[libnetfilter_conntrack] remove slip through change in conntrack_event.c

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Wed Jul 2 15:44:51 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=7107f4493e9a4a7fb92fe4133c8a108eef0a82f7
commit 7107f4493e9a4a7fb92fe4133c8a108eef0a82f7
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Jul 2 15:31:57 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Jul 2 15:31:57 2008 +0200

    remove slip through change in conntrack_event.c
       via  7107f4493e9a4a7fb92fe4133c8a108eef0a82f7 (commit)
      from  06b8c15ea6ab47ac660199303ea892a6fa60b890 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7107f4493e9a4a7fb92fe4133c8a108eef0a82f7
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Jul 2 15:31:57 2008 +0200

    remove slip through change in conntrack_event.c

-----------------------------------------------------------------------

 utils/conntrack_events.c |  250 +---------------------------------------------
 1 files changed, 1 insertions(+), 249 deletions(-)

diff --git a/utils/conntrack_events.c b/utils/conntrack_events.c
index 747cbdd..4be5d48 100644
--- a/utils/conntrack_events.c
+++ b/utils/conntrack_events.c
@@ -2,237 +2,7 @@
 #include <stdlib.h>
 #include <errno.h>
 
-#include <string.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <linux/netfilter/nfnetlink_conntrack.h>
-#include <linux/netfilter/nf_conntrack_tcp.h>
-#include <linux/filter.h>
-
-#define SKF_AD_NLATTR	12
-
-#define FILTER_REJECT	0x0000
-#define FILTER_ACCEPT	0xFFFF
-
-static int sk_set_filter(int fd)
-{
-	struct sock_filter filt[] = {
-		{
-			/* A=sizeof(struct nlmsghdr)+sizeof(struct nfgenmsg) */
-			.code	= BPF_LD|BPF_IMM,
-			.k	= sizeof(struct nlmsghdr) + sizeof(struct nfgenmsg),
-		},
-		{
-			/* X = CTA_PROTOINFO */
-			.code	= BPF_LDX|BPF_IMM,
-			.k	= CTA_PROTOINFO,
-		},
-		{
-			/* A = netlink attribute offset */
-			.code	= BPF_LD|BPF_B|BPF_ABS,
-			.k	= SKF_AD_OFF + SKF_AD_NLATTR,
-		},
-		{
-			/* Reject if not found (A == 0) */
-			.code	= BPF_JMP|BPF_JEQ|BPF_K,
-			.k	= 0,
-			.jt	= 20 - 3 - 1,
-		},
-
-		{
-			/* A += sizeof(struct nlattr) */
-			.code	= BPF_ALU|BPF_ADD|BPF_K,
-			.k	= sizeof(struct nlattr),
-		},
-		{
-			/* X = CTA_PROTOINFO_TCP */
-			.code	= BPF_LDX|BPF_IMM,
-			.k	= CTA_PROTOINFO_TCP,
-		},
-		{
-			/* A = netlink attribute offset */
-			.code	= BPF_LD|BPF_B|BPF_ABS,
-			.k	= SKF_AD_OFF + SKF_AD_NLATTR,
-		},
-		{
-			/* Reject if not found (A == 0) */
-			.code	= BPF_JMP|BPF_JEQ|BPF_K,
-			.k	= 0,
-			.jt	= 20 - 7 - 1,
-		},
-
-		{
-			/* A += sizeof(struct nlattr) */
-			.code	= BPF_ALU|BPF_ADD|BPF_K,
-			.k	= sizeof(struct nlattr),
-		},
-		{
-			/* X = CTA_PROTOINFO_TCP_STATE */
-			.code	= BPF_LDX|BPF_IMM,
-			.k	= CTA_PROTOINFO_TCP_STATE,
-		},
-		{
-			/* A = netlink attribute offset */
-			.code	= BPF_LD|BPF_B|BPF_ABS,
-			.k	= SKF_AD_OFF + SKF_AD_NLATTR,
-		},
-		{
-			/* Reject if not found (A == 0) */
-			.code	= BPF_JMP|BPF_JEQ|BPF_K,
-			.k	= 0,
-			.jt	= 20 - 11 - 1,
-		},
-
-		{
-			/* X = A */
-			.code	= BPF_MISC|BPF_TAX,
-		},
-		{
-			/* A = skb->data[X + k] */
-			.code	= BPF_LD|BPF_B|BPF_IND,
-			.k	= sizeof(struct nlattr),
-		},
-		{
-			/* Reject if A != TCA_CONNTRACK_ESTABLISHED */
-			.code	= BPF_JMP|BPF_JEQ|BPF_K,
-			.k	= TCP_CONNTRACK_ESTABLISHED,
-			.jt	= 20 - 14 - 1,
-		},
-
-		{
-			/* Reject */
-			.code	= BPF_RET|BPF_K,
-			.k	= 0,
-		},
-		[20]	= {
-			/* Accept */
-			.code	= BPF_RET|BPF_K,
-			.k	= 0xFFFF,
-		},
-	};
-	struct sock_fprog fprog = {
-		.len		= sizeof(filt) / sizeof(filt[0]),
-		.filter		= filt,
-	};
-
-	return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER,
-			  &fprog, sizeof(fprog));
-}
-
-#define LABEL_REJECT	29
-#define LABEL_ACCEPT	30
-
-struct sock_filter filter[] = {
-	[0] = {
-		/* A = sizeof(struct nlmsghdr) + sizeof(struct nfgenmsg) */
-		.code	= BPF_LD|BPF_IMM,
-		.k	= sizeof(struct nlmsghdr) + sizeof(struct nfgenmsg),
-	},
-	[1] = {
-		/* X = CTA_PROTOINFO */
-		.code	= BPF_LDX|BPF_IMM,
-		.k	= CTA_PROTOINFO,
-	},
-	[2] = {
-		/* A = netlink attribute offset */
-		.code	= BPF_LD|BPF_B|BPF_ABS,
-		.k	= SKF_AD_OFF + SKF_AD_NLATTR,
-	},
-	[3] = {
-		/* Reject if not found (A == 0) */
-		.code	= BPF_JMP|BPF_JEQ|BPF_K,
-		.k	= 0,
-		.jt	= LABEL_REJECT - 3 - 1,
-	},
-	[4] = {
-		/* A += sizeof(struct nlattr) */
-		.code	= BPF_ALU|BPF_ADD|BPF_K,
-		.k	= sizeof(struct nlattr),
-	},
-	[5] = {
-		/* X = CTA_PROTOINFO_TCP */
-		.code	= BPF_LDX|BPF_IMM,
-		.k	= CTA_PROTOINFO_TCP,
-	},
-	[6] = {
-		/* A = netlink attribute offset */
-		.code	= BPF_LD|BPF_B|BPF_ABS,
-		.k	= SKF_AD_OFF + SKF_AD_NLATTR,
-	},
-	[7] = {
-		/* Reject if not found (A == 0) */
-		.code	= BPF_JMP|BPF_JEQ|BPF_K,
-		.k	= 0,
-		.jt	= LABEL_REJECT - 7 - 1,
-	},
-	[8] = {
-		/* A += sizeof(struct nlattr) */
-		.code	= BPF_ALU|BPF_ADD|BPF_K,
-		.k	= sizeof(struct nlattr),
-	},
-	[9] = {
-		/* X = CTA_PROTOINFO_TCP_STATE */
-		.code	= BPF_LDX|BPF_IMM,
-		.k	= CTA_PROTOINFO_TCP_STATE,
-	},
-	[10] = {
-		/* A = netlink attribute offset */
-		.code	= BPF_LD|BPF_B|BPF_ABS,
-		.k	= SKF_AD_OFF + SKF_AD_NLATTR,
-	},
-	[11] = {
-		/* Reject if not found (A == 0) */
-		.code	= BPF_JMP|BPF_JEQ|BPF_K,
-		.k	= 0,
-		.jt	= LABEL_REJECT - 11 - 1,
-	},
-	[12] = {
-		/* X = A */
-		.code	= BPF_MISC|BPF_TAX,
-	},
-	[13] = {
-		/* A = skb->data[X + k] */
-		.code	= BPF_LD|BPF_B|BPF_IND,
-		.k	= sizeof(struct nlattr),
-	},
-#define FILTER_LINE 	14
-	/* 
-	 *
-	 * We add TCP states matching code here
-	 *
-	 */
-	[LABEL_REJECT] = {
-		/* Reject */
-		.code	= BPF_RET|BPF_K,
-		.k	= FILTER_REJECT,
-	},
-	[LABEL_ACCEPT] = {
-		/* Accept */
-		.code	= BPF_RET|BPF_K,
-		.k	= FILTER_ACCEPT,
-	},
-};
-
-static void build_bsf_netlink(int *tcp_state_array, int len)
-{
-	struct sock_filter reject = {
-		/* Reject */
-		.code	= BPF_RET|BPF_K,
-		.k	= 0,
-	};
-	int i;
-
-	for (i=0; i<len; i++) {
-		struct sock_filter cmp = {
-			.code	= BPF_JMP|BPF_JEQ|BPF_K,
-			.k	= tcp_state_array[i],
-			.jt	= LABEL_ACCEPT - (i + FILTER_LINE) - 1,
-		};
-
-		memcpy(&filter[i+FILTER_LINE],&cmp,sizeof(struct sock_filter));
-	}
-
-//	memcpy(&filter[i+FILTER_LINE],&reject,sizeof(struct sock_filter));
-}
 
 static int event_cb(enum nf_conntrack_msg_type type,
 		    struct nf_conntrack *ct,
@@ -241,7 +11,7 @@ static int event_cb(enum nf_conntrack_msg_type type,
 	static int n = 0;
 	char buf[1024];
 
-	nfct_snprintf(buf, 1024, ct, type, NFCT_O_PLAIN, NFCT_OF_TIME);
+	nfct_snprintf(buf, 1024, ct, type, NFCT_O_XML, NFCT_OF_TIME);
 	printf("%s\n", buf);
 
 	if (++n == 10)
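Review bot: The buffer bound on the rewritten nfct_snprintf call is the literal 1024, duplicated from the `char buf[1024]` declaration two lines above, so the two can drift apart if either is edited later; `nfct_snprintf(buf, sizeof(buf), ct, type, NFCT_O_XML, NFCT_OF_TIME);` ties the bound to the array. The call's return value is also discarded, and XML output for a conntrack entry is longer than the plain form, so a truncated record would be printed as if complete; checking the result against sizeof(buf) (assuming it follows the snprintf return convention, which should be verified against the library's documentation) would make truncation visible. event_cb's signature is in the preceding hunk's context and its body continues past this one.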
@@ -258,30 +28,12 @@ int main()
 	struct nf_conntrack *ct;
 	char buf[1024];
 
-	struct sock_fprog fprog = {
-		.len		= sizeof(filter) / sizeof(filter[0]),
-		.filter		= filter,
-	};
-
-	int i;
-	int state[] = { TCP_CONNTRACK_ESTABLISHED, 
-			TCP_CONNTRACK_FIN_WAIT };
-
-	build_bsf_netlink(state, sizeof(state)/sizeof(int));
-
 	h = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
 	if (!h) {
 		perror("nfct_open");
 		return 0;
 	}
 
-	if (setsockopt(nfct_fd(h), SOL_SOCKET, SO_ATTACH_FILTER, 
-		       &fprog, sizeof(fprog)) < 0) {
-//	if (sk_set_filter(nfct_fd(h)) < 0) {
-		perror("setsockopt");
-		return -1;
-	}
-
 	nfct_callback_register(h, NFCT_T_ALL, event_cb, NULL);
 
 	printf("TEST: waiting for 10 events...\n");


