conntrack *ct;
+static struct nfct_expect *exp;
+static unsigned long timeout;
+static unsigned int status;
+static unsigned int mark;
+static unsigned int id = NFCT_ANY_ID;
+static struct nfct_conntrack_compare cmp;
+
+int main(int argc, char *argv[])
+{
+ int c;
+ unsigned int command = 0, options = 0;
+ unsigned int type = 0, event_mask = 0;
+ unsigned int l3flags = 0, l4flags = 0, metaflags = 0;
+ int res = 0;
+ int family = AF_UNSPEC;
+ struct nfct_conntrack_compare *pcmp;
+
+ while ((c = getopt_long(argc, argv,
+ "L::I::U::D::G::E::F::hVs:d:r:q:p:t:u:e:a:z[:]:{:}:m:i::f:",
+ opts, NULL)) != -1) {
+ switch(c) {
+ case 'L':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_LIST, CT_NONE);
+ else if (type == 1)
+ add_command(&command, EXP_LIST, CT_NONE);
+ break;
+ case 'I':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_CREATE, CT_NONE);
+ else if (type == 1)
+ add_command(&command, EXP_CREATE, CT_NONE);
+ break;
+ case 'U':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_UPDATE, CT_NONE);
+ else
+ exit_error(PARAMETER_PROBLEM, "Can't update "
+ "expectations");
+ break;
+ case 'D':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_DELETE, CT_NONE);
+ else if (type == 1)
+ add_command(&command, EXP_DELETE, CT_NONE);
+ break;
+ case 'G':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_GET, CT_NONE);
+ else if (type == 1)
+ add_command(&command, EXP_GET, CT_NONE);
+ break;
+ case 'F':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_FLUSH, CT_NONE);
+ else if (type == 1)
+ add_command(&command, EXP_FLUSH, CT_NONE);
+ break;
+ case 'E':
+ type = check_type(argc, argv);
+ if (type == 0)
+ add_command(&command, CT_EVENT, CT_NONE);
+ else if (type == 1)
+ add_command(&command, EXP_EVENT, CT_NONE);
+ break;
+ case 'V':
+ add_command(&command, CT_VERSION, CT_NONE);
+ break;
+ case 'h':
+ add_command(&command, CT_HELP, CT_NONE);
+ break;
+ case 's':
+ options |= CT_OPT_ORIG_SRC;
+ if (optarg) {
+ orig.l3protonum =
+ parse_inetaddr(optarg, &orig.src);
+ set_family(&family, orig.l3protonum);
+ if (orig.l3protonum == AF_INET)
+ l3flags |= IPV4_ORIG_SRC;
+ else if (orig.l3protonum == AF_INET6)
+ l3flags |= IPV6_ORIG_SRC;
+ }
+ break;
+ case 'd':
+ options |= CT_OPT_ORIG_DST;
+ if (optarg) {
+ orig.l3protonum =
+ parse_inetaddr(optarg, &orig.dst);
+ set_family(&family, orig.l3protonum);
+ if (orig.l3protonum == AF_INET)
+ l3flags |= IPV4_ORIG_DST;
+ else if (orig.l3protonum == AF_INET6)
+ l3flags |= IPV6_ORIG_DST;
+ }
+ break;
+ case 'r':
+ options |= CT_OPT_REPL_SRC;
+ if (optarg) {
+ reply.l3protonum =
+ parse_inetaddr(optarg, &reply.src);
+ set_family(&family, reply.l3protonum);
+ if (orig.l3protonum == AF_INET)
+ l3flags |= IPV4_REPL_SRC;
+ else if (orig.l3protonum == AF_INET6)
+ l3flags |= IPV6_REPL_SRC;
+ }
+ break;
+ case 'q':
+ options |= CT_OPT_REPL_DST;
+ if (optarg) {
+ reply.l3protonum =
+ parse_inetaddr(optarg, &reply.dst);
+ set_family(&family, reply.l3protonum);
+ if (orig.l3protonum == AF_INET)
+ l3flags |= IPV4_REPL_DST;
+ else if (orig.l3protonum == AF_INET6)
+ l3flags |= IPV6_REPL_DST;
+ }
+ break;
+ case 'p':
+ options |= CT_OPT_PROTO;
+ h = findproto(optarg);
+ if (!h)
+ exit_error(PARAMETER_PROBLEM, "proto needed\n");
+ orig.protonum = h->protonum;
+ reply.protonum = h->protonum;
+ exptuple.protonum = h->protonum;
+ mask.protonum = h->protonum;
+ opts = merge_options(opts, h->opts,
+ &h->option_offset);
+ break;
+ case 't':
+ options |= CT_OPT_TIMEOUT;
+ if (optarg)
+ timeout = atol(optarg);
+ break;
+ case 'u': {
+ if (!optarg)
+ continue;
+
+ options |= CT_OPT_STATUS;
+ parse_parameter(optarg, &status, PARSE_STATUS);
+ break;
+ }
+ case 'e':
+ options |= CT_OPT_EVENT_MASK;
+ parse_parameter(optarg, &event_mask, PARSE_EVENT);
+ break;
+ case 'z':
+ options |= CT_OPT_ZERO;
+ break;
+ case '{':
+ options |= CT_OPT_MASK_SRC;
+ if (optarg) {
+ mask.l3protonum =
+ parse_inetaddr(optarg, &mask.src);
+ set_family(&family, mask.l3protonum);
+ }
+ break;
+ case '}':
+ options |= CT_OPT_MASK_DST;
+ if (optarg) {
+ mask.l3protonum =
+ parse_inetaddr(optarg, &mask.dst);
+ set_family(&family, mask.l3protonum);
+ }
+ break;
+ case '[':
+ options |= CT_OPT_EXP_SRC;
+ if (optarg) {
+ exptuple.l3protonum =
+ parse_inetaddr(optarg, &exptuple.src);
+ set_family(&family, exptuple.l3protonum);
+ }
+ break;
+ case ']':
+ options |= CT_OPT_EXP_DST;
+ if (optarg) {
+ exptuple.l3protonum =
+ parse_inetaddr(optarg, &exptuple.dst);
+ set_family(&family, exptuple.l3protonum);
+ }
+ break;
+ case 'a':
+ options |= CT_OPT_NATRANGE;
+ set_family(&family, AF_INET);
+ nat_parse(optarg, 1, &range);
+ break;
+ case 'm':
+ options |= CT_OPT_MARK;
+ mark = atol(optarg);
+ metaflags |= NFCT_MARK;
+ break;
+ case 'i': {
+ char *s = NULL;
+ options |= CT_OPT_ID;
+ if (optarg)
+ break;
+ else if (optind < argc && argv[optind][0] != '-'
+ && argv[optind][0] != '!')
+ s = argv[optind++];
+
+ if (s)
+ id = atol(s);
+ break;
+ }
+ case 'f':
+ options |= CT_OPT_FAMILY;
+ if (strncmp(optarg, "ipv4", strlen("ipv4")) == 0)
+ set_family(&family, AF_INET);
+ else if (strncmp(optarg, "ipv6", strlen("ipv6")) == 0)
+ set_family(&family, AF_INET6);
+ else
+ exit_error(PARAMETER_PROBLEM, "Unknown "
+ "protocol family\n");
+ break;
+ default:
+ if (h && h->parse_opts
+ &&!h->parse_opts(c - h->option_offset, argv, &orig,
+ &reply, &exptuple, &mask, &proto,
+ &l4flags))
+ exit_error(PARAMETER_PROBLEM, "parse error\n");
+
+ /* Unknown argument... */
+ if (!h) {
+ usage(argv[0]);
+ exit_error(PARAMETER_PROBLEM, "Missing "
+ "arguments...\n");
+ }
+ break;
+ }
+ }
+
+ /* default family */
+ if (family == AF_UNSPEC)
+ family = AF_INET;
+
+ generic_cmd_check(command, options);
+ generic_opt_check(command, options);
+
+ if (!(command & CT_HELP)
+ && h && h->final_check
+ && !h->final_check(l4flags, command, &orig, &reply)) {
+ usage(argv[0]);
+ extension_help(h);
+ exit_error(PARAMETER_PROBLEM, "Missing protocol arguments!\n");
+ }
+
+ switch(command) {
+
+ case CT_LIST:
+ cth = nfct_open(CONNTRACK, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+
+ if (options & CT_COMPARISON) {
+
+ if (options & CT_OPT_ZERO)
+ exit_error(PARAMETER_PROBLEM, "Can't use -z "
+ "with filtering parameters");
+
+ ct = nfct_conntrack_alloc(&orig, &reply, timeout,
+ &proto, status, mark, id,
+ NULL);
+ if (!ct)
+ exit_error(OTHER_PROBLEM, "Not enough memory");
+
+ cmp.ct = ct;
+ cmp.flags = metaflags;
+ cmp.l3flags = l3flags;
+ cmp.l4flags = l4flags;
+ pcmp = &cmp;
+ }
+
+ if (options & CT_OPT_ID)
+ nfct_register_callback(cth,
+ nfct_default_conntrack_display_id,
+ (void *) pcmp);
+ else
+ nfct_register_callback(cth,
+ nfct_default_conntrack_display,
+ (void *) pcmp);
+
+ if (options & CT_OPT_ZERO)
+ res =
+ nfct_dump_conntrack_table_reset_counters(cth, family);
+ else
+ res = nfct_dump_conntrack_table(cth, family);
+ nfct_close(cth);
+ break;
+
+ case EXP_LIST:
+ cth = nfct_open(EXPECT, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ if (options & CT_OPT_ID)
+ nfct_register_callback(cth,
+ nfct_default_expect_display_id,
+ NULL);
+ else
+ nfct_register_callback(cth,
+ nfct_default_expect_display,
+ NULL);
+ res = nfct_dump_expect_list(cth, family);
+ nfct_close(cth);
+ break;
+
+ case CT_CREATE:
+ if ((options & CT_OPT_ORIG)
+ && !(options & CT_OPT_REPL)) {
+ reply.l3protonum = orig.l3protonum;
+ memcpy(&reply.src, &orig.dst, sizeof(reply.src));
+ memcpy(&reply.dst, &orig.src, sizeof(reply.dst));
+ } else if (!(options & CT_OPT_ORIG)
+ && (options & CT_OPT_REPL)) {
+ orig.l3protonum = reply.l3protonum;
+ memcpy(&orig.src, &reply.dst, sizeof(orig.src));
+ memcpy(&orig.dst, &reply.src, sizeof(orig.dst));
+ }
+ if (options & CT_OPT_NATRANGE)
+ ct = nfct_conntrack_alloc(&orig, &reply, timeout,
+ &proto, status, mark, id,
+ &range);
+ else
+ ct = nfct_conntrack_alloc(&orig, &reply, timeout,
+ &proto, status, mark, id,
+ NULL);
+ if (!ct)
+ exit_error(OTHER_PROBLEM, "Not Enough memory");
+
+ cth = nfct_open(CONNTRACK, 0);
+ if (!cth) {
+ nfct_conntrack_free(ct);
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ }
+ res = nfct_create_conntrack(cth, ct);
+ nfct_close(cth);
+ nfct_conntrack_free(ct);
+ break;
+
+ case EXP_CREATE:
+ if (options & CT_OPT_ORIG)
+ exp = nfct_expect_alloc(&orig, &exptuple,
+ &mask, timeout, id);
+ else if (options & CT_OPT_REPL)
+ exp = nfct_expect_alloc(&reply, &exptuple,
+ &mask, timeout, id);
+ if (!exp)
+ exit_error(OTHER_PROBLEM, "Not enough memory");
+
+ cth = nfct_open(EXPECT, 0);
+ if (!cth) {
+ nfct_expect_free(exp);
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ }
+ res = nfct_create_expectation(cth, exp);
+ nfct_expect_free(exp);
+ nfct_close(cth);
+ break;
+
+ case CT_UPDATE:
+ if ((options & CT_OPT_ORIG)
+ && !(options & CT_OPT_REPL)) {
+ reply.l3protonum = orig.l3protonum;
+ memcpy(&reply.src, &orig.dst, sizeof(reply.src));
+ memcpy(&reply.dst, &orig.src, sizeof(reply.dst));
+ } else if (!(options & CT_OPT_ORIG)
+ && (options & CT_OPT_REPL)) {
+ orig.l3protonum = reply.l3protonum;
+ memcpy(&orig.src, &reply.dst, sizeof(orig.src));
+ memcpy(&orig.dst, &reply.src, sizeof(orig.dst));
+ }
+ ct = nfct_conntrack_alloc(&orig, &reply, timeout,
+ &proto, status, mark, id,
+ NULL);
+ if (!ct)
+ exit_error(OTHER_PROBLEM, "Not enough memory");
+
+ cth = nfct_open(CONNTRACK, 0);
+ if (!cth) {
+ nfct_conntrack_free(ct);
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ }
+ res = nfct_update_conntrack(cth, ct);
+ nfct_conntrack_free(ct);
+ nfct_close(cth);
+ break;
+
+ case CT_DELETE:
+ if (!(options & CT_OPT_ORIG) && !(options & CT_OPT_REPL))
+ exit_error(PARAMETER_PROBLEM, "Can't kill conntracks "
+ "just by its ID");
+ cth = nfct_open(CONNTRACK, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ if (options & CT_OPT_ORIG)
+ res = nfct_delete_conntrack(cth, &orig,
+ NFCT_DIR_ORIGINAL,
+ id);
+ else if (options & CT_OPT_REPL)
+ res = nfct_delete_conntrack(cth, &reply,
+ NFCT_DIR_REPLY,
+ id);
+ nfct_close(cth);
+ break;
+
+ case EXP_DELETE:
+ cth = nfct_open(EXPECT, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ if (options & CT_OPT_ORIG)
+ res = nfct_delete_expectation(cth, &orig, id);
+ else if (options & CT_OPT_REPL)
+ res = nfct_delete_expectation(cth, &reply, id);
+ nfct_close(cth);
+ break;
+
+ case CT_GET:
+ cth = nfct_open(CONNTRACK, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ nfct_register_callback(cth, nfct_default_conntrack_display,
+ NULL);
+ if (options & CT_OPT_ORIG)
+ res = nfct_get_conntrack(cth, &orig,
+ NFCT_DIR_ORIGINAL, id);
+ else if (options & CT_OPT_REPL)
+ res = nfct_get_conntrack(cth, &reply,
+ NFCT_DIR_REPLY, id);
+ nfct_close(cth);
+ break;
+
+ case EXP_GET:
+ cth = nfct_open(EXPECT, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ nfct_register_callback(cth, nfct_default_expect_display,
+ NULL);
+ if (options & CT_OPT_ORIG)
+ res = nfct_get_expectation(cth, &orig, id);
+ else if (options & CT_OPT_REPL)
+ res = nfct_get_expectation(cth, &reply, id);
+ nfct_close(cth);
+ break;
+
+ case CT_FLUSH:
+ cth = nfct_open(CONNTRACK, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ res = nfct_flush_conntrack_table(cth, AF_INET);
+ nfct_close(cth);
+ break;
+
+ case EXP_FLUSH:
+ cth = nfct_open(EXPECT, 0);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ res = nfct_flush_expectation_table(cth, AF_INET);
+ nfct_close(cth);
+ break;
+
+ case CT_EVENT:
+ if (options & CT_OPT_EVENT_MASK)
+ cth = nfct_open(CONNTRACK, event_mask);
+ else
+ cth = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
+
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ signal(SIGINT, event_sighandler);
+
+ if (options & CT_COMPARISON) {
+ ct = nfct_conntrack_alloc(&orig, &reply, timeout,
+ &proto, status, mark, id,
+ NULL);
+ if (!ct)
+ exit_error(OTHER_PROBLEM, "Not enough memory");
+
+ cmp.ct = ct;
+ cmp.flags = metaflags;
+ cmp.l3flags = l3flags;
+ cmp.l4flags = l4flags;
+ pcmp = &cmp;
+ }
+
+ nfct_register_callback(cth,
+ nfct_default_conntrack_event_display,
+ (void *) pcmp);
+ res = nfct_event_conntrack(cth);
+ nfct_close(cth);
+ break;
+
+ case EXP_EVENT:
+ cth = nfct_open(EXPECT, NF_NETLINK_CONNTRACK_EXP_NEW);
+ if (!cth)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+ signal(SIGINT, event_sighandler);
+ nfct_register_callback(cth, nfct_default_expect_display,
+ NULL);
+ res = nfct_event_expectation(cth);
+ nfct_close(cth);
+ break;
+
+ case CT_VERSION:
+ fprintf(stdout, "%s v%s\n", PROGNAME, VERSION);
+ break;
+ case CT_HELP:
+ usage(argv[0]);
+ if (options & CT_OPT_PROTO)
+ extension_help(h);
+ break;
+ default:
+ usage(argv[0]);
+ break;
+ }
+
+ if (opts != original_opts) {
+ free(opts);
+ opts = original_opts;
+ global_option_offset = 0;
+ }
+
+ if (res < 0) {
+ fprintf(stderr, "Operation failed: %s\n", err2str(res, command));
+ exit(OTHER_PROBLEM);
+ }
+
+ return 0;
+}
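Review bot: The `path` array in findproto, `char path[sizeof("ct_proto_.so") + strlen(name) + strlen(lib_dir)]`, is one byte too small for what the following `sprintf` writes: the format `"%s/ct_proto_%s.so"` inserts a `/` that the sizeof term does not account for, so the terminating NUL is stored past the end of a stack buffer, with `name` coming from the `-p` argument and `lib_dir` from the `CONNTRACK_LIB_DIR` environment variable. Size the buffer from the actual format, `char path[sizeof("/ct_proto_.so") + strlen(name) + strlen(lib_dir)];`, or better build it with `snprintf(path, sizeof path, "%s/ct_proto_%s.so", lib_dir, name)` and reject a truncated result before calling dlopen. In main, `pcmp` is declared without an initialiser but the CT_LIST and CT_EVENT branches hand it to nfct_register_callback whenever no CT_COMPARISON option was given, so the callback receives an indeterminate pointer; `struct nfct_conntrack_compare *pcmp = NULL;` fixes that, and nat_parse's `memset(range, 0, sizeof(range))` clears only a pointer's worth of bytes and should be `sizeof(*range)`. The `-r` and `-q` cases set `reply.l3protonum` but then test `orig.l3protonum` to choose the IPV4_REPL_*/IPV6_REPL_* flags, so the reply-side flags depend on whether `-s`/`-d` happened to be parsed first.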
Copied: trunk/conntrack-tools/test.sh (from rev 6792, trunk/conntrack-tools/cli/test.sh)
===================================================================
--- trunk/conntrack-tools/test.sh (rev 0)
+++ trunk/conntrack-tools/test.sh 2007-04-16 19:08:42 UTC (rev 6793)
@@ -0,0 +1,110 @@
+CONNTRACK=conntrack
+
+SRC=1.1.1.1
+DST=2.2.2.2
+SPORT=2005
+DPORT=21
+
+case $1 in
+ dump)
+ echo "Dumping conntrack table"
+ $CONNTRACK -L
+ ;;
+ flush)
+ echo "Flushing conntrack table"
+ $CONNTRACK -F
+ ;;
+ new)
+ echo "creating a new conntrack"
+ $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
+ --reply-src $DST --reply-dst $SRC -p tcp \
+ --orig-port-src $SPORT --orig-port-dst $DPORT \
+ --reply-port-src $DPORT --reply-port-dst $SPORT \
+ --state LISTEN -u SEEN_REPLY -t 50
+ ;;
+ new-simple)
+ echo "creating a new conntrack (simplified)"
+ $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
+ -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
+ --state LISTEN -u SEEN_REPLY -t 50
+ ;;
+ new-nat)
+ echo "creating a new conntrack (NAT)"
+ $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
+ -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
+ --state LISTEN -u SEEN_REPLY,SRC_NAT -t 50 -a 8.8.8.8
+ ;;
+ get)
+ echo "getting a conntrack"
+ $CONNTRACK -G --orig-src $SRC --orig-dst $DST \
+ -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
+ --reply-port-src $DPORT --reply-port-dst $SPORT
+ ;;
+ change)
+ echo "change a conntrack"
+ $CONNTRACK -U --orig-src $SRC --orig-dst $DST \
+ --reply-src $DST --reply-dst $SRC -p tcp \
+ --orig-port-src $SPORT --orig-port-dst $DPORT \
+ --reply-port-src $DPORT --reply-port-dst $SPORT \
+ --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500
+ ;;
+ delete)
+ $CONNTRACK -D --orig-src $SRC --orig-dst $DST \
+ -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT
+ ;;
+ output)
+ proc=$(cat /proc/net/ip_conntrack | wc -l)
+ netl=$($CONNTRACK -L | wc -l)
+ count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
+ if [ $proc -ne $netl ]; then
+ echo "proc is $proc and netl is $netl and count is $count"
+ else
+ if [ $proc -ne $count ]; then
+ echo "proc is $proc and netl is $netl and count is $count"
+ else
+ echo "now $proc"
+ fi
+ fi
+ ;;
+ dump-expect)
+ $CONNTRACK -L expect
+ ;;
+ flush-expect)
+ $CONNTRACK -F expect
+ ;;
+ create-expect)
+ # requires modprobe ip_conntrack_ftp
+ $CONNTRACK -I expect --orig-src $SRC --orig-dst $DST \
+ --tuple-src 4.4.4.4 --tuple-dst 5.5.5.5 \
+ --mask-src 255.255.255.0 --mask-dst 255.255.255.255 \
+ -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
+ -t 200 --tuple-port-src 10 --tuple-port-dst 300 \
+ --mask-port-src 10 --mask-port-dst 300
+ ;;
+ get-expect)
+ $CONNTRACK -G expect --orig-src 4.4.4.4 --orig-dst 5.5.5.5 \
+ --p tcp --orig-port-src 0 --orig-port-dst 0 \
+ --mask-port-src 10 --mask-port-dst 11
+ ;;
+ delete-expect)
+ $CONNTRACK -D expect --orig-src 4.4.4.4 \
+ --orig-dst 5.5.5.5 -p tcp --orig-port-src 0 \
+ --orig-port-dst 0 --mask-port-src 10 --mask-port-dst 11
+ ;;
+ *)
+ echo "Usage: $0 [dump"
+ echo " |new"
+ echo " |new-simple"
+ echo " |new-nat"
+ echo " |get"
+ echo " |change"
+ echo " |delete"
+ echo " |output"
+ echo " |flush"
+ echo " |dump-expect"
+ echo " |flush-expect"
+ echo " |create-expect"
+ echo " |get-expect"
+ echo " |delete-expect]"
+ ;;
+esac
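Review bot: The get-expect branch passes `--p tcp` where every other branch passes `-p tcp`; this looks like a typo, and depending on how the long-option table resolves it the case will likely fail before it reaches the kernel, so the line should read `-p tcp --orig-port-src 0 --orig-port-dst 0 \`. The script also has no interpreter line, so it only works when invoked as `sh test.sh`; adding `#!/bin/sh` as the first line and a short header comment stating that it must run as root (conntrack needs netlink/netfilter privileges) would make that explicit. In the output branch, `proc`, `netl` and `count` are expanded unquoted inside `[ ... -ne ... ]`, so if /proc/net/ip_conntrack or the ip_conntrack_count sysctl is missing the test aborts with a shell syntax error instead of a readable message; quoting them, `if [ "$proc" -ne "$netl" ]; then`, keeps the failure clear.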