[netfilter-cvslog] r7496 - in trunk/conntrack-tools: . include qa qa/testsuite src

pablo at netfilter.org pablo at netfilter.org
Wed Apr 16 16:54:24 CEST 2008


Author: pablo at netfilter.org
Date: 2008-04-16 16:54:24 +0200 (Wed, 16 Apr 2008)
New Revision: 7496

Added:
   trunk/conntrack-tools/qa/testsuite/02filter
Modified:
   trunk/conntrack-tools/ChangeLog
   trunk/conntrack-tools/configure.in
   trunk/conntrack-tools/conntrack.8
   trunk/conntrack-tools/include/conntrack.h
   trunk/conntrack-tools/qa/test-conntrack.c
   trunk/conntrack-tools/qa/testsuite/00create
   trunk/conntrack-tools/qa/testsuite/01delete
   trunk/conntrack-tools/src/conntrack.c
Log:
o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)
o recover the ID support
o show display counters to stderr
o enable filtering by status and ID


Modified: trunk/conntrack-tools/ChangeLog
===================================================================
--- trunk/conntrack-tools/ChangeLog	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/ChangeLog	2008-04-16 14:54:24 UTC (rev 7496)
@@ -14,7 +14,10 @@
 o check for missing source/address IP/ports in creation and get operations
 o way more flexible conntrack updates and deletions
 o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)
+o recover the ID support
 o show display counters to stderr
+o enable filtering by status and ID
+o update manpage
 o minor cleanups
 
 = conntrackd =

Modified: trunk/conntrack-tools/configure.in
===================================================================
--- trunk/conntrack-tools/configure.in	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/configure.in	2008-04-16 14:54:24 UTC (rev 7496)
@@ -18,7 +18,7 @@
 
 dnl Dependencies
 LIBNFNETLINK_REQUIRED=0.0.32
-LIBNETFILTER_CONNTRACK_REQUIRED=0.0.91
+LIBNETFILTER_CONNTRACK_REQUIRED=0.0.92
 
 AC_CHECK_PROG(HAVE_PKG_CONFIG, pkg-config, yes)
 if test "x$HAVE_PKG_CONFIG" = "x"

Modified: trunk/conntrack-tools/conntrack.8
===================================================================
--- trunk/conntrack-tools/conntrack.8	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/conntrack.8	2008-04-16 14:54:24 UTC (rev 7496)
@@ -73,9 +73,8 @@
 Atomically zero counters after reading them.  This option is only valid in
 combination with the "-L, --dump" command options.
 .TP
-.BI "-o, --output [extended,xml,timestamp] "
-Display output in a certain format. This option is only valid in combination
-with the "-L, --dump", "-E, --event" and "-G, --get" command options.
+.BI "-o, --output [extended,xml,timestamp,id] "
+Display output in a certain format. 
 .TP
 .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
 Set the bitmask of events that are to be generated by the in-kernel ctnetlink
@@ -136,10 +135,10 @@
 .TP
 TCP-specific fields:
 .TP
-.BI "--orig-port-src " "PORT"
+.BI "--sport, --orig-port-src " "PORT"
 Source port in original direction
 .TP
-.BI "--orig-port-dst " "PORT"
+.BI "--dport, --orig-port-dst " "PORT"
 Destination port in original direction
 .TP
 .BI "--reply-port-src " "PORT"
@@ -153,10 +152,10 @@
 .TP
 UDP-specific fields:
 .TP
-.BI "--orig-port-src " "PORT"
+.BI "--sport, --orig-port-src " "PORT"
 Source port in original direction
 .TP
-.BI "--orig-port-dst " "PORT"
+.BI "--dport, --orig-port-dst " "PORT"
 Destination port in original direction
 .TP
 .BI "--reply-port-src " "PORT"
@@ -182,22 +181,28 @@
 .SH EXAMPLES
 .TP
 .B conntrack \-L
-Dump the connection tracking table in /proc/net/ip_conntrack format
+Show the connection tracking table in /proc/net/ip_conntrack format
 .TP
 .B conntrack \-L -o extended
-Dump the connection tracking table in /proc/net/nf_conntrack format
+Show the connection tracking table in /proc/net/nf_conntrack format
 .TP
 .B conntrack \-L \-o xml
-Dump the connection tracking table in XML
+Show the connection tracking table in XML
 .TP
 .B conntrack \-L -f ipv6 -o extended
 Only dump IPv6 connections in /proc/net/nf_conntrack format
 .TP
 .B conntrack \-L --src-nat
-Dump source NAT connections
+Show source NAT connections
 .TP
 .B conntrack \-E \-o timestamp
 Show connection events together with the timestamp
+.TP
+.B conntrack \-D \-s 1.2.3.4
+Delete all flow whose source address is 1.2.3.4
+.TP
+.B conntrack \-U \-s 1.2.3.4 \-m 1
+Set connmark to 1 of all the flows whose source address is 1.2.3.4
 .SH BUGS
 Bugs? What's this ;-)
 .SH SEE ALSO

Modified: trunk/conntrack-tools/include/conntrack.h
===================================================================
--- trunk/conntrack-tools/include/conntrack.h	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/include/conntrack.h	2008-04-16 14:54:24 UTC (rev 7496)
@@ -138,14 +138,10 @@
 #define NUMBER_OF_OPT	CT_OPT_MAX+1
 
 enum {
-	_O_XML_BIT		= 0,
-	_O_XML			= (1 << _O_XML_BIT),
-
-	_O_EXT_BIT		= 1,
-	_O_EXT			= (1 << _O_EXT_BIT),
-
-	_O_TMS_BIT		= 2,
-	_O_TMS			= (1 << _O_TMS_BIT),
+	_O_XML			= (1 << 0),
+	_O_EXT			= (1 << 1),
+	_O_TMS			= (1 << 2),
+	_O_ID			= (1 << 3),
 };
 
 struct ctproto_handler {

Modified: trunk/conntrack-tools/qa/test-conntrack.c
===================================================================
--- trunk/conntrack-tools/qa/test-conntrack.c	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/qa/test-conntrack.c	2008-04-16 14:54:24 UTC (rev 7496)
@@ -21,7 +21,7 @@
 
 int main()
 {
-	int ret, ok = 0, bad = 0;
+	int ret, ok = 0, bad = 0, line;
 	FILE *fp;
 	DIR *d;
 	char buf[1024];
@@ -34,6 +34,8 @@
 
 		sprintf(file, "testsuite/%s", dent->d_name);
 
+		line = 0;
+
 		fp = fopen(file, "r");
 		if (fp == NULL) {
 			perror("cannot find testsuite file");
@@ -44,15 +46,22 @@
 			char tmp[1024] = CT_PROG, *res;
 			tmp[strlen(CT_PROG)] = ' ';
 
+			line++;
+
 			if (buf[0] == '#' || buf[0] == ' ')
 				continue;
 
 			res = strchr(buf, ';');
+			if (!res) {
+				printf("malformed file %s at line %d\n", 
+					dent->d_name, line);
+				exit(EXIT_FAILURE);
+			}
 			*res = '\0';
 			res+=2;
 
 			strcpy(tmp + strlen(CT_PROG) + 1, buf);
-			printf("Executing: %s\n", tmp);
+			printf("(%d) Executing: %s\n", line, tmp);
 
 			ret = system(tmp);
 
@@ -75,10 +84,11 @@
 					printf("^----- BAD\n");
 				}
 			}
+			printf("=====\n");
 		}
+		fclose(fp);
 	}
+	closedir(d);
 
 	fprintf(stdout, "OK: %d BAD: %d\n", ok, bad);
-
-	fclose(fp);
 }
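Review bot: After printing the `OK:/BAD:` totals, `main` falls off the end, so the harness exits 0 even when every test case was BAD and a caller (a `make check` target or CI) cannot detect failures from the exit status. Adding `return bad ? EXIT_FAILURE : EXIT_SUCCESS;` after the summary line fixes that. Moving `fclose(fp)` inside the loop and adding `closedir(d)` is the right fix for the per-file handle that was previously leaked. `main` starts before this hunk.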

Modified: trunk/conntrack-tools/qa/testsuite/00create
===================================================================
--- trunk/conntrack-tools/qa/testsuite/00create	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/qa/testsuite/00create	2008-04-16 14:54:24 UTC (rev 7496)
@@ -12,5 +12,9 @@
 -I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
 # create again
 -I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD
+# delete
+-D -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 # create from reply
 -I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# delete reverse
+-D -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK

Modified: trunk/conntrack-tools/qa/testsuite/01delete
===================================================================
--- trunk/conntrack-tools/qa/testsuite/01delete	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/qa/testsuite/01delete	2008-04-16 14:54:24 UTC (rev 7496)
@@ -1,2 +1,6 @@
-# delete
--D -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
+# create dummy
+-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# delete bad source
+-D -s 2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD
+# delete by source
+-D -s 1.1.1.1 ; OK

Added: trunk/conntrack-tools/qa/testsuite/02filter
===================================================================
--- trunk/conntrack-tools/qa/testsuite/02filter	                        (rev 0)
+++ trunk/conntrack-tools/qa/testsuite/02filter	2008-04-16 14:54:24 UTC (rev 7496)
@@ -0,0 +1,20 @@
+# create dummy
+conntrack -I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# filter by source
+conntrack -L -s 1.1.1.1 ; OK
+# filter by destination
+conntrack -L -d 2.2.2.2 ; OK
+# filter by protocol
+conntrack -L -p tcp ; OK
+# filter by status
+conntrack -L -u SEEN_REPLY ; OK
+# filter by TCP protocol state
+conntrack -L -p tcp --state LISTEN ; OK
+# update mark of dummy conntrack
+conntrack -U -s 1.1.1.1 -m 1 ; OK
+# filter by mark
+conntrack -L -m 1 ; OK
+# filter by layer 3 protocol
+conntrack -L -f ipv4 ; OK
+# delete dummy
+conntrack -D -d 2.2.2.2 ; OK
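Review bot: Every line in this new file starts with `conntrack`, unlike 00create and 01delete where lines start with the option (`-I …`), and test-conntrack.c builds the command by prefixing each line with `CT_PROG` and a space — so these cases would presumably run as `CT_PROG conntrack -L …`, which only works if `CT_PROG` is a wrapper like `sudo`; dropping the leading `conntrack` would make the file consistent with its siblings. Also, since the new exit-status logic in conntrack.c treats a zero-match `-L` as success, the `-L` filter cases here pass whether or not the filter actually matched the dummy entry, so they only prove the options are accepted rather than that filtering works. A comment at the top noting that limitation, or checking the printed output, would make the intent clear.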

Modified: trunk/conntrack-tools/src/conntrack.c
===================================================================
--- trunk/conntrack-tools/src/conntrack.c	2008-04-16 14:46:17 UTC (rev 7495)
+++ trunk/conntrack-tools/src/conntrack.c	2008-04-16 14:54:24 UTC (rev 7496)
@@ -121,7 +121,7 @@
 /* Well, it's better than "Re: Linux vs FreeBSD" */
 {
           /*   s d r q p t u z e [ ] { } a m i f n g o c */
-/*CT_LIST*/   {2,2,2,2,2,0,0,2,0,0,0,0,0,0,2,2,2,2,2,2,2},
+/*CT_LIST*/   {2,2,2,2,2,0,2,2,0,0,0,0,0,0,2,0,2,2,2,2,2},
 /*CT_CREATE*/ {2,2,2,2,1,1,1,0,0,0,0,0,0,2,2,0,0,2,2,0,2},
 /*CT_UPDATE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,2},
 /*CT_DELETE*/ {2,2,2,2,2,2,2,0,0,0,0,0,0,0,2,2,2,2,2,2,2},
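Review bot: The CT_LIST row now sets the `u` column to 2 but drops the `i` column from 2 to 0, which contradicts the log entry "enable filtering by status and ID" — `conntrack -L -i N` will be rejected at option parsing while `-U`/`-D` keep accepting `-i`. If the dump path cannot filter by ID that is fine, but it deserves a note in the table comment (e.g. `/* -i is not accepted for -L: the dump callback does not compare IDs */`); otherwise the column should be 2. The table this row belongs to starts and ends outside the hunk.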
@@ -130,7 +130,7 @@
 /*CT_EVENT*/  {2,2,2,2,2,0,0,0,2,0,0,0,0,0,2,0,0,2,2,2,2},
 /*VERSION*/   {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*HELP*/      {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-/*EXP_LIST*/  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0},
+/*EXP_LIST*/  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0},
 /*EXP_CREATE*/{1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0},
 /*EXP_DELETE*/{1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
 /*EXP_GET*/   {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
@@ -143,7 +143,7 @@
 static unsigned int options;
 
 #define CT_COMPARISON (CT_OPT_PROTO | CT_OPT_ORIG | CT_OPT_REPL | CT_OPT_MARK |\
-		       CT_OPT_SECMARK)
+		       CT_OPT_SECMARK |  CT_OPT_STATUS | CT_OPT_ID)
 
 void register_proto(struct ctproto_handler *h)
 {
@@ -328,8 +328,8 @@
 	{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
 	  {~0U, NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_UPDATE, 
 	   NF_NETLINK_CONNTRACK_DESTROY} },
-	{ {"xml", "extended", "timestamp" }, 3, 
-	  { _O_XML, _O_EXT, _O_TMS },
+	{ {"xml", "extended", "timestamp", "id" }, 4, 
+	  { _O_XML, _O_EXT, _O_TMS, _O_ID },
 	},
 };
 
@@ -603,13 +603,13 @@
 	return 0;
 }
 
-static int events_counter;
+static int counter;
 
 static void __attribute__((noreturn))
 event_sighandler(int s)
 {
 	fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
-	fprintf(stderr, "%d flow events has been shown.\n", events_counter);
+	fprintf(stderr, "%d flow events has been shown.\n", counter);
 	nfct_close(cth);
 	exit(0);
 }
@@ -640,19 +640,19 @@
 			printf("[%-8ld.%-6ld]\t", tv.tv_sec, tv.tv_usec);
 		} else
 			op_flags |= NFCT_OF_TIME;
-	}	
+	}
+	if (output_mask & _O_ID)
+		op_flags |= NFCT_OF_ID;
 
 	nfct_snprintf(buf, 1024, ct, type, op_type, op_flags);
 	printf("%s\n", buf);
 	fflush(stdout);
 
-	events_counter++;
+	counter++;
 
 	return NFCT_CB_CONTINUE;
 }
 
-static int list_counter;
-
 static int dump_cb(enum nf_conntrack_msg_type type,
 		   struct nf_conntrack *ct,
 		   void *data)
@@ -672,17 +672,17 @@
 		op_type = NFCT_O_XML;
 	if (output_mask & _O_EXT)
 		op_flags = NFCT_OF_SHOW_LAYER3;
+	if (output_mask & _O_ID)
+		op_flags |= NFCT_OF_ID;
 
 	nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, op_type, op_flags);
 	printf("%s\n", buf);
 
-	list_counter++;
+	counter++;
 
 	return NFCT_CB_CONTINUE;
 }
 
-static int delete_counter;
-
 static int delete_cb(enum nf_conntrack_msg_type type,
 		     struct nf_conntrack *ct,
 		     void *data)
@@ -709,17 +709,17 @@
 		op_type = NFCT_O_XML;
 	if (output_mask & _O_EXT)
 		op_flags = NFCT_OF_SHOW_LAYER3;
+	if (output_mask & _O_ID)
+		op_flags |= NFCT_OF_ID;
 
 	nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, op_type, op_flags);
 	printf("%s\n", buf);
 
-	delete_counter++;
+	counter++;
 
 	return NFCT_CB_CONTINUE;
 }
 
-static int update_counter;
-
 static int update_cb(enum nf_conntrack_msg_type type,
 		     struct nf_conntrack *ct,
 		     void *data)
@@ -737,6 +737,10 @@
 	if (ignore_nat(tmp, ct))
 		return NFCT_CB_CONTINUE;
 
+	if (nfct_attr_is_set(obj, ATTR_ID) && nfct_attr_is_set(ct, ATTR_ID) &&
+	    nfct_get_attr_u32(obj, ATTR_ID) != nfct_get_attr_u32(ct, ATTR_ID))
+	    	return NFCT_CB_CONTINUE;
+
 	if (options & CT_OPT_TUPLE_ORIG && !nfct_cmp(tmp, ct, NFCT_CMP_ORIG))
 		return NFCT_CB_CONTINUE;
 	if (options & CT_OPT_TUPLE_REPL && !nfct_cmp(tmp, ct, NFCT_CMP_REPL))
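Review bot: The new ID check passes through any entry whose `ATTR_ID` is not set, so if the kernel ever omits the ID attribute a `-U -i N` update silently applies to those entries; it also gates on `nfct_attr_is_set(obj, ATTR_ID)` while the neighbouring filters gate on `options & CT_OPT_…`, and the `return` line mixes a tab and spaces for its indentation. A form consistent with the surrounding checks would be `if (options & CT_OPT_ID && (!nfct_attr_is_set(ct, ATTR_ID) || nfct_get_attr_u32(obj, ATTR_ID) != nfct_get_attr_u32(ct, ATTR_ID))) return NFCT_CB_CONTINUE;`. If ctnetlink always reports an ID this is moot, but stating that in a comment is cheaper than relying on it. `update_cb` continues outside this hunk.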
@@ -754,11 +758,13 @@
 		op_type = NFCT_O_XML;
 	if (output_mask & _O_EXT)
 		op_flags = NFCT_OF_SHOW_LAYER3;
+	if (output_mask & _O_ID)
+		op_flags |= NFCT_OF_ID;
 
 	nfct_snprintf(buf, 1024, ct, NFCT_T_UNKNOWN, op_type, op_flags);
 	printf("%s\n", buf);
 
-	update_counter++;
+	counter++;
 
 	return NFCT_CB_CONTINUE;
 }
@@ -801,6 +807,7 @@
 	['g']	= CT_OPT_DST_NAT,
 	['m']	= CT_OPT_MARK,
 	['c']	= CT_OPT_SECMARK,
+	['i']	= CT_OPT_ID,
 };
 
 static const int opt2family_attr[][2] = {
@@ -821,8 +828,20 @@
 	['q']	= ATTR_REPL_L3PROTO,
 	['m']	= ATTR_MARK,
 	['c']	= ATTR_SECMARK,
+	['i']	= ATTR_ID,
 };
 
+static char exit_msg[][64] = {
+	[CT_LIST_BIT] 		= "%d flow entries has been shown.\n",
+	[CT_CREATE_BIT]		= "%d flow entries has been created.\n",
+	[CT_UPDATE_BIT]		= "%d flow entries has been updated.\n",
+	[CT_DELETE_BIT]		= "%d flow entries has been deleted.\n",
+	[CT_GET_BIT] 		= "%d flow entries has been shown.\n",
+	[CT_EVENT_BIT]		= "%d flow events has been shown.\n",
+	[EXP_LIST_BIT]		= "%d expectations has been shown.\n",
+	[EXP_DELETE_BIT]	= "%d expectations has been shown.\n",
+};
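Review bot: The `EXP_DELETE_BIT` message says "%d expectations has been shown." although the command deletes, so a successful expectation delete reports the wrong action; it should be `[EXP_DELETE_BIT] = "%d expectations have been deleted.\n",`. Since these are format strings later handed to `fprintf`, the table is better declared `static const char *const exit_msg[] = {` so they cannot be modified at runtime and the fixed 64-byte padding goes away. While at it, the counts are plural, so "have been" reads better than "has been" in every entry.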
+
 int main(int argc, char *argv[])
 {
 	int c, cmd;
@@ -853,7 +872,7 @@
 	register_icmpv6();
 
 	while ((c = getopt_long(argc, argv, "L::I::U::D::G::E::F::hVs:d:r:q:"
-					    "p:t:u:e:a:z[:]:{:}:m:i::f:o:n::"
+					    "p:t:u:e:a:z[:]:{:}:m:i:f:o:n::"
 					    "g::c:", 
 					    opts, NULL)) != -1) {
 	switch(c) {
@@ -999,6 +1018,7 @@
 			nat_parse(tmp, 1, obj, opt2type[c]);
 			break;
 		}
+		case 'i':
 		case 'm':
 		case 'c':
 			options |= opt2type[c];
@@ -1006,9 +1026,10 @@
 				exit_error(PARAMETER_PROBLEM, 
 					   "-%c requires value", c);
 
-			nfct_set_attr_u32(obj, opt2attr[c], atol(optarg));
+			nfct_set_attr_u32(obj,
+					  opt2attr[c],
+					  strtoul(optarg, NULL, 0));
 			break;
-		case 'i':
 		case 'a':
 			fprintf(stderr, "WARNING: ignoring -%c, "
 					"deprecated option.\n", c);
@@ -1084,10 +1105,6 @@
 			res = nfct_query(cth, NFCT_Q_DUMP, &family);
 
 		nfct_close(cth);
-
-		fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
-		fprintf(stderr, "%d flow entries has been shown.\n",
-			list_counter);
 		break;
 
 	case EXP_LIST:
@@ -1111,10 +1128,9 @@
 			exit_error(OTHER_PROBLEM, "Can't open handler");
 
 		res = nfct_query(cth, NFCT_Q_CREATE, obj);
+		if (res != -1)
+			counter++;
 		nfct_close(cth);
-		fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
-		fprintf(stderr, "%d flow entry has been created.\n",
-			res == -1 ? 0 : 1);
 		break;
 
 	case EXP_CREATE:
@@ -1142,10 +1158,6 @@
 		res = nfct_query(cth, NFCT_Q_DUMP, &family);
 		nfct_close(ith);
 		nfct_close(cth);
-
-		fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
-		fprintf(stderr, "%d flow entries has been updated.\n",
-			update_counter);
 		break;
 		
 	case CT_DELETE:
@@ -1159,10 +1171,6 @@
 		res = nfct_query(cth, NFCT_Q_DUMP, &family);
 		nfct_close(ith);
 		nfct_close(cth);
-
-		fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
-		fprintf(stderr, "%d flow entries has been deleted.\n", 
-			delete_counter);
 		break;
 
 	case EXP_DELETE:
@@ -1184,9 +1192,6 @@
 		nfct_callback_register(cth, NFCT_T_ALL, dump_cb, obj);
 		res = nfct_query(cth, NFCT_Q_GET, obj);
 		nfct_close(cth);
-		fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
-		fprintf(stderr, "%d flow entry has been shown.\n",
-			res == -1 ? 0 : 1);
 		break;
 
 	case EXP_GET:
@@ -1268,5 +1273,12 @@
 		exit_error(OTHER_PROBLEM, "Operation failed: %s",
 			   err2str(errno, command));
 
-	return 0;
+	if (exit_msg[cmd][0]) {
+		fprintf(stderr, "%s v%s: ", PROGNAME, VERSION);
+		fprintf(stderr, exit_msg[cmd], counter);
+		if (counter == 0 && !(command & (CT_LIST | EXP_LIST)))
+			return EXIT_FAILURE;
+	}
+
+	return EXIT_SUCCESS;
 }
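Review bot: `exit_msg[cmd][0]` indexes a table whose size is fixed by its largest designated initializer (`EXP_DELETE_BIT`), so if `cmd` is a command bit index and any command — EXP_CREATE, EXP_GET, the flush variants — has a larger bit value, this reads past the end of the array; declaring the table with an explicit size covering every command bit (the counterpart of `NUMBER_OF_OPT` for commands) makes the undesignated entries zero and the `[0]` test safe. I cannot see the command enum from here, so this is worth confirming against conntrack.h. The non-literal format in `fprintf(stderr, exit_msg[cmd], counter)` is fine for static data but will trip `-Wformat-nonliteral`; a one-line comment saying every entry takes exactly one `%d` would document the invariant. `main` starts outside this hunk.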



