[conntrack-tools] conntrack: add GRE support

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Sat Apr 18 17:06:49 CEST 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=a9554339451a0698e33b0964d0e8113f714470a4
commit a9554339451a0698e33b0964d0e8113f714470a4
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Apr 18 17:05:13 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Apr 18 17:05:13 2009 +0200

    conntrack: add GRE support
    
    This patch adds GRE support for the command line tool conntrack.
    With this patch, we support all protocols available in the kernel.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  a9554339451a0698e33b0964d0e8113f714470a4 (commit)
      from  575fc906a302599cb9afeb136096dfd96bb57b17 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a9554339451a0698e33b0964d0e8113f714470a4
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sat Apr 18 17:05:13 2009 +0200

    conntrack: add GRE support
    
    This patch adds GRE support for the command line tool conntrack.
    With this patch, we support all protocols available in the kernel.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.

-----------------------------------------------------------------------

 conntrack.8                  |   14 +++
 extensions/Makefile.am       |    4 +-
 extensions/libct_proto_gre.c |  192 ++++++++++++++++++++++++++++++++++++++++++
 include/conntrack.h          |    1 +
 src/Makefile.am              |    2 +-
 src/conntrack.c              |    1 +
 6 files changed, 212 insertions(+), 2 deletions(-)
 create mode 100644 extensions/libct_proto_gre.c
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.

diff --git a/conntrack.8 b/conntrack.8
index e875940..6aa5c3b 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -254,6 +254,20 @@ Destination port in reply direction
 .BI "--state " "[NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]"
 DCCP state
 .TP
+GRE-specific fields:
+.TP
+.BI "--srckey, --orig-key-src " "KEY"
+Source key in original direction (in hexadecimal or decimal)
+.TP
+.BI "--dstkey, --orig-key-dst " "KEY"
+Destination key in original direction (in hexadecimal or decimal)
+.TP
+.BI "--reply-key-src " "KEY"
+Source key in reply direction (in hexadecimal or decimal)
+.TP
+.BI "--reply-key-dst " "KEY"
+Destination key in reply direction (in hexadecimal or decimal)
+.TP
 .SH DIAGNOSTICS
 The exit code is 0 for correct function.  Errors which appear to be caused by
 invalid command line parameters cause an exit code of 2.  Any other errors
diff --git a/extensions/Makefile.am b/extensions/Makefile.am
index dc7bff5..c36c3a1 100644
--- a/extensions/Makefile.am
+++ b/extensions/Makefile.am
@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am
 noinst_LTLIBRARIES = libct_proto_tcp.la libct_proto_udp.la \
 		     libct_proto_icmp.la libct_proto_icmpv6.la \
 		     libct_proto_unknown.la libct_proto_udplite.la \
-		     libct_proto_sctp.la libct_proto_dccp.la
+		     libct_proto_sctp.la libct_proto_dccp.la \
+		     libct_proto_gre.la
 
 libct_proto_tcp_la_SOURCES = libct_proto_tcp.c
 libct_proto_udp_la_SOURCES = libct_proto_udp.c
@@ -13,3 +14,4 @@ libct_proto_icmpv6_la_SOURCES = libct_proto_icmpv6.c
 libct_proto_unknown_la_SOURCES = libct_proto_unknown.c
 libct_proto_sctp_la_SOURCES = libct_proto_sctp.c
 libct_proto_dccp_la_SOURCES = libct_proto_dccp.c
+libct_proto_gre_la_SOURCES = libct_proto_gre.c
diff --git a/extensions/libct_proto_gre.c b/extensions/libct_proto_gre.c
new file mode 100644
index 0000000..0274a37
--- /dev/null
+++ b/extensions/libct_proto_gre.c
@@ -0,0 +1,192 @@
+/*
+ * (C) 2009 by Pablo Neira Ayuso <pablo at netfilter.org>
+ *
+ *      This program is free software; you can redistribute it and/or modify
+ *      it under the terms of the GNU General Public License as published by
+ *      the Free Software Foundation; either version 2 of the License, or
+ *      (at your option) any later version.
+ *
+ */
+#include <stdio.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <netinet/in.h> /* For htons */
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+#include "conntrack.h"
+
+enum {
+	CT_GRE_ORIG_SKEY =	(1 << 0),
+	CT_GRE_ORIG_DKEY =	(1 << 1),
+	CT_GRE_REPL_SKEY =	(1 << 2),
+	CT_GRE_REPL_DKEY =	(1 << 3),
+	CT_GRE_MASK_SKEY =	(1 << 4),
+	CT_GRE_MASK_DKEY =	(1 << 5),
+	CT_GRE_EXPTUPLE_SKEY =	(1 << 6),
+	CT_GRE_EXPTUPLE_DKEY =	(1 << 7)
+};
+
+#define GRE_OPT_MAX	11
+static struct option opts[GRE_OPT_MAX] = {
+	{ "orig-key-src",	.has_arg = 1, .val = '1' },
+	{ "srckey",		.has_arg = 1, .val = '1' },
+	{ "orig-key-dst",	.has_arg = 1, .val = '2' },
+	{ "dstkey",		.has_arg = 1, .val = '2' },
+	{ "reply-key-src",	.has_arg = 1, .val = '3' },
+	{ "reply-key-dst",	.has_arg = 1, .val = '4' },
+	{ "mask-key-src",	.has_arg = 1, .val = '5' },
+	{ "mask-key-dst",	.has_arg = 1, .val = '6' },
+	{ "tuple-key-src",	.has_arg = 1, .val = '7' },
+	{ "tuple-key-dst",	.has_arg = 1, .val = '8' },
+	{0, 0, 0, 0}
+};
+
+static const char *gre_optflags[GRE_OPT_MAX] = {
+	[0] = "srckey",
+	[1] = "dstkey",
+	[2] = "reply-key-src",
+	[3] = "reply-key-dst",
+	[4] = "mask-key-src",
+	[5] = "mask-key-dst",
+	[6] = "tuple-key-src",
+	[7] = "tuple-key-dst"
+};
+
+static void help(void)
+{
+	fprintf(stdout, "  --orig-key-src\t\toriginal source key\n");
+	fprintf(stdout, "  --orig-key-dst\t\toriginal destination key\n");
+	fprintf(stdout, "  --reply-key-src\t\treply source key\n");
+	fprintf(stdout, "  --reply-key-dst\t\treply destination key\n");
+	fprintf(stdout, "  --mask-key-src\t\tmask source key\n");
+	fprintf(stdout, "  --mask-key-dst\t\tmask destination key\n");
+	fprintf(stdout, "  --tuple-key-src\t\texpectation tuple src key\n");
+	fprintf(stdout, "  --tuple-key-src\t\texpectation tuple dst key\n");
+}
+
+static char gre_commands_v_options[NUMBER_OF_CMD][GRE_OPT_MAX] =
+{
+		/* 1 2 3 4 5 6 7 8 */
+/*CT_LIST*/	  {2,2,2,2,0,0,0,0},
+/*CT_CREATE*/	  {3,3,3,3,0,0,0,0},
+/*CT_UPDATE*/	  {2,2,2,2,0,0,0,0},
+/*CT_DELETE*/	  {2,2,2,2,0,0,0,0},
+/*CT_GET*/	  {3,3,3,3,0,0,0,0},
+/*CT_FLUSH*/	  {0,0,0,0,0,0,0,0},
+/*CT_EVENT*/	  {2,2,2,2,0,0,0,0},
+/*CT_VERSION*/	  {0,0,0,0,0,0,0,0},
+/*CT_HELP*/	  {0,0,0,0,0,0,0,0},
+/*EXP_LIST*/	  {0,0,0,0,0,0,0,0},
+/*EXP_CREATE*/	  {1,1,1,1,1,1,1,1},
+/*EXP_DELETE*/	  {1,1,1,1,0,0,0,0},
+/*EXP_GET*/	  {1,1,1,1,0,0,0,0},
+/*EXP_FLUSH*/	  {0,0,0,0,0,0,0,0},
+/*EXP_EVENT*/	  {0,0,0,0,0,0,0,0},
+};
+
+static int parse_options(char c,
+			 struct nf_conntrack *ct,
+			 struct nf_conntrack *exptuple,
+			 struct nf_conntrack *mask,
+			 unsigned int *flags)
+{
+	switch(c) {
+	u_int16_t port;
+	case '1':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, port);
+		nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_ORIG_SKEY;
+		break;
+	case '2':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(ct, ATTR_ORIG_PORT_DST, port);
+		nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_ORIG_DKEY;
+		break;
+	case '3':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(ct, ATTR_REPL_PORT_SRC, port);
+		nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_REPL_SKEY;
+		break;
+	case '4':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(ct, ATTR_REPL_PORT_DST, port);
+		nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_REPL_DKEY;
+		break;
+	case '5':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, port);
+		nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_MASK_SKEY;
+		break;
+	case '6':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, port);
+		nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_MASK_DKEY;
+		break;
+	case '7':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_SRC, port);
+		nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_EXPTUPLE_SKEY;
+		break;
+	case '8':
+		port = htons(strtoul(optarg, NULL, 0));
+		nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_DST, port);
+		nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_GRE);
+		*flags |= CT_GRE_EXPTUPLE_DKEY;
+		break;
+	}
+	return 1;
+}
+
+#define GRE_VALID_FLAGS_MAX   2
+static unsigned int gre_valid_flags[GRE_VALID_FLAGS_MAX] = {
+       CT_GRE_ORIG_SKEY | CT_GRE_ORIG_DKEY,
+       CT_GRE_REPL_SKEY | CT_GRE_REPL_DKEY,
+};
+
+static void final_check(unsigned int flags,
+		        unsigned int cmd,
+		        struct nf_conntrack *ct)
+{
+	int ret, partial;
+
+	ret = generic_opt_check(flags, GRE_OPT_MAX,
+				gre_commands_v_options[cmd], gre_optflags,
+				gre_valid_flags, GRE_VALID_FLAGS_MAX, &partial);
+	if (!ret) {
+		switch(partial) {
+		case -1:
+		case 0:
+			exit_error(PARAMETER_PROBLEM, "you have to specify "
+						      "`--srckey' and "
+						      "`--dstkey'");
+			break;
+		case 1:
+			exit_error(PARAMETER_PROBLEM, "you have to specify "
+						      "`--reply-src-key' and "
+						      "`--reply-dst-key'");
+			break;
+		}
+	}
+}
+
+static struct ctproto_handler gre = {
+	.name 			= "gre",
+	.protonum		= IPPROTO_GRE,
+	.parse_opts		= parse_options,
+	.final_check		= final_check,
+	.help			= help,
+	.opts			= opts,
+	.version		= VERSION,
+};
+
+void register_gre(void)
+{
+	register_proto(&gre);
+}
diff --git a/include/conntrack.h b/include/conntrack.h
index 30a5fb4..61e7581 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -200,6 +200,7 @@ extern void register_sctp(void);
 extern void register_dccp(void);
 extern void register_icmp(void);
 extern void register_icmpv6(void);
+extern void register_gre(void);
 extern void register_unknown(void);
 
 #endif
diff --git a/src/Makefile.am b/src/Makefile.am
index 8a0c548..8a45bf9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,7 +7,7 @@ CLEANFILES = read_config_yy.c read_config_lex.c
 sbin_PROGRAMS = conntrack conntrackd
 
 conntrack_SOURCES = conntrack.c
-conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_udplite.la ../extensions/libct_proto_icmp.la ../extensions/libct_proto_icmpv6.la ../extensions/libct_proto_sctp.la ../extensions/libct_proto_dccp.la ../extensions/libct_proto_unknown.la
+conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_udplite.la ../extensions/libct_proto_icmp.la ../extensions/libct_proto_icmpv6.la ../extensions/libct_proto_sctp.la ../extensions/libct_proto_dccp.la ../extensions/libct_proto_gre.la ../extensions/libct_proto_unknown.la
 conntrack_LDFLAGS = $(all_libraries) @LIBNETFILTER_CONNTRACK_LIBS@
 
 conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \
diff --git a/src/conntrack.c b/src/conntrack.c
index 8e28d86..42b5133 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1056,6 +1056,7 @@ int main(int argc, char *argv[])
 	register_dccp();
 	register_icmp();
 	register_icmpv6();
+	register_gre();
 	register_unknown();
 
 	/* disable explicit missing arguments error output from getopt_long */


