[conntrack-tools] conntrackd: add ICMP support for state-synchronization
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Wed Dec 23 18:14:22 CET 2009
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=65645763ebe870fa01b5c1a5dbe810feb9397ff2
commit 65645763ebe870fa01b5c1a5dbe810feb9397ff2
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Oct 6 11:19:28 2009 +0200
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Dec 19 15:24:20 2009 +0100
conntrackd: add ICMP support for state-synchronization
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 2f52fea14f94fb267e22280bce2d45f44c3b34f0
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Dec 19 13:55:00 2009 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Dec 19 13:55:00 2009 +0100
conntrackd: use indirect call to build layer 4 protocol information
With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
via 65645763ebe870fa01b5c1a5dbe810feb9397ff2 (commit)
via 2f52fea14f94fb267e22280bce2d45f44c3b34f0 (commit)
from 8ad5df6121c46753a6d12fafa5ab9da309ddb721 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 65645763ebe870fa01b5c1a5dbe810feb9397ff2
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue Oct 6 11:19:28 2009 +0200
conntrackd: add ICMP support for state-synchronization
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 2f52fea14f94fb267e22280bce2d45f44c3b34f0
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Sat Dec 19 13:55:00 2009 +0100
conntrackd: use indirect call to build layer 4 protocol information
With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
doc/sync/alarm/conntrackd.conf | 1 +
doc/sync/ftfw/conntrackd.conf | 1 +
doc/sync/notrack/conntrackd.conf | 1 +
include/network.h | 3 ++
src/build.c | 62 +++++++++++++++++++++++++++++++-------
src/parse.c | 15 +++++++++
6 files changed, 72 insertions(+), 11 deletions(-)
With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/src/build.c b/src/build.c
index 92760f2..defb2ec 100644
--- a/src/build.c
+++ b/src/build.c
@@ -97,9 +97,50 @@ static enum nf_conntrack_attr nat_type[] =
ATTR_ORIG_NAT_SEQ_OFFSET_AFTER, ATTR_REPL_NAT_SEQ_CORRECTION_POS,
ATTR_REPL_NAT_SEQ_OFFSET_BEFORE, ATTR_REPL_NAT_SEQ_OFFSET_AFTER };
+static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n)
+{
+ if (!nfct_attr_is_set(ct, ATTR_TCP_STATE))
+ return;
+
+ __build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
+}
+
+static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n)
+{
+ if (!nfct_attr_is_set(ct, ATTR_SCTP_STATE))
+ return;
+
+ __build_u8(ct, ATTR_SCTP_STATE, n, NTA_SCTP_STATE);
+ __build_u32(ct, ATTR_SCTP_VTAG_ORIG, n, NTA_SCTP_VTAG_ORIG);
+ __build_u32(ct, ATTR_SCTP_VTAG_REPL, n, NTA_SCTP_VTAG_REPL);
+}
+
+static void build_l4proto_dccp(const struct nf_conntrack *ct, struct nethdr *n)
+{
+ if (!nfct_attr_is_set(ct, ATTR_DCCP_STATE))
+ return;
+
+ __build_u8(ct, ATTR_DCCP_STATE, n, NTA_DCCP_STATE);
+ __build_u8(ct, ATTR_DCCP_ROLE, n, NTA_DCCP_ROLE);
+}
+
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+
+static struct build_l4proto {
+ void (*build)(const struct nf_conntrack *, struct nethdr *n);
+} l4proto_fcn[IPPROTO_MAX] = {
+ [IPPROTO_TCP] = { .build = build_l4proto_tcp },
+ [IPPROTO_SCTP] = { .build = build_l4proto_sctp },
+ [IPPROTO_DCCP] = { .build = build_l4proto_dccp },
+};
+
/* XXX: ICMP not supported */
void build_payload(const struct nf_conntrack *ct, struct nethdr *n)
{
+ uint8_t l4proto = nfct_get_attr_u8(ct, ATTR_L4PROTO);
+
if (nfct_attr_grp_is_set(ct, ATTR_GRP_ORIG_IPV4)) {
__build_group(ct, ATTR_GRP_ORIG_IPV4, n, NTA_IPV4,
sizeof(struct nfct_attr_grp_ipv4));
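Review bot: The dispatch table `l4proto_fcn[IPPROTO_MAX]` is indexed by the `uint8_t l4proto` read at the top of build_payload, and nothing in the hunk records why that index cannot overrun the table. On Linux/glibc IPPROTO_MAX is 256, so an 8-bit protocol number always lands inside it, but the table size and the index type are declared far apart and a reader of the lookup in the next hunk has to check both. A one-line comment on the table, `/* indexed by the 8-bit ATTR_L4PROTO value, so IPPROTO_MAX (256) entries cover every possible index */`, would make that invariant explicit. The `#ifndef IPPROTO_DCCP` fallback sits between two function definitions; moving it up next to the includes would keep the handlers and the table contiguous. build_payload continues into the next hunk.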
@@ -116,16 +157,8 @@ void build_payload(const struct nf_conntrack *ct, struct nethdr *n)
__build_u32(ct, ATTR_STATUS, n, NTA_STATUS);
- if (nfct_attr_is_set(ct, ATTR_TCP_STATE))
- __build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE);
- else if (nfct_attr_is_set(ct, ATTR_SCTP_STATE)) {
- __build_u8(ct, ATTR_SCTP_STATE, n, NTA_SCTP_STATE);
- __build_u32(ct, ATTR_SCTP_VTAG_ORIG, n, NTA_SCTP_VTAG_ORIG);
- __build_u32(ct, ATTR_SCTP_VTAG_REPL, n, NTA_SCTP_VTAG_REPL);
- } else if (nfct_attr_is_set(ct, ATTR_DCCP_STATE)) {
- __build_u8(ct, ATTR_DCCP_STATE, n, NTA_DCCP_STATE);
- __build_u8(ct, ATTR_DCCP_ROLE, n, NTA_DCCP_ROLE);
- }
+ if (l4proto_fcn[l4proto].build)
+ l4proto_fcn[l4proto].build(ct, n);
if (!CONFIG(commit_timeout) && nfct_attr_is_set(ct, ATTR_TIMEOUT))
__build_u32(ct, ATTR_TIMEOUT, n, NTA_TIMEOUT);
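Review bot: The lookup `l4proto_fcn[l4proto].build` changes what happens when ATTR_L4PROTO is not set on the conntrack object: the removed chain keyed on whichever *_STATE attribute was present, while the new code keys on the protocol number alone, so an object without ATTR_L4PROTO now emits no layer-4 information at all instead of falling through to a matching state attribute. If nfct_get_attr_u8 yields 0 for an unset attribute (which is how I understand libnetfilter_conntrack behaves), slot 0 of the table has no handler and this is a silent no-op rather than an out-of-bounds read, but that reliance is worth stating at the lookup: `/* unset ATTR_L4PROTO reads as 0 (no handler): no l4 info is emitted */`. A debug-level log on the no-handler path would make missing protocol data diagnosable on the sending node rather than surfacing as a state mismatch on the peer. build_payload starts in the previous hunk and may continue past this one.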