[netfilter-cvslog] r6867 - in trunk/conntrack-tools: . src

pablo at netfilter.org pablo at netfilter.org
Sat Jun 9 19:52:51 CEST 2007


Author: pablo at netfilter.org
Date: 2007-06-09 19:52:50 +0200 (Sat, 09 Jun 2007)
New Revision: 6867

Modified:
   trunk/conntrack-tools/ChangeLog
   trunk/conntrack-tools/conntrack.8
   trunk/conntrack-tools/src/conntrack.c
Log:
- add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
- update conntrack(8) manpage


Modified: trunk/conntrack-tools/ChangeLog
===================================================================
--- trunk/conntrack-tools/ChangeLog	2007-06-07 18:47:43 UTC (rev 6866)
+++ trunk/conntrack-tools/ChangeLog	2007-06-09 17:52:50 UTC (rev 6867)
@@ -18,6 +18,8 @@
 o use NFCT_SOPT_SETUP_* facilities: nfct_setobjopt
 o remove bogus option to get a conntrack in test.sh example file
 o add aliases --sport and --dport to make it more iptables-like
+o add support for `-L --src-nat' and `-L --dst-nat' to show natted connections
+o update conntrack(8) manpage
 
 version 0.9.3 (2006/05/22)
 ------------------------------

Modified: trunk/conntrack-tools/conntrack.8
===================================================================
--- trunk/conntrack-tools/conntrack.8	2007-06-07 18:47:43 UTC (rev 6866)
+++ trunk/conntrack-tools/conntrack.8	2007-06-09 17:52:50 UTC (rev 6867)
@@ -107,14 +107,15 @@
 .BI "-t, --timeout " "TIMEOUT"
 Specify the timeout.
 .TP
-.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET][,...]"
 Specify the conntrack status.
 .TP
-.BI "-i, --id " "ID"
-Specify the conntrack ID. 
-.
-This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
+.BI "-n, --src-nat "
+Filter source NAT connections. 
 .TP
+.BI "-g, --dst-nat "
+Filter destination NAT connections. 
+.TP
 .BI "--tuple-src " IP_ADDRESS
 Specify the tuple source address of an expectation.
 .TP
@@ -144,6 +145,9 @@
 .B conntrack \-L -f ipv6 -o extended
 Only dump IPv6 connections in /proc/net/nf_conntrack format
 .TP
+.B conntrack \-L --src-nat
+Dump source NAT connections
+.TP
 .B conntrack \-E \-o timestamp
 Show connection events together with the timestamp
 .SH BUGS

Modified: trunk/conntrack-tools/src/conntrack.c
===================================================================
--- trunk/conntrack-tools/src/conntrack.c	2007-06-07 18:47:43 UTC (rev 6866)
+++ trunk/conntrack-tools/src/conntrack.c	2007-06-09 17:52:50 UTC (rev 6867)
@@ -94,8 +94,8 @@
 	{"mark", 1, 0, 'm'},
 	{"id", 2, 0, 'i'},		/* deprecated */
 	{"family", 1, 0, 'f'},
-	{"src-nat", 1, 0, 'n'},
-	{"dst-nat", 1, 0, 'g'},
+	{"src-nat", 2, 0, 'n'},
+	{"dst-nat", 2, 0, 'g'},
 	{"output", 1, 0, 'o'},
 	{0, 0, 0, 0}
 };
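Review bot: Changing `has_arg` from 1 to 2 on the `src-nat` and `dst-nat` entries makes the argument optional, and getopt_long only picks up an optional argument when it is attached as `--src-nat=ADDR`. The space-separated form that a required argument accepted now leaves `optarg` NULL. The option-parsing hunk further down skips `nat_parse()` on a NULL `optarg`, and the CT_CREATE row still accepts n and g, so a create command written the old way would presumably set the flag but apply no NAT address, without any error. The short-option string is not part of this diff, so whether `-n`/`-g` behave the same way cannot be checked here. I would mark the entries the way `id` is marked, e.g. `{"src-nat", 2, 0, 'n'},	/* optional: --src-nat[=ADDR] */`, and state the `=ADDR` form in conntrack(8).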
@@ -119,13 +119,13 @@
 /* Well, it's better than "Re: Linux vs FreeBSD" */
 {
           /*   s d r q p t u z e [ ] { } a m i f n g o */
-/*CT_LIST*/   {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,0,0,2},
+/*CT_LIST*/   {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,2,2,2},
 /*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0},
 /*CT_UPDATE*/ {2,2,2,2,1,2,2,0,0,0,0,0,0,0,2,2,0,0,0,0},
 /*CT_DELETE*/ {2,2,2,2,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
 /*CT_GET*/    {2,2,2,2,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2},
 /*CT_FLUSH*/  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*CT_EVENT*/  {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,0,0,2},
+/*CT_EVENT*/  {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2},
 /*VERSION*/   {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*HELP*/      {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*EXP_LIST*/  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0},
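Review bot: The CT_EVENT row now also accepts n and g, but the commit log and the manpage hunk only mention `-L --src-nat` / `-L --dst-nat`. The CT_CREATE row keeps n and g allowed while the manpage now describes both options purely as filters, so the address-taking use is left undocumented. A short comment above the matrix would record the intent, for example `/* n,g: NAT filter for CT_LIST and CT_EVENT, NAT address for CT_CREATE */`, and the manpage entry could mention `-E` as well.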
@@ -597,6 +597,18 @@
 	unsigned int output_type = NFCT_O_DEFAULT;
 	unsigned int output_flags = 0;
 
+	if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+		    !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+			return NFCT_CB_CONTINUE;
+	} else if (options & CT_OPT_SRC_NAT && 
+		   !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+	 	return NFCT_CB_CONTINUE;
+	} else if (options & CT_OPT_DST_NAT &&
+		   !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+		return NFCT_CB_CONTINUE;
+	}
+
 	if (options & CT_COMPARISON && !nfct_compare(obj, ct))
 		return NFCT_CB_CONTINUE;
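Review bot: The same eleven-line NAT filter is pasted into two callbacks (here and again in the hunk at new line 638), so a later fix to one copy can silently miss the other; a small static helper called from both would keep them in step. With both flags set, the filter keeps an entry that is SNAT or DNAT rather than requiring both, and neither the manpage hunk nor a comment says so; the helper's header comment is the place to state it. The mixed `&`/`&&` conditions are correct by precedence but are easier to audit with named locals. Both enclosing functions start and end outside their hunks, so the parameter type in the sketch below is assumed.

```c
/* Nonzero when ct fails the --src-nat/--dst-nat filter; with both flags
 * set, an entry passes if it is SNAT or DNAT. */
static int nat_filter_skip(const struct nf_conntrack *ct)
{
	int want_snat = (options & CT_OPT_SRC_NAT) != 0;
	int want_dnat = (options & CT_OPT_DST_NAT) != 0;

	if (!want_snat && !want_dnat)
		return 0;
	if (want_snat && nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
		return 0;
	if (want_dnat && nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
		return 0;
	return 1;
}

/* … unchanged: output_type / output_flags declarations … */
	if (nat_filter_skip(ct))
		return NFCT_CB_CONTINUE;
/* … unchanged: CT_COMPARISON check … */
```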
 
@@ -626,6 +638,18 @@
 	unsigned int output_type = NFCT_O_DEFAULT;
 	unsigned int output_flags = 0;
 
+	if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
+		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+		    !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+			return NFCT_CB_CONTINUE;
+	} else if (options & CT_OPT_SRC_NAT && 
+		   !nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
+	 	return NFCT_CB_CONTINUE;
+	} else if (options & CT_OPT_DST_NAT &&
+		   !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+		return NFCT_CB_CONTINUE;
+	}
+
 	if (options & CT_COMPARISON && !nfct_compare(obj, ct))
 		return NFCT_CB_CONTINUE;
 
@@ -930,11 +954,15 @@
 			break;
 		case 'n':
 			options |= CT_OPT_SRC_NAT;
+			if (!optarg)
+				break;
 			set_family(&family, AF_INET);
 			nat_parse(optarg, 1, obj, CT_OPT_SRC_NAT);
 			break;
 		case 'g':
 			options |= CT_OPT_DST_NAT;
+			if (!optarg)
+				break;
 			set_family(&family, AF_INET);
 			nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);
 		case 'm':
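Review bot: `case 'g'` still has no `break;` after `nat_parse(optarg, 1, obj, CT_OPT_DST_NAT);`, so whenever `--dst-nat` is given an address, control falls through into `case 'm':` with `optarg` still holding that address. The new `if (!optarg) break;` only covers the form without an argument. The missing statement sits on a context line and so predates this commit, but the change edits this case without fixing it. Adding `break;` directly after the `nat_parse` call closes the gap. The body of `case 'm'` lies outside the hunk, so what the fall-through does to the mark cannot be seen here.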



