[conntrack-tools] conntrackd: use conntrack ID in the cache lookup

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Tue Jul 21 17:07:17 CEST 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=817f847b52bb05c924491deb994194fd5c1c3ba2
commit 817f847b52bb05c924491deb994194fd5c1c3ba2
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Jul 21 16:58:43 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Jul 21 16:58:43 2009 +0200

    conntrackd: use conntrack ID in the cache lookup
    
    This patch adds the conntrack ID to the comparison that is made in
    the lookup of entries that are stored in the cache. For old kernels,
    this field is set to zero for all entries so this patch does not
    make any difference. For recent kernels, this allows keeping two
    entries with the same tuple and different IDs: this is possible if
    NetlinkEventsReliable is set on. Moreover, this patch is useful to
    test that the reliable ctnetlink event delivery in 2.6.31 works fine.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit e55321739fa5e04920feeb2a25b02073d8eb9e10
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Jul 21 16:57:54 2009 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Jul 21 16:57:54 2009 +0200

    conntrackd: add support for IPv6 kernel-space filtering via BSF
    
    This patch adds the missing support to filter IPv6 from kernel-space
    by means of the BSF API that libnetfilter_conntrack provides.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  817f847b52bb05c924491deb994194fd5c1c3ba2 (commit)
       via  e55321739fa5e04920feeb2a25b02073d8eb9e10 (commit)
      from  0521db731c0daa417a3dfb67fba7c6f80596e553 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 817f847b52bb05c924491deb994194fd5c1c3ba2
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Jul 21 16:58:43 2009 +0200

    conntrackd: use conntrack ID in the cache lookup
    
    This patch adds the conntrack ID to the comparison that is made in
    the lookup of entries that are stored in the cache. For old kernels,
    this field is set to zero for all entries so this patch does not
    make any difference. For recent kernels, this allows keeping two
    entries with the same tuple and different IDs: this is possible if
    NetlinkEventsReliable is set on. Moreover, this patch is useful to
    test that the reliable ctnetlink event delivery in 2.6.31 works fine.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit e55321739fa5e04920feeb2a25b02073d8eb9e10
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Jul 21 16:57:54 2009 +0200

    conntrackd: add support for IPv6 kernel-space filtering via BSF
    
    This patch adds the missing support to filter IPv6 from kernel-space
    by means of the BSF API that libnetfilter_conntrack provides.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 doc/stats/conntrackd.conf        |    1 +
 doc/sync/alarm/conntrackd.conf   |    3 +++
 doc/sync/ftfw/conntrackd.conf    |    3 +++
 doc/sync/notrack/conntrackd.conf |    3 +++
 include/cidr.h                   |    1 +
 src/cache.c                      |    4 +++-
 src/cidr.c                       |   11 +++++++++++
 src/read_config_yy.y             |   17 ++++++++++++++++-
 8 files changed, 41 insertions(+), 2 deletions(-)
This patch adds the missing support to filter IPv6 from kernel-space
by means of the BSF API that libnetfilter_conntrack provides.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index ef6a698..0941f64 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -88,6 +88,7 @@ General {
 		#
 		Address Ignore {
 			IPv4_address 127.0.0.1 # loopback
+			# IPv6_address ::1
 		}
 
 		#
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 805a531..800012f 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -351,6 +351,9 @@ General {
 			#
 			# You can also specify networks in format IP/cidr.
 			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
 		}
 
 		#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index ceca224..602c3d1 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -361,6 +361,9 @@ General {
 			#
 			# You can also specify networks in format IP/cidr.
 			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
 		}
 
 		#
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 1efeb81..6968025 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -341,6 +341,9 @@ General {
 			#
 			# You can also specify networks in format IP/cidr.
 			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
 		}
 
 		#
diff --git a/include/cidr.h b/include/cidr.h
index f8a4e2a..413c321 100644
--- a/include/cidr.h
+++ b/include/cidr.h
@@ -4,5 +4,6 @@ uint32_t ipv4_cidr2mask_host(uint8_t cidr);
 uint32_t ipv4_cidr2mask_net(uint8_t cidr);
 void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res);
 void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res);
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res);
 
 #endif
diff --git a/src/cidr.c b/src/cidr.c
index d43dabc..91025b6 100644
--- a/src/cidr.c
+++ b/src/cidr.c
@@ -57,3 +57,14 @@ void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
 		res[i] = htonl(res[i]);
 }
 
+/* I need this function because I initially defined an IPv6 address as
+ * uint32 u[4]. Using char u[16] instead would allow to remove this. */
+void ipv6_addr2addr_host(uint32_t *addr, uint32_t *res)
+{
+	int i;
+
+	memset(res, 0, sizeof(uint32_t)*4);
+	for (i = 0;  i < 4; i++) {
+		res[i] = ntohl(addr[i]);
+	}
+}
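Review bot: The `memset` on the line before the loop is dead work, because the loop that follows assigns all four words of `res` unconditionally; either the memset or the loop is enough on its own. `addr` is only ever read through `ntohl`, so the definition here and the matching prototype added in include/cidr.h should take it as `const uint32_t *addr`, which lets callers pass const storage and documents that the input is not modified. The literal 4 appears twice (memset size and loop bound) and stands for the IPv6 address length in 32-bit words; a named constant in the style of `enum { IPV6_ADDR_WORDS = 4 };` (constructed name) would tie the two uses together and make the author's own comment about the `uint32 u[4]` layout self-describing.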
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 87f99b6..f3f4730 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1053,6 +1053,12 @@ filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}'
 	nfct_filter_set_logic(STATE(filter),
 			      NFCT_FILTER_DST_IPV4,
 			      NFCT_FILTER_LOGIC_NEGATIVE);
+	nfct_filter_set_logic(STATE(filter),
+			      NFCT_FILTER_SRC_IPV6,
+			      NFCT_FILTER_LOGIC_NEGATIVE);
+	nfct_filter_set_logic(STATE(filter),
+			      NFCT_FILTER_DST_IPV6,
+			      NFCT_FILTER_LOGIC_NEGATIVE);
 };
 
 filter_address_list :
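Review bot: The two added `nfct_filter_set_logic` calls discard the function's return value, as the IPv4 calls directly above them already do, so a failure to install negative logic for the IPv6 attributes would go unnoticed and the ignore pool could end up matching the opposite set of flows without any diagnostic. Since the library reports failure with a -1 return, wrapping the IPv6 pair as `if (nfct_filter_set_logic(STATE(filter), NFCT_FILTER_SRC_IPV6, NFCT_FILTER_LOGIC_NEGATIVE) == -1)` and reporting through whatever error path the grammar already uses for the ignore pool would make the filter setup fail loudly instead of silently; the same guard would then be worth adding to the existing IPv4 calls for consistency. The action block for this rule starts before the hunk.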
@@ -1121,7 +1127,8 @@ filter_address_item : T_IPV6_ADDR T_IP
 {
 	union inet_address ip;
 	char *slash;
-	int cidr;
+	int cidr = 128;
+	struct nfct_filter_ipv6 filter_ipv6;
 
 	memset(&ip, 0, sizeof(union inet_address));
 
@@ -1166,6 +1173,14 @@ filter_address_item : T_IPV6_ADDR T_IP
 							"ignore pool!");
 		}
 	}
+	__kernel_filter_start();
+
+	/* host byte order */
+	ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr);
+	ipv6_cidr2mask_host(cidr, filter_ipv6.mask);
+
+	nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6);
+	nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6);
 };
 
 filter_item : T_STATE T_ACCEPT '{' filter_state_list '}'
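Review bot: `cidr` is declared as `int` (in the earlier hunk of this file) but `ipv6_cidr2mask_host` takes a `uint8_t`, so a prefix length outside 0..128 that reaches the call on the line after the "host byte order" comment would be narrowed silently and yield a wrong mask rather than an error; the prefix parsing sits outside this hunk, so I cannot confirm whether a range check already exists there. A guard in front of the conversion, `if (cidr < 0 || cidr > 128) { /* report and skip the kernel filter */ }`, or narrowing `cidr` to `uint8_t` where it is parsed, would pin that contract in one place. `filter_ipv6` is never zero-initialized, which is safe only as long as `ipv6_addr2addr_host` and `ipv6_cidr2mask_host` write every word of `addr` and `mask`; a `memset(&filter_ipv6, 0, sizeof(filter_ipv6));` beside the existing memset of `ip` would keep the struct fully defined if the library ever grows the type. The action block for this rule starts before the hunk.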


