[netfilter-cvslog] [libnetfilter_conntrack] branch, master, updated. svn_t_libnetfilter_conntrack-0.0.89-12-g3dedd39
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Fri May 16 16:52:51 CEST 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=3dedd39ac8c3f4c9b3503e6a9b602fdf0341c7ed
Commit: 3dedd39ac8c3f4c9b3503e6a9b602fdf0341c7ed
Parent: 71006b474001e697a30719d1ae3e66fefa9f181b
The branch, master has been updated
via 3dedd39ac8c3f4c9b3503e6a9b602fdf0341c7ed (commit)
from 71006b474001e697a30719d1ae3e66fefa9f181b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3dedd39ac8c3f4c9b3503e6a9b602fdf0341c7ed
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Fri May 16 15:50:08 2008 +0200
fix __nfct_l4 structure layout (specifically, ICMP)
fix nfct_cmp(): add port comparison, better ICMP support
-----------------------------------------------------------------------
commit 3dedd39ac8c3f4c9b3503e6a9b602fdf0341c7ed
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Fri May 16 15:50:08 2008 +0200
fix __nfct_l4 structure layout (specifically, ICMP)
fix nfct_cmp(): add port comparison, better ICMP support
diff --git a/configure.in b/configure.in
index 0f895d7..a238a3f 100644
--- a/configure.in
+++ b/configure.in
@@ -4,7 +4,7 @@ AC_INIT
AC_CANONICAL_SYSTEM
-AM_INIT_AUTOMAKE(libnetfilter_conntrack, 0.0.93)
+AM_INIT_AUTOMAKE(libnetfilter_conntrack, 0.0.94)
AC_PROG_CC
AM_PROG_LIBTOOL
diff --git a/include/internal.h b/include/internal.h
index ae1bd9d..039c64c 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -62,7 +62,7 @@ struct nfct_handle {
void *data);
};
-union __nfct_l4 {
+union __nfct_l4_src {
/* Add other protocols here. */
u_int16_t all;
struct {
@@ -72,7 +72,6 @@ union __nfct_l4 {
u_int16_t port;
} udp;
struct {
- u_int8_t type, code;
u_int16_t id;
} icmp;
struct {
@@ -80,6 +79,23 @@ union __nfct_l4 {
} sctp;
};
+union __nfct_l4_dst {
+ /* Add other protocols here. */
+ u_int16_t all;
+ struct {
+ u_int16_t port;
+ } tcp;
+ struct {
+ u_int16_t port;
+ } udp;
+ struct {
+ u_int8_t type, code;
+ } icmp;
+ struct {
+ u_int16_t port;
+ } sctp;
+};
+
union __nfct_address {
u_int32_t v4;
struct in6_addr v6;
@@ -91,8 +107,8 @@ struct __nfct_tuple {
u_int8_t l3protonum;
u_int8_t protonum;
- union __nfct_l4 l4src;
- union __nfct_l4 l4dst;
+ union __nfct_l4_src l4src;
+ union __nfct_l4_dst l4dst;
struct {
u_int32_t correction_pos;
@@ -123,7 +139,7 @@ struct __nfct_counters {
struct __nfct_nat {
u_int32_t min_ip, max_ip;
- union __nfct_l4 l4min, l4max;
+ union __nfct_l4_src l4min, l4max;
};
struct nf_conntrack {
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
index d1597c3..cd51f9d 100644
--- a/src/conntrack/compare.c
+++ b/src/conntrack/compare.c
@@ -19,10 +19,47 @@ static int cmp_orig(const struct nf_conntrack *ct1,
return 0;
if (test_bit(ATTR_ORIG_L4PROTO, ct1->set) &&
- test_bit(ATTR_ORIG_L4PROTO, ct2->set) &&
- ct1->tuple[__DIR_ORIG].protonum !=
- ct2->tuple[__DIR_ORIG].protonum)
- return 0;
+ test_bit(ATTR_ORIG_L4PROTO, ct2->set)) {
+
+ if (ct1->tuple[__DIR_ORIG].protonum !=
+ ct2->tuple[__DIR_ORIG].protonum)
+ return 0;
+
+ switch(ct1->tuple[__DIR_ORIG].protonum) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ if (test_bit(ATTR_ICMP_ID, ct1->set) &&
+ test_bit(ATTR_ICMP_ID, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].l4src.icmp.id !=
+ ct2->tuple[__DIR_ORIG].l4src.icmp.id)
+ return 0;
+
+ if (test_bit(ATTR_ICMP_TYPE, ct1->set) &&
+ test_bit(ATTR_ICMP_TYPE, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].l4dst.icmp.type !=
+ ct2->tuple[__DIR_ORIG].l4dst.icmp.type)
+ return 0;
+
+ if (test_bit(ATTR_ICMP_CODE, ct1->set) &&
+ test_bit(ATTR_ICMP_CODE, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].l4dst.icmp.code !=
+ ct2->tuple[__DIR_ORIG].l4dst.icmp.code)
+ return 0;
+ break;
+ default:
+ if (test_bit(ATTR_ORIG_PORT_SRC, ct1->set) &&
+ test_bit(ATTR_ORIG_PORT_SRC, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].l4src.all !=
+ ct2->tuple[__DIR_ORIG].l4src.all)
+ return 0;
+
+ if (test_bit(ATTR_ORIG_PORT_DST, ct1->set) &&
+ test_bit(ATTR_ORIG_PORT_DST, ct2->set) &&
+ ct1->tuple[__DIR_ORIG].l4dst.all !=
+ ct2->tuple[__DIR_ORIG].l4dst.all)
+ return 0;
+ }
+ }
if (test_bit(ATTR_ORIG_IPV4_SRC, ct1->set) &&
test_bit(ATTR_ORIG_IPV4_SRC, ct2->set) &&
@@ -65,10 +102,47 @@ static int cmp_repl(const struct nf_conntrack *ct1,
return 0;
if (test_bit(ATTR_REPL_L4PROTO, ct1->set) &&
- test_bit(ATTR_REPL_L4PROTO, ct2->set) &&
- ct1->tuple[__DIR_REPL].protonum !=
- ct2->tuple[__DIR_REPL].protonum)
- return 0;
+ test_bit(ATTR_REPL_L4PROTO, ct2->set)) {
+
+ if (ct1->tuple[__DIR_REPL].protonum !=
+ ct2->tuple[__DIR_REPL].protonum)
+ return 0;
+
+ switch(ct1->tuple[__DIR_REPL].protonum) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ if (test_bit(ATTR_ICMP_ID, ct1->set) &&
+ test_bit(ATTR_ICMP_ID, ct2->set) &&
+ ct1->tuple[__DIR_REPL].l4src.icmp.id !=
+ ct2->tuple[__DIR_REPL].l4src.icmp.id)
+ return 0;
+
+ if (test_bit(ATTR_ICMP_TYPE, ct1->set) &&
+ test_bit(ATTR_ICMP_TYPE, ct2->set) &&
+ ct1->tuple[__DIR_REPL].l4dst.icmp.type !=
+ ct2->tuple[__DIR_REPL].l4dst.icmp.type)
+ return 0;
+
+ if (test_bit(ATTR_ICMP_CODE, ct1->set) &&
+ test_bit(ATTR_ICMP_CODE, ct2->set) &&
+ ct1->tuple[__DIR_REPL].l4dst.icmp.code !=
+ ct2->tuple[__DIR_REPL].l4dst.icmp.code)
+ return 0;
+ break;
+ default:
+ if (test_bit(ATTR_REPL_PORT_SRC, ct1->set) &&
+ test_bit(ATTR_REPL_PORT_SRC, ct2->set) &&
+ ct1->tuple[__DIR_REPL].l4src.all !=
+ ct2->tuple[__DIR_REPL].l4src.all)
+ return 0;
+
+ if (test_bit(ATTR_REPL_PORT_DST, ct1->set) &&
+ test_bit(ATTR_REPL_PORT_DST, ct2->set) &&
+ ct1->tuple[__DIR_REPL].l4dst.all !=
+ ct2->tuple[__DIR_REPL].l4dst.all)
+ return 0;
+ }
+ }
if (test_bit(ATTR_REPL_IPV4_SRC, ct1->set) &&
test_bit(ATTR_REPL_IPV4_SRC, ct2->set) &&
hooks/post-receive
--
libnetfilter_conntrack
More information about the netfilter-cvslog
mailing list