[netfilter-cvslog] r6867 - in trunk/conntrack-tools: . src
pablo at netfilter.org
pablo at netfilter.org
Sat Jun 9 19:52:51 CEST 2007
Author: pablo at netfilter.org
Date: 2007-06-09 19:52:50 +0200 (Sat, 09 Jun 2007)
New Revision: 6867
Modified:
trunk/conntrack-tools/ChangeLog
trunk/conntrack-tools/conntrack.8
trunk/conntrack-tools/src/conntrack.c
Log:
- add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
- update conntrack(8) manpage
Modified: trunk/conntrack-tools/ChangeLog
===================================================================
--- trunk/conntrack-tools/ChangeLog 2007-06-07 18:47:43 UTC (rev 6866)
+++ trunk/conntrack-tools/ChangeLog 2007-06-09 17:52:50 UTC (rev 6867)
@@ -18,6 +18,8 @@
o use NFCT_SOPT_SETUP_* facilities: nfct_setobjopt
o remove bogus option to get a conntrack in test.sh example file
o add aliases --sport and --dport to make it more iptables-like
+o add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
+o update conntrack(8) manpage
version 0.9.3 (2006/05/22)
------------------------------
Modified: trunk/conntrack-tools/conntrack.8
===================================================================
--- trunk/conntrack-tools/conntrack.8 2007-06-07 18:47:43 UTC (rev 6866)
+++ trunk/conntrack-tools/conntrack.8 2007-06-09 17:52:50 UTC (rev 6867)
@@ -107,14 +107,15 @@
.BI "-t, --timeout " "TIMEOUT"
Specify the timeout.
.TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET][,...]"
Specify the conntrack status.
.TP
-.BI "-i, --id " "ID"
-Specify the conntrack ID.
-.
-This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
+.BI "-n, --src-nat "
+Filter source NAT connections.
.TP
+.BI "-g, --dst-nat "
+Filter destination NAT connections.
+.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
.TP
@@ -144,6 +145,9 @@
.B conntrack \-L -f ipv6 -o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format
.TP
+.B conntrack \-L --src-nat
+Dump source NAT connections
+.TP
.B conntrack \-E \-o timestamp
Show connection events together with the timestamp
.SH BUGS
Modified: trunk/conntrack-tools/src/conntrack.c
===================================================================
--- trunk/conntrack-tools/src/conntrack.c 2007-06-07 18:47:43 UTC (rev 6866)
+++ trunk/conntrack-tools/src/conntrack.c 2007-06-09 17:52:50 UTC (rev 6867)
@@ -94,8 +94,8 @@
{"mark", 1, 0, 'm'},
{"id", 2, 0, 'i'}, /* deprecated */
{"family", 1, 0, 'f'},
- {"src-nat", 1, 0, 'n'},
- {"dst-nat", 1, 0, 'g'},
+ {"src-nat", 2, 0, 'n'},
+ {"dst-nat", 2, 0, 'g'},
{"output", 1, 0, 'o'},
{0, 0, 0, 0}
};
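Review bot: Changing `src-nat` and `dst-nat` from `1` (required_argument) to `2` (optional_argument) also changes how an address is accepted, because getopt_long only binds an optional argument written as `--src-nat=ADDR`. An existing `--src-nat ADDR` invocation on the create path would now leave `optarg` NULL and the address as a stray non-option argument. With the new `if (!optarg) break;` in the parser hunk, the entry would presumably be created without the requested NAT mapping and without an error. The short-option string is outside this hunk and would need `n::` and `g::` to match. I would comment the two entries, e.g. `/* optional: bare flag filters -L/-E output, =ADDR sets the NAT address */`, and reject a missing address when the command is CT_CREATE.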
@@ -119,13 +119,13 @@
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
/* s d r q p t u z e [ ] { } a m i f n g o */
-/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,0,0,2},
+/*CT_LIST*/ {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,2,2,2},
/*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0},
/*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0,0,0,0},
/*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
/*CT_GET*/ {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2},
/*CT_FLUSH*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,0,0,2},
+/*CT_EVENT*/ {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2},
/*VERSION*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
/*HELP*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
/*EXP_LIST*/ {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0},
@@ -597,6 +597,18 @@
unsigned int output_type = NFCT_O_DEFAULT;
unsigned int output_flags = 0;
+ if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+ if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_SRC_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_DST_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return NFCT_CB_CONTINUE;
+ }
+
if (options & CT_COMPARISON && !nfct_compare(obj, ct))
return NFCT_CB_CONTINUE;
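Review bot: This NAT filter is repeated verbatim in the second callback hunk (`@@ -626,6 +638,18 @@`), so the two copies can drift apart; one static helper called from both would keep the list and event paths filtering identically. It also deserves a comment that giving both flags matches entries that are source-NATed or destination-NATed, which the manpage text does not say. Both enclosing functions start and end outside their hunks, so below `ct` is assumed to be the `struct nf_conntrack *` the callbacks receive and `options` is used exactly as the hunk uses it.

```c
/* Non-zero when ct fails the --src-nat/--dst-nat filter; with both flags
 * set, an entry passes if it is source- or destination-NATed. */
static int nat_filter_rejects(struct nf_conntrack *ct)
{
	int snat_ok = (options & CT_OPT_SRC_NAT) &&
		      nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT);
	int dnat_ok = (options & CT_OPT_DST_NAT) &&
		      nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT);

	if (!(options & (CT_OPT_SRC_NAT | CT_OPT_DST_NAT)))
		return 0;
	return !snat_ok && !dnat_ok;
}

/* ... unchanged: output_type / output_flags declarations ... */
	if (nat_filter_rejects(ct))
		return NFCT_CB_CONTINUE;
/* ... unchanged: CT_COMPARISON check ... */
```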
@@ -626,6 +638,18 @@
unsigned int output_type = NFCT_O_DEFAULT;
unsigned int output_flags = 0;
+ if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+ if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_SRC_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+ return NFCT_CB_CONTINUE;
+ } else if (options & CT_OPT_DST_NAT &&
+ !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return NFCT_CB_CONTINUE;
+ }
+
if (options & CT_COMPARISON && !nfct_compare(obj, ct))
return NFCT_CB_CONTINUE;
@@ -930,11 +954,15 @@
break;
case 'n':
options |= CT_OPT_SRC_NAT;
+ if (!optarg)
+ break;
set_family(&family, AF_INET);
nat_parse(optarg, 1, obj, CT_OPT_SRC_NAT);
break;
case 'g':
options |= CT_OPT_DST_NAT;
+ if (!optarg)
+ break;
set_family(&family, AF_INET);
nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);
case 'm':
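Review bot: `case 'g':` has no `break` after `nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);`, so `--dst-nat` given with an address falls through into `case 'm':`, while the new bare-flag path leaves via `if (!optarg) break;`. The two forms of the same option therefore take different paths, and the address form would presumably run the mark handling on the NAT address string. The body of `case 'm':` is outside the hunk, so that effect is inferred. Add `break;` after the `nat_parse` call in `case 'g':`, as `case 'n':` already has.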