From 416459570ff8e714c9e072e42984db7f6ba8b977 Mon Sep 17 00:00:00 2001
From: Rich Fought
Date: Wed, 10 Oct 2012 13:08:23 -0700
Subject: [PATCH] Bugfixes

---
 lib/netfilter/exp.c | 36 +++++-----
 src/.gitignore      |   1 +
 src/Makefile.am     |   3 +-
 src/lib/exp.c       |   1 -
 src/nf-exp-create.c | 167 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 189 insertions(+), 19 deletions(-)
 create mode 100644 src/nf-exp-create.c

diff --git a/lib/netfilter/exp.c b/lib/netfilter/exp.c
index dbdc278..26eaf0c 100644
--- a/lib/netfilter/exp.c
+++ b/lib/netfilter/exp.c
@@ -37,11 +37,13 @@ static struct nla_policy exp_policy[CTA_EXPECT_MAX+1] = {
 	[CTA_EXPECT_TIMEOUT]	= { .type = NLA_U32 },
 	[CTA_EXPECT_ID]		= { .type = NLA_U32 },
 	[CTA_EXPECT_HELP_NAME]	= { .type = NLA_STRING },
-	//[CTA_EXPECT_ZONE] = { .type = NLA_U16 }, // In latest kernel header
-	//[CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, // In latest kernel header
-	//[CTA_EXPECT_CLASS] = { .type = NLA_U32 }, // In libnetfilter_conntrack include/linux/linux_nfnetlink_conntrack.h
-	//[CTA_EXPECT_NAT] = { .type = NLA_NESTED }, // In libnetfilter_conntrack include/linux/linux_nfnetlink_conntrack.h
-	//[CTA_EXPECT_FN] = { .type = NLA_STRING }, // In libnetfilter_conntrack include/linux/linux_nfnetlink_conntrack.h
+#if 0
+	[CTA_EXPECT_ZONE] = { .type = NLA_U16 }, // In latest kernel header
+	[CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, // In latest kernel header
+	[CTA_EXPECT_CLASS] = { .type = NLA_U32 }, // In libnetfilter_conntrack include/linux/linux_nfnetlink_conntrack.h
+	[CTA_EXPECT_NAT] = { .type = NLA_NESTED }, // In libnetfilter_conntrack include/linux/linux_nfnetlink_conntrack.h
+	[CTA_EXPECT_FN] = { .type = NLA_STRING }, // In libnetfilter_conntrack include/linux/linux_nfnetlink_conntrack.h
+#endif
 };
 
 static struct nla_policy exp_tuple_policy[CTA_TUPLE_MAX+1] = {
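Review bot: The `#if 0` block is still dead code, so the five attributes it lists have no entry in `exp_policy` and, as far as I can tell from libnl's `nla_parse`, an attribute of one of those types arriving from a newer kernel is either skipped (type above `CTA_EXPECT_MAX`) or accepted with no type or length validation (NLA_UNSPEC) before the payload handlers see it. If the plan is to enable them once the headers catch up, gate the entries on the header macro instead of `#if 0`, e.g. `#ifdef CTA_EXPECT_FN` … `#endif`, so they switch on automatically and the policy never silently lags the uapi. A short comment such as `/* Pending uapi header support: CTA_EXPECT_ZONE..CTA_EXPECT_FN are not yet validated */` would make the gap visible to the next reader.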
@@ -276,18 +278,18 @@ static int exp_get_tuple_attr(int tuple)
 	int attr = 0;
 
 	switch (tuple) {
-		case NFNL_EXP_TUPLE_MASTER:
-			attr = CTA_EXPECT_MASTER;
+		case CTA_EXPECT_MASTER:
+			attr = NFNL_EXP_TUPLE_MASTER;
 			break;
-		case NFNL_EXP_TUPLE_MASK:
-			attr = CTA_EXPECT_MASK;
+		case CTA_EXPECT_MASK:
+			attr = NFNL_EXP_TUPLE_MASK;
 			break;
-		//case NFNL_EXP_TUPLE_NAT:
-		//	attr = EXP_ATTR_NAT_L4PROTO_NUM;
+		//case CTA_EXPECT_NAT:
+		//	attr = NFNL_EXP_TUPLE_NAT;
 		//	break;
-		case NFNL_EXP_TUPLE_EXPECT:
+		case CTA_EXPECT_TUPLE:
 		default :
-			attr = CTA_EXPECT_TUPLE;
+			attr = NFNL_EXP_TUPLE_EXPECT;
 			break;
 	}
 
@@ -295,17 +297,17 @@ static int exp_get_tuple_attr(int tuple)
 }
 
 static int nfnl_exp_build_tuple(struct nl_msg *msg, const struct nfnl_exp *exp,
-				int type)
+				int cta)
 {
 	struct nlattr *tuple, *ip, *proto;
 	struct nl_addr *addr;
 	int family;
 
-	int tupattr = exp_get_tuple_attr(type);
-	family = nfnl_exp_get_family(exp);
-	tuple = nla_nest_start(msg, tupattr);
+	int type = exp_get_tuple_attr(cta);
+
+	tuple = nla_nest_start(msg, cta);
 	if (!tuple)
 		goto nla_put_failure;
 
diff --git a/src/.gitignore b/src/.gitignore
index b02885a..2c6d839 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -1,6 +1,7 @@
 genl-ctrl-list
 nf-ct-list
 nf-exp-list
+nf-exp-create
 nf-log
 nf-monitor
 nl-addr-add
diff --git a/src/Makefile.am b/src/Makefile.am
index cf5cd48..317f2d9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -21,7 +21,8 @@ sbin_PROGRAMS = \
 	nl-link-list
 
 noinst_PROGRAMS = \
-	nf-ct-list nf-log nf-queue nf-monitor nf-exp-list \
+	nf-ct-list nf-log nf-queue nf-monitor \
+	nf-exp-list nf-exp-create \
 	nl-addr-add nl-addr-delete nl-addr-list \
 	nl-link-set nl-link-stats \
 	nl-link-ifindex2name nl-link-name2ifindex \
diff --git a/src/lib/exp.c b/src/lib/exp.c
index 82820f9..7cebacc 100644
--- a/src/lib/exp.c
+++ b/src/lib/exp.c
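Review bot: The parameter is still called `tuple` and the result `attr`, although after this change the function takes a `CTA_EXPECT_*` attribute and returns an `NFNL_EXP_TUPLE_*` index, so the names now read in the opposite direction to what the code does; the signature line sits in the `@@` context outside the hunk, so the rename would be `static int exp_get_tuple_attr(int cta)` with `int type = 0;` for the local. The `default :` label still maps any value it does not recognise onto `NFNL_EXP_TUPLE_EXPECT`, so a caller passing a wrong constant silently builds the expectation tuple instead of failing; returning a negative value for unknown input and checking it in the caller would make that a detectable error. The `//case CTA_EXPECT_NAT:` lines should get the same `#if 0` treatment the first hunk applies to the policy table, or be dropped.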
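Review bot: `family = nfnl_exp_get_family(exp);` is removed but `int family;` stays declared, so if the rest of nfnl_exp_build_tuple (which continues beyond this hunk) still reads `family`, for example to choose between the IPv4 and IPv6 address attributes, it now reads an uninitialized automatic variable, which is undefined behaviour and is not caught by the compile. Either restore `family = nfnl_exp_get_family(exp);` after the `int type = exp_get_tuple_attr(cta);` line or delete the declaration if nothing uses it. `type` is likewise computed but not consumed inside the hunk; please confirm the remainder of the function uses it, otherwise it is another unused local.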
@@ -61,7 +61,6 @@ void nl_cli_exp_parse_id(struct nfnl_exp *exp, char *arg)
 
 void nl_cli_exp_parse_helper_name(struct nfnl_exp *exp, char *arg)
 {
-	int err;
 	nfnl_exp_set_helper_name(exp, arg);
 }
 
diff --git a/src/nf-exp-create.c b/src/nf-exp-create.c
new file mode 100644
index 0000000..d003a4a
--- /dev/null
+++ b/src/nf-exp-create.c
@@ -0,0 +1,167 @@
+/*
+ * src/nf-exp-create.c     Create an expectation
+ *
+ *	This library is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU Lesser General Public
+ *	License as published by the Free Software Foundation version 2.1
+ *	of the License.
+ *
+ * Copyright (c) 2012 Rich Fought
+ */
+
+#include
+#include
+
+static int quiet = 0;
+
+static void print_usage(void)
+{
+	printf(
+	"Usage: nf-exp-list [OPTION]... [CONNTRACK ENTRY]\n"
+	"\n"
+	"Options\n"
+	"     --replace                Replace the address if it exists.\n"
+	" -q, --quiet                  Do not print informal notifications.\n"
+	" -h, --help                   Show this help\n"
+	" -v, --version                Show versioning information\n"
+	"\n"
+	"Expectation Selection\n"
+	" -i, --id=NUM                 Identifier\n"
+	"     --expect-proto=PROTOCOL  Expectation protocol\n"
+	"     --expect-src=ADDR        Expectation source address\n"
+	"     --expect-sport=PORT      Expectation source port\n"
+	"     --expect-dst=ADDR        Expectation destination address\n"
+	"     --expect-dport=PORT      Expectation destination port\n"
+	"     --master-proto=PROTOCOL  Master conntrack protocol\n"
+	"     --master-src=ADDR        Master conntrack source address\n"
+	"     --master-sport=PORT      Master conntrack source port\n"
+	"     --master-dst=ADDR        Master conntrack destination address\n"
+	"     --master-dport=PORT      Master conntrack destination port\n"
+	"     --mask-proto=PROTOCOL    Mask protocol\n"
+	"     --mask-src=ADDR          Mask source address\n"
+	"     --mask-sport=PORT        Mask source port\n"
+	"     --mask-dst=ADDR          Mask destination address\n"
+	"     --mask-dport=PORT        Mask destination port\n"
+	" -F, --family=FAMILY          Address family\n"
+	"     --timeout=NUM            Timeout value\n"
+	"     --helper=STRING          Helper Name\n"
+	//"     --flags                  Flags\n"
+	);
+	exit(0);
+}
+
+int main(int argc, char *argv[])
+{
+	struct nl_sock *sock;
+	struct nfnl_exp *exp;
+	struct nl_dump_params params = {
+		.dp_type = NL_DUMP_LINE,
+		.dp_fd = stdout,
+	};
+	int err, nlflags = NLM_F_CREATE;
+
+	exp = nl_cli_exp_alloc();
+
+	for (;;) {
+		int c, optidx = 0;
+		enum {
+			ARG_MARK = 270,
+			ARG_TCP_STATE = 271,
+			ARG_EXPECT_PROTO,
+			ARG_EXPECT_SRC,
+			ARG_EXPECT_SPORT,
+			ARG_EXPECT_DST,
+			ARG_EXPECT_DPORT,
+			ARG_MASTER_PROTO,
+			ARG_MASTER_SRC,
+			ARG_MASTER_SPORT,
+			ARG_MASTER_DST,
+			ARG_MASTER_DPORT,
+			ARG_MASK_PROTO,
+			ARG_MASK_SRC,
+			ARG_MASK_SPORT,
+			ARG_MASK_DST,
+			ARG_MASK_DPORT,
+			ARG_TIMEOUT,
+			ARG_HELPER_NAME,
+			ARG_REPLACE,
+			//ARG_FLAGS,
+		};
+		static struct option long_opts[] = {
+			{ "replace", 1, 0, ARG_REPLACE },
+			{ "quiet", 0, 0, 'q' },
+			{ "help", 0, 0, 'h' },
+			{ "version", 0, 0, 'v' },
+			{ "id", 1, 0, 'i' },
+			{ "expect-proto", 1, 0, ARG_EXPECT_PROTO },
+			{ "expect-src", 1, 0, ARG_EXPECT_SRC },
+			{ "expect-sport", 1, 0, ARG_EXPECT_SPORT },
+			{ "expect-dst", 1, 0, ARG_EXPECT_DST },
+			{ "expect-dport", 1, 0, ARG_EXPECT_DPORT },
+			{ "master-proto", 1, 0, ARG_MASTER_PROTO },
+			{ "master-src", 1, 0, ARG_MASTER_SRC },
+			{ "master-sport", 1, 0, ARG_MASTER_SPORT },
+			{ "master-dst", 1, 0, ARG_MASTER_DST },
+			{ "master-dport", 1, 0, ARG_MASTER_DPORT },
+			{ "mask-proto", 1, 0, ARG_MASK_PROTO },
+			{ "mask-src", 1, 0, ARG_MASK_SRC },
+			{ "mask-sport", 1, 0, ARG_MASK_SPORT },
+			{ "mask-dst", 1, 0, ARG_MASK_DST },
+			{ "mask-dport", 1, 0, ARG_MASK_DPORT },
+			{ "family", 1, 0, 'F' },
+			{ "timeout", 1, 0, ARG_TIMEOUT },
+			{ "helper", 1, 0, ARG_HELPER_NAME },
+			//{ "flags", 1, 0, ARG_FLAGS},
+			{ 0, 0, 0, 0 }
+		};
+
+		c = getopt_long(argc, argv, "46f:hvi:p:F:", long_opts, &optidx);
+		if (c == -1)
+			break;
+
+		switch (c) {
+		case '?': exit(NLE_INVAL);
+		case ARG_REPLACE: nlflags |= NLM_F_REPLACE; break;
+		case 'q': quiet = 1; break;
+		case '4': nfnl_exp_set_family(exp, AF_INET); break;
+		case '6': nfnl_exp_set_family(exp, AF_INET6); break;
+		case 'h': print_usage(); break;
+		case 'v': nl_cli_print_version(); break;
+		case 'i': nl_cli_exp_parse_id(exp, optarg); break;
+		case ARG_EXPECT_PROTO: nl_cli_exp_parse_l4protonum(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+		case ARG_EXPECT_SRC: nl_cli_exp_parse_src(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+		case ARG_EXPECT_SPORT: nl_cli_exp_parse_src_port(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+		case ARG_EXPECT_DST: nl_cli_exp_parse_dst(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+		case ARG_EXPECT_DPORT: nl_cli_exp_parse_dst_port(exp, NFNL_EXP_TUPLE_EXPECT, optarg); break;
+		case ARG_MASTER_PROTO: nl_cli_exp_parse_l4protonum(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+		case ARG_MASTER_SRC: nl_cli_exp_parse_src(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+		case ARG_MASTER_SPORT: nl_cli_exp_parse_src_port(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+		case ARG_MASTER_DST: nl_cli_exp_parse_dst(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+		case ARG_MASTER_DPORT: nl_cli_exp_parse_dst_port(exp, NFNL_EXP_TUPLE_MASTER, optarg); break;
+		case ARG_MASK_PROTO: nl_cli_exp_parse_l4protonum(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+		case ARG_MASK_SRC: nl_cli_exp_parse_src(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+		case ARG_MASK_SPORT: nl_cli_exp_parse_src_port(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+		case ARG_MASK_DST: nl_cli_exp_parse_dst(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+		case ARG_MASK_DPORT: nl_cli_exp_parse_dst_port(exp, NFNL_EXP_TUPLE_MASK, optarg); break;
+		case 'F': nl_cli_exp_parse_family(exp, optarg); break;
+		case ARG_TIMEOUT: nl_cli_exp_parse_timeout(exp, optarg); break;
+		case ARG_HELPER_NAME: nl_cli_exp_parse_helper_name(exp, optarg); break;
+		//case ARG_FLAGS: nl_cli_exp_parse_flags(exp, optarg); break;
+		}
+	}
+
+	sock = nl_cli_alloc_socket();
+	nl_cli_connect(sock, NETLINK_NETFILTER);
+
+	if ((err = nfnl_exp_add(sock, exp, nlflags)) < 0)
+		nl_cli_fatal(err, "Unable to add expectation: %s",
+			     nl_geterror(err));
+
+	if (!quiet) {
+		printf("Added ");
+		nl_object_dump(OBJ_CAST(exp), ¶ms);
+	}
+
+
+	return 0;
+}
-- 
2.40.0
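Review bot: `-q` is advertised in the usage text and handled by `case 'q'`, but the optstring `"46f:hvi:p:F:"` handed to getopt_long contains no `q`, so `nf-exp-create -q` lands in `case '?'` and exits with NLE_INVAL; conversely `f:` and `p:` are accepted by getopt but have no `case`, and the `switch` has no `default:`, so they are silently ignored. Suggested: `c = getopt_long(argc, argv, "46qhvi:F:", long_opts, &optidx);` plus a `default: break;` or an explicit error for unhandled options. `{ "replace", 1, 0, ARG_REPLACE }` declares a required argument although `--replace` is documented and handled as a bare flag, so `--replace` without a value is rejected; use `{ "replace", 0, 0, ARG_REPLACE },`. The usage header still names `nf-exp-list` and the `--replace` help line ("Replace the address if it exists.") was carried over from the address tools; `"Usage: nf-exp-create [OPTION]... [EXPECTATION]\n"` and `"Replace the expectation if it exists.\n"` would match what the program does.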