[netfilter-cvslog] r7495 - in trunk/libnetfilter_conntrack: . include/libnetfilter_conntrack src/conntrack
pablo at netfilter.org
Wed Apr 16 16:46:18 CEST 2008
Author: pablo at netfilter.org
Date: 2008-04-16 16:46:17 +0200 (Wed, 16 Apr 2008)
New Revision: 7495
Modified:
trunk/libnetfilter_conntrack/configure.in
trunk/libnetfilter_conntrack/include/libnetfilter_conntrack/libnetfilter_conntrack.h
trunk/libnetfilter_conntrack/src/conntrack/api.c
trunk/libnetfilter_conntrack/src/conntrack/compare.c
trunk/libnetfilter_conntrack/src/conntrack/setter.c
trunk/libnetfilter_conntrack/src/conntrack/snprintf_default.c
trunk/libnetfilter_conntrack/src/conntrack/snprintf_xml.c
Log:
- bump version to 0.0.92
- recover the ID support
- add support for timeout comparison
- ignore set operation for counters and use attributes
- fix broken status comparison
- statify several __snprintf functions
Modified: trunk/libnetfilter_conntrack/configure.in
===================================================================
--- trunk/libnetfilter_conntrack/configure.in 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/configure.in 2008-04-16 14:46:17 UTC (rev 7495)
@@ -4,7 +4,7 @@
AC_CANONICAL_SYSTEM
-AM_INIT_AUTOMAKE(libnetfilter_conntrack, 0.0.91)
+AM_INIT_AUTOMAKE(libnetfilter_conntrack, 0.0.92)
AC_PROG_CC
AM_PROG_LIBTOOL
Modified: trunk/libnetfilter_conntrack/include/libnetfilter_conntrack/libnetfilter_conntrack.h
===================================================================
--- trunk/libnetfilter_conntrack/include/libnetfilter_conntrack/libnetfilter_conntrack.h 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/include/libnetfilter_conntrack/libnetfilter_conntrack.h 2008-04-16 14:46:17 UTC (rev 7495)
@@ -1,5 +1,5 @@
/*
- * (C) 2005-2007 by Pablo Neira Ayuso <pablo at netfilter.org>
+ * (C) 2005-2008 by Pablo Neira Ayuso <pablo at netfilter.org>
*
* This software may be used and distributed according to the terms
* of the GNU General Public License, incorporated herein by reference.
@@ -251,6 +251,9 @@
NFCT_OF_TIME_BIT = 1,
NFCT_OF_TIME = (1 << NFCT_OF_TIME_BIT),
+
+ NFCT_OF_ID_BIT = 2,
+ NFCT_OF_ID = (1 << NFCT_OF_ID_BIT),
};
extern int nfct_snprintf(char *buf,
@@ -268,6 +271,11 @@
NFCT_CMP_ALL = 0,
NFCT_CMP_ORIG = (1 << 0),
NFCT_CMP_REPL = (1 << 1),
+ NFCT_CMP_TIMEOUT_EQ = (1 << 2),
+ NFCT_CMP_TIMEOUT_GT = (1 << 3),
+ NFCT_CMP_TIMEOUT_GE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT),
+ NFCT_CMP_TIMEOUT_LT = (1 << 4),
+ NFCT_CMP_TIMEOUT_LE = (NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_LT),
};
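Review bot: The new NFCT_CMP_TIMEOUT_* constants carry no comment in the public header, so a user reading only libnetfilter_conntrack.h cannot tell that NFCT_CMP_TIMEOUT_GE and NFCT_CMP_TIMEOUT_LE are bitwise unions of the EQ/GT and EQ/LT bits rather than independent modes. A short trailing comment per value, e.g. `NFCT_CMP_TIMEOUT_GT = (1 << 3), /* timeout(ct1) > timeout(ct2) */`, mirroring the text added to api.c in this commit, would keep the header self-describing. The description of how these bits interact with NFCT_CMP_ORIG/NFCT_CMP_REPL currently lives only in the api.c comment.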
extern int nfct_cmp(const struct nf_conntrack *ct1,
Modified: trunk/libnetfilter_conntrack/src/conntrack/api.c
===================================================================
--- trunk/libnetfilter_conntrack/src/conntrack/api.c 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/src/conntrack/api.c 2008-04-16 14:46:17 UTC (rev 7495)
@@ -697,11 +697,19 @@
*
* - NFCT_CMP_ALL: full comparison of both objects
* - NFCT_CMP_ORIG: it only compares the source and destination address;
- * source and destination ports; and the layer 3 and 4 protocol numbers
- * of the original direction.
+ * source and destination ports; the layer 3 and 4 protocol numbers
+ * of the original direction; and the id (if present).
* - NFCT_CMP_REPL: like NFCT_CMP_REPL but it compares the flow
* information that goes in the reply direction.
+ * - NFCT_CMP_TIMEOUT_EQ: timeout(ct1) == timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_GT: timeout(ct1) > timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_LT: timeout(ct1) < timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_GE: timeout(ct1) >= timeout(ct2)
+ * - NFCT_CMP_TIMEOUT_LE: timeout(ct1) <= timeout(ct2)
*
+ * The default status bits comparison consists of the following operation:
+ * status(ct1) & status(ct2) == status(ct1).
+ *
* If both conntrack object are equal, this function returns 1, otherwise
* 0 is returned.
*/
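Review bot: The status description `status(ct1) & status(ct2) == status(ct1)` reads, under C precedence, as `status(ct1) & (status(ct2) == status(ct1))`; write it as `(status(ct1) & status(ct2)) == status(ct1)` and state in words that the check is one-directional (every status bit set in ct1 must also be set in ct2, not the reverse), since readers will otherwise assume a symmetric equality. The NFCT_CMP_ORIG bullet now says the id is compared, but in this commit the id check is added to cmp_meta in compare.c while cmp_orig is untouched by the diff, so the claim only holds if the non-ALL path of nfct_cmp also runs cmp_meta — worth confirming before documenting it. The unchanged line `NFCT_CMP_REPL: like NFCT_CMP_REPL` presumably means `like NFCT_CMP_ORIG`. This comment block documents a function that begins after the hunk.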
Modified: trunk/libnetfilter_conntrack/src/conntrack/compare.c
===================================================================
--- trunk/libnetfilter_conntrack/src/conntrack/compare.c 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/src/conntrack/compare.c 2008-04-16 14:46:17 UTC (rev 7495)
@@ -100,21 +100,47 @@
}
static int cmp_meta(const struct nf_conntrack *ct1,
- const struct nf_conntrack *ct2)
+ const struct nf_conntrack *ct2,
+ unsigned int flags)
{
+ if (test_bit(ATTR_ID, ct1->set) &&
+ test_bit(ATTR_ID, ct2->set) &&
+ ct1->id != ct2->id)
+ return 0;
+
if (test_bit(ATTR_MARK, ct1->set) &&
test_bit(ATTR_MARK, ct2->set) &&
ct1->mark != ct2->mark)
return 0;
if (test_bit(ATTR_TIMEOUT, ct1->set) &&
- test_bit(ATTR_TIMEOUT, ct2->set) &&
- ct1->timeout != ct2->timeout)
- return 0;
+ test_bit(ATTR_TIMEOUT, ct2->set)) {
+ int ret = 0;
+#define __NFCT_CMP_TIMEOUT (NFCT_CMP_TIMEOUT_LE | NFCT_CMP_TIMEOUT_GT)
+
+ if (!(flags & __NFCT_CMP_TIMEOUT) &&
+ ct1->timeout != ct2->timeout)
+ return 0;
+ else {
+ if (flags & NFCT_CMP_TIMEOUT_GT &&
+ ct1->timeout > ct2->timeout)
+ ret = 1;
+ else if (flags & NFCT_CMP_TIMEOUT_LT &&
+ ct1->timeout < ct2->timeout)
+ ret = 1;
+ else if (flags & NFCT_CMP_TIMEOUT_EQ &&
+ ct1->timeout == ct2->timeout)
+ ret = 1;
+
+ if (ret == 0)
+ return 0;
+ }
+ }
+
if (test_bit(ATTR_STATUS, ct1->set) &&
test_bit(ATTR_STATUS, ct2->set) &&
- ct1->status == ct2->status)
+ !((ct1->status & ct2->status) == ct1->status))
return 0;
if (test_bit(ATTR_TCP_STATE, ct1->set) &&
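Review bot: When no NFCT_CMP_TIMEOUT_* bit is set and both timeouts are equal, the new `if (!(flags & __NFCT_CMP_TIMEOUT) && ct1->timeout != ct2->timeout)` is false, control enters the `else`, none of the three flag tests fire, `ret` stays 0 and the function returns 0 — so two objects with identical timeouts compare as different, and since nfct_cmp passes flags == NFCT_CMP_ALL (0) into cmp_meta, every full comparison of two objects that both carry ATTR_TIMEOUT now fails. Make the plain-equality case its own branch: `if (!(flags & __NFCT_CMP_TIMEOUT)) { if (ct1->timeout != ct2->timeout) return 0; } else { ...existing flag tests... }`. Two smaller points: `__NFCT_CMP_TIMEOUT` is a reserved identifier (leading double underscore) defined inside a function body and never #undef'd, and spelling the mask as `(NFCT_CMP_TIMEOUT_EQ | NFCT_CMP_TIMEOUT_GT | NFCT_CMP_TIMEOUT_LT)` says what it means more directly than `LE | GT`. A comment that the timeout relation and the status subset test are only evaluated when the attribute is set on both objects, and that the status test is one-directional, would help callers who expect nfct_cmp to be symmetric. cmp_meta's body continues past the hunk.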
@@ -130,9 +156,9 @@
unsigned int flags)
{
if (flags == NFCT_CMP_ALL)
- return cmp_orig(ct1, ct2) &&
- cmp_repl(ct1, ct2) &&
- cmp_meta(ct1, ct2);
+ return cmp_meta(ct1, ct2, flags) &&
+ cmp_orig(ct1, ct2) &&
+ cmp_repl(ct1, ct2);
if (flags & NFCT_CMP_ORIG && !cmp_orig(ct1, ct2))
return 0;
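Review bot: `flags` is forwarded to cmp_meta only on the NFCT_CMP_ALL path visible here, and because NFCT_CMP_ALL is 0 no NFCT_CMP_TIMEOUT_* bit can ever be set on that path, so the relational timeout comparison is reachable only through the non-ALL path, which lies outside the hunk. If that path still calls the old two-argument form or does not call cmp_meta at all, a call such as `nfct_cmp(ct1, ct2, NFCT_CMP_ORIG | NFCT_CMP_TIMEOUT_GT)` would silently ignore the timeout relation and report a match; please confirm the remainder of nfct_cmp passes `flags` through. The api.c comment could then say which base flag the timeout modifiers must be combined with. nfct_cmp's body ends outside the hunk.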
Modified: trunk/libnetfilter_conntrack/src/conntrack/setter.c
===================================================================
--- trunk/libnetfilter_conntrack/src/conntrack/setter.c 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/src/conntrack/setter.c 2008-04-16 14:46:17 UTC (rev 7495)
@@ -1,5 +1,5 @@
/*
- * (C) 2006 by Pablo Neira Ayuso <pablo at netfilter.org>
+ * (C) 2006-2008 by Pablo Neira Ayuso <pablo at netfilter.org>
*
* This software may be used and distributed according to the terms
* of the GNU General Public License, incorporated herein by reference.
@@ -210,6 +210,11 @@
ct->status = *((u_int32_t *) value);
}
+static void set_attr_id(struct nf_conntrack *ct, const void *value)
+{
+ ct->id = *((u_int32_t *) value);
+}
+
static void set_attr_master_ipv4_src(struct nf_conntrack *ct, const void *value)
{
ct->tuple[__DIR_MASTER].src.v4 = *((u_int32_t *) value);
@@ -280,6 +285,8 @@
ct->tuple[__DIR_REPL].natseq.offset_after = *((u_int32_t *) value);
}
+static void set_attr_do_nothing(struct nf_conntrack *ct, const void *value) {}
+
set_attr set_attr_array[] = {
[ATTR_ORIG_IPV4_SRC] = set_attr_orig_ipv4_src,
[ATTR_ORIG_IPV4_DST] = set_attr_orig_ipv4_dst,
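Review bot: `set_attr_do_nothing` discards the value by design, but nothing at the definition says why; a comment such as `/* counters and use are maintained by the kernel: setting them is a deliberate no-op */` above it, plus `(void)ct; (void)value;` in the body to keep -Wunused-parameter quiet, would make the intent explicit to the next maintainer. The one-line `{}` body on the signature line also differs from the brace-on-its-own-line style of the surrounding setters.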
@@ -307,6 +314,12 @@
[ATTR_DNAT_PORT] = set_attr_dnat_port,
[ATTR_TIMEOUT] = set_attr_timeout,
[ATTR_MARK] = set_attr_mark,
+ [ATTR_ORIG_COUNTER_PACKETS] = set_attr_do_nothing,
+ [ATTR_REPL_COUNTER_PACKETS] = set_attr_do_nothing,
+ [ATTR_ORIG_COUNTER_BYTES] = set_attr_do_nothing,
+ [ATTR_REPL_COUNTER_BYTES] = set_attr_do_nothing,
+ [ATTR_USE] = set_attr_do_nothing,
+ [ATTR_ID] = set_attr_id,
[ATTR_STATUS] = set_attr_status,
[ATTR_TCP_FLAGS_ORIG] = set_attr_tcp_flags_orig,
[ATTR_TCP_FLAGS_REPL] = set_attr_tcp_flags_repl,
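Review bot: Mapping the counter and use attributes to `set_attr_do_nothing` drops the value, but whether the public setter that dispatches through `set_attr_array` still marks the attribute as present (a set_bit on `ct->set` around the call) is not visible in this diff; if it does, a caller's nfct_set_attr for ATTR_ORIG_COUNTER_PACKETS leaves the bit set with whatever stale counter the object already held, and the getters and snprintf paths would then report that stale value as valid. Either skip the present-bit update for these attributes in the dispatcher or document in the public header that setting them is ignored. The array continues outside the hunk.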
Modified: trunk/libnetfilter_conntrack/src/conntrack/snprintf_default.c
===================================================================
--- trunk/libnetfilter_conntrack/src/conntrack/snprintf_default.c 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/src/conntrack/snprintf_default.c 2008-04-16 14:46:17 UTC (rev 7495)
@@ -1,5 +1,5 @@
/*
- * (C) 2006 by Pablo Neira Ayuso <pablo at netfilter.org>
+ * (C) 2006-2008 by Pablo Neira Ayuso <pablo at netfilter.org>
*
* This software may be used and distributed according to the terms
* of the GNU General Public License, incorporated herein by reference.
@@ -194,26 +194,28 @@
(unsigned long long) ct->counters[dir].bytes));
}
-int __snprintf_mark(char *buf, unsigned int len, const struct nf_conntrack *ct)
+static int
+__snprintf_mark(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
return (snprintf(buf, len, "mark=%u ", ct->mark));
}
-int __snprintf_secmark(char *buf,
- unsigned int len,
- const struct nf_conntrack *ct)
+static int
+__snprintf_secmark(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
return (snprintf(buf, len, "secmark=%u ", ct->secmark));
}
-int __snprintf_use(char *buf, unsigned int len, const struct nf_conntrack *ct)
+static int
+__snprintf_use(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
return (snprintf(buf, len, "use=%u ", ct->use));
}
-int __snprintf_id(char *buf, unsigned int len, u_int32_t id)
+static int
+__snprintf_id(char *buf, unsigned int len, const struct nf_conntrack *ct)
{
- return (snprintf(buf, len, "id=%u ", id));
+ return (snprintf(buf, len, "id=%u ", ct->id));
}
int __snprintf_conntrack_default(char *buf,
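Review bot: Making `__snprintf_mark`, `__snprintf_secmark`, `__snprintf_use` and `__snprintf_id` static removes them from the library's exported symbols and changes `__snprintf_id` to take the conntrack object instead of a bare id; if an internal header still declares the old prototypes, or another translation unit called the old `__snprintf_id(buf, len, id)` form, those should be removed in the same commit so the declarations cannot drift from the new signatures — not visible from the diff. Identifiers beginning with a double underscore are reserved for the implementation in C; the naming is pre-existing, but the newly static helpers could take plain names such as `snprintf_id`. Each helper returns the raw snprintf count, leaving truncation handling to the BUFFER_SIZE macro at the call sites.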
@@ -307,6 +309,11 @@
BUFFER_SIZE(ret, size, len, offset);
}
+ if (flags & NFCT_OF_ID && test_bit(ATTR_ID, ct->set)) {
+ ret = __snprintf_id(buf+offset, len, ct);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
/* Delete the last blank space */
size--;
Modified: trunk/libnetfilter_conntrack/src/conntrack/snprintf_xml.c
===================================================================
--- trunk/libnetfilter_conntrack/src/conntrack/snprintf_xml.c 2008-04-15 15:54:15 UTC (rev 7494)
+++ trunk/libnetfilter_conntrack/src/conntrack/snprintf_xml.c 2008-04-16 14:46:17 UTC (rev 7495)
@@ -46,6 +46,7 @@
* <timeout>100</timeout>
* <mark>1</mark>
* <secmark>0</secmark>
+ * <id>453281439</id>
* <use>1</use>
* <assured/>
* </meta>
@@ -322,6 +323,11 @@
BUFFER_SIZE(ret, size, len, offset);
}
+ if (test_bit(ATTR_ID, ct->set)) {
+ ret = snprintf(buf+offset, len, "<id>%u</id>", ct->id);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
if (test_bit(ATTR_STATUS, ct->set)
&& ct->status & IPS_ASSURED) {
ret = snprintf(buf+offset, len, "<assured/>");
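Review bot: The XML printer emits `<id>` whenever ATTR_ID is set, whereas the default printer in this same commit emits it only when the caller passes NFCT_OF_ID; if that asymmetry is intended (XML as a complete dump), a one-line comment above the new block, e.g. `/* XML output always carries the id; NFCT_OF_ID only gates the default format */`, would stop the next reader from "fixing" it, and the NFCT_OF_ID comment in the header could state which output formats honour the flag. The enclosing function continues outside the hunk.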