[conntrack-tools] extensions: remove use of old libnetfilter API flags

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Fri Mar 6 19:43:05 CET 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=52b80d312a3297f37e09e2802a52625dab0bbbfa
commit 52b80d312a3297f37e09e2802a52625dab0bbbfa
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Fri Mar 6 19:38:53 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Fri Mar 6 19:38:53 2009 +0100

    extensions: remove use of old libnetfilter API flags
    
    This patch removes the use of the obsolete old libnetfilter protocol
    flags. This patch also improves error reporting in TCP and UDP.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  52b80d312a3297f37e09e2802a52625dab0bbbfa (commit)
      from  d70aed8f1d46a727c1b58df0b3bdf8d9ef219ffc (commit)


- Log -----------------------------------------------------------------
commit 52b80d312a3297f37e09e2802a52625dab0bbbfa
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Fri Mar 6 19:38:53 2009 +0100

    extensions: remove use of old libnetfilter API flags
    
    This patch removes the use of the obsolete old libnetfilter protocol
    flags. This patch also improves error reporting in TCP and UDP.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 extensions/libct_proto_icmp.c   |   13 ++++++---
 extensions/libct_proto_icmpv6.c |   13 ++++++---
 extensions/libct_proto_tcp.c    |   57 +++++++++++++++++++++++++++++---------
 extensions/libct_proto_udp.c    |   55 ++++++++++++++++++++++++++++---------
 4 files changed, 102 insertions(+), 36 deletions(-)
This patch removes the use of the obsolete old libnetfilter protocol
flags. This patch also improves error reporting in TCP and UDP.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/extensions/libct_proto_icmp.c b/extensions/libct_proto_icmp.c
index a2c9a85..51366f1 100644
--- a/extensions/libct_proto_icmp.c
+++ b/extensions/libct_proto_icmp.c
@@ -17,7 +17,12 @@
 #include <netinet/in.h> /* For htons */
 #include <netinet/ip_icmp.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_icmp.h>
+
+enum {
+	CT_ICMP_TYPE	= (1 << 0),
+	CT_ICMP_CODE	= (1 << 1),
+	CT_ICMP_ID	= (1 << 2),
+};
 
 static struct option opts[] = {
 	{"icmp-type", 1, 0, '1'},
@@ -73,19 +78,19 @@ static int parse(char c,
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
-			*flags |= ICMP_TYPE;
+			*flags |= CT_ICMP_TYPE;
 			break;
 		case '2':
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_CODE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
-			*flags |= ICMP_CODE;
+			*flags |= CT_ICMP_CODE;
 			break;
 		case '3':
 			id = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ICMP_ID, id);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMP);
-			*flags |= ICMP_ID;
+			*flags |= CT_ICMP_ID;
 			break;
 	}
 	return 1;
diff --git a/extensions/libct_proto_icmpv6.c b/extensions/libct_proto_icmpv6.c
index 388087d..cfc5979 100644
--- a/extensions/libct_proto_icmpv6.c
+++ b/extensions/libct_proto_icmpv6.c
@@ -20,7 +20,12 @@
 #include <netinet/in.h> /* For htons */
 #include <netinet/icmp6.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_icmp.h>
+
+enum {
+	CT_ICMP_TYPE	= (1 << 0),
+	CT_ICMP_CODE	= (1 << 1),
+	CT_ICMP_ID	= (1 << 2),
+};
 
 static struct option opts[] = {
 	{ "icmpv6-type", 1, 0, '1' },
@@ -76,19 +81,19 @@ static int parse(char c,
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_TYPE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
-			*flags |= ICMP_TYPE;
+			*flags |= CT_ICMP_TYPE;
 			break;
 		case '2':
 			tmp = atoi(optarg);
 			nfct_set_attr_u8(ct, ATTR_ICMP_CODE, tmp);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
-			*flags |= ICMP_CODE;
+			*flags |= CT_ICMP_CODE;
 			break;
 		case '3':
 			id = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ICMP_ID, id);
 			nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_ICMPV6);
-			*flags |= ICMP_ID;
+			*flags |= CT_ICMP_ID;
 			break;
 	}
 	return 1;
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index a08f5b3..8113e6f 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -17,6 +17,18 @@
 
 #include "conntrack.h"
 
+enum {
+	CT_TCP_ORIG_SPORT =	(1 << 0),
+	CT_TCP_ORIG_DPORT =	(1 << 1),
+	CT_TCP_REPL_SPORT =	(1 << 2),
+	CT_TCP_REPL_DPORT =	(1 << 3),
+	CT_TCP_MASK_SPORT =	(1 << 4),
+	CT_TCP_MASK_DPORT =	(1 << 5),
+	CT_TCP_STATE =		(1 << 6),
+	CT_TCP_EXPTUPLE_SPORT =	(1 << 7),
+	CT_TCP_EXPTUPLE_DPORT =	(1 << 8)
+};
+
 static struct option opts[] = {
 	{"orig-port-src", 1, 0, '1'},
 	{"sport", 1, 0, '1'},
@@ -100,37 +112,37 @@ static int parse_options(char c,
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, port);
 			nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
-			*flags |= TCP_ORIG_SPORT;
+			*flags |= CT_TCP_ORIG_SPORT;
 			break;
 		case '2':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ORIG_PORT_DST, port);
 			nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
-			*flags |= TCP_ORIG_DPORT;
+			*flags |= CT_TCP_ORIG_DPORT;
 			break;
 		case '3':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_REPL_PORT_SRC, port);
 			nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_TCP);
-			*flags |= TCP_REPL_SPORT;
+			*flags |= CT_TCP_REPL_SPORT;
 			break;
 		case '4':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_REPL_PORT_DST, port);
 			nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_TCP);
-			*flags |= TCP_REPL_DPORT;
+			*flags |= CT_TCP_REPL_DPORT;
 			break;
 		case '5':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, port);
 			nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
-			*flags |= TCP_MASK_SPORT;
+			*flags |= CT_TCP_MASK_SPORT;
 			break;
 		case '6':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, port);
 			nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
-			*flags |= TCP_MASK_DPORT;
+			*flags |= CT_TCP_MASK_DPORT;
 			break;
 		case '7':
 			for (i=0; i<10; i++) {
@@ -144,19 +156,19 @@ static int parse_options(char c,
 			if (i == 10)
 				exit_error(PARAMETER_PROBLEM,
 					   "Unknown TCP state %s\n", optarg);
-			*flags |= TCP_STATE;
+			*flags |= CT_TCP_STATE;
 			break;
 		case '8':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_SRC, port);
 			nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
-			*flags |= TCP_EXPTUPLE_SPORT;
+			*flags |= CT_TCP_EXPTUPLE_SPORT;
 			break;
 		case '9':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_DST, port); 
 			nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
-			*flags |= TCP_EXPTUPLE_DPORT;
+			*flags |= CT_TCP_EXPTUPLE_DPORT;
 			break;
 	}
 	return 1;
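Review bot: In the two expectation-tuple cases at the end of this hunk (`case '8'` and `case '9'`), the L4 protocol attribute is set from the port rather than from the protocol number: `nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);` stores the network-order port truncated to 8 bits, so the expectation tuple's protocol is whatever byte the port happens to produce instead of TCP. The UDP counterpart in libct_proto_udp.c passes IPPROTO_UDP in the same position, and the other cases of this function pass IPPROTO_TCP. Both lines should read `nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_TCP);`. These two lines are unchanged context, but since the commit edits the flag assignment directly below each of them, this is the natural place to correct them; parse_options begins before this hunk.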
@@ -166,11 +178,28 @@ static void final_check(unsigned int flags,
 			unsigned int cmd,
 			struct nf_conntrack *ct)
 {
-	if ((1 << cmd) & (CT_CREATE|CT_GET) &&
-	    !((flags & TCP_ORIG_SPORT && flags & TCP_ORIG_DPORT) ||
-	      (flags & TCP_REPL_SPORT && flags & TCP_REPL_DPORT)))
-	      	exit_error(PARAMETER_PROBLEM, "missing ports");
-
+	if ((1 << cmd) & (CT_CREATE|CT_GET)) {
+		if (!(flags & CT_TCP_ORIG_SPORT) &&
+		     (flags & CT_TCP_ORIG_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--sport'");
+		}
+		if ((flags & CT_TCP_ORIG_SPORT) &&
+		    !(flags & CT_TCP_ORIG_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--dport'");
+		}
+		if (!(flags & CT_TCP_REPL_SPORT) &&
+		    (flags & CT_TCP_REPL_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--reply-port-src'");
+		}
+		if ((flags & CT_TCP_REPL_SPORT) &&
+		    !(flags & CT_TCP_REPL_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--reply-port-dst'");
+		}
+	}
 	generic_opt_check(flags, 
 			  TCP_NUMBER_OF_OPT,
 			  tcp_commands_v_options[cmd],
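Review bot: The rewritten check no longer rejects a CT_CREATE or CT_GET command that specifies no ports at all: when flags carries none of the four CT_TCP_*_SPORT/DPORT bits, all four new conditions are false and control falls through, whereas the removed code raised "missing ports" unless a complete original or reply pair was present. Whether generic_opt_check catches that case depends on tcp_commands_v_options, which is outside this hunk, so it may now be a silent regression. If the old requirement is still intended, keep it as a fifth check after the pairwise ones, e.g. `if (!(flags & (CT_TCP_ORIG_SPORT|CT_TCP_REPL_SPORT))) exit_error(PARAMETER_PROBLEM, "missing ports");` — once the pairwise checks have passed, a set sport bit implies its dport bit, so testing the two sport bits is equivalent to the old pair test. The libct_proto_udp.c final_check hunk has the same omission with the CT_UDP_* flags. final_check's body continues past the end of this hunk.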
diff --git a/extensions/libct_proto_udp.c b/extensions/libct_proto_udp.c
index 0f8bf5c..4f34e3b 100644
--- a/extensions/libct_proto_udp.c
+++ b/extensions/libct_proto_udp.c
@@ -12,10 +12,20 @@
 #include <stdlib.h>
 #include <netinet/in.h> /* For htons */
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
-#include <libnetfilter_conntrack/libnetfilter_conntrack_udp.h>
 
 #include "conntrack.h"
 
+enum {
+	CT_UDP_ORIG_SPORT =	(1 << 0),
+	CT_UDP_ORIG_DPORT =	(1 << 1),
+	CT_UDP_REPL_SPORT =	(1 << 2),
+	CT_UDP_REPL_DPORT =	(1 << 3),
+	CT_UDP_MASK_SPORT =	(1 << 4),
+	CT_UDP_MASK_DPORT =	(1 << 5),
+	CT_UDP_EXPTUPLE_SPORT =	(1 << 6),
+	CT_UDP_EXPTUPLE_DPORT =	(1 << 7)
+};
+
 static struct option opts[] = {
 	{"orig-port-src", 1, 0, '1'},
 	{"sport", 1, 0, '1'},
@@ -82,37 +92,37 @@ static int parse_options(char c,
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, port);
 			nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
-			*flags |= UDP_ORIG_SPORT;
+			*flags |= CT_UDP_ORIG_SPORT;
 			break;
 		case '2':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_ORIG_PORT_DST, port);
 			nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
-			*flags |= UDP_ORIG_DPORT;
+			*flags |= CT_UDP_ORIG_DPORT;
 			break;
 		case '3':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_REPL_PORT_SRC, port);
 			nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_UDP);
-			*flags |= UDP_REPL_SPORT;
+			*flags |= CT_UDP_REPL_SPORT;
 			break;
 		case '4':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(ct, ATTR_REPL_PORT_DST, port);
 			nfct_set_attr_u8(ct, ATTR_REPL_L4PROTO, IPPROTO_UDP);
-			*flags |= UDP_REPL_DPORT;
+			*flags |= CT_UDP_REPL_DPORT;
 			break;
 		case '5':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(mask, ATTR_ORIG_PORT_SRC, port);
 			nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
-			*flags |= UDP_MASK_SPORT;
+			*flags |= CT_UDP_MASK_SPORT;
 			break;
 		case '6':
 			port = htons(atoi(optarg));
 			nfct_set_attr_u16(mask, ATTR_ORIG_PORT_DST, port);
 			nfct_set_attr_u8(mask, ATTR_ORIG_L4PROTO, IPPROTO_UDP);
-			*flags |= UDP_MASK_DPORT;
+			*flags |= CT_UDP_MASK_DPORT;
 			break;
 		case '7':
 			port = htons(atoi(optarg));
@@ -120,7 +130,7 @@ static int parse_options(char c,
 			nfct_set_attr_u8(exptuple,
 					 ATTR_ORIG_L4PROTO,
 					 IPPROTO_UDP);
-			*flags |= UDP_EXPTUPLE_SPORT;
+			*flags |= CT_UDP_EXPTUPLE_SPORT;
 			break;
 		case '8':
 			port = htons(atoi(optarg));
@@ -128,7 +138,7 @@ static int parse_options(char c,
 			nfct_set_attr_u8(exptuple,
 					 ATTR_ORIG_L4PROTO,
 					 IPPROTO_UDP);
-			*flags |= UDP_EXPTUPLE_DPORT;
+			*flags |= CT_UDP_EXPTUPLE_DPORT;
 			break;
 	}
 	return 1;
@@ -138,11 +148,28 @@ static void final_check(unsigned int flags,
 		        unsigned int cmd,
 		        struct nf_conntrack *ct)
 {
-	if ((1 << cmd) & (CT_CREATE|CT_GET) &&
-	    !((flags & UDP_ORIG_SPORT && flags & UDP_ORIG_DPORT) ||
-	      (flags & UDP_REPL_SPORT && flags & UDP_REPL_DPORT)))
-		exit_error(PARAMETER_PROBLEM, "missing ports");
-
+	if ((1 << cmd) & (CT_CREATE|CT_GET)) {
+		if (!(flags & CT_UDP_ORIG_SPORT) &&
+		     (flags & CT_UDP_ORIG_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--sport'");
+		}
+		if ((flags & CT_UDP_ORIG_SPORT) &&
+		    !(flags & CT_UDP_ORIG_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--dport'");
+		}
+		if (!(flags & CT_UDP_REPL_SPORT) &&
+		    (flags & CT_UDP_REPL_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--reply-port-src'");
+		}
+		if ((flags & CT_UDP_REPL_SPORT) &&
+		    !(flags & CT_UDP_REPL_DPORT)) {
+			exit_error(PARAMETER_PROBLEM,
+				   "missing `--reply-port-dst'");
+		}
+	}
 	generic_opt_check(flags, 
 			  UDP_NUMBER_OF_OPT,
 			  udp_commands_v_options[cmd],


