Marc Boucher | 5054e85 | 2002-01-19 10:59:12 +0000 | [diff] [blame] | 1 | /* Shared library add-on to iptables for conntrack matching support. |
| 2 | * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). |
| 3 | */ |
| 4 | |
#include <ctype.h>
#include <getopt.h>
#include <limits.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iptables.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include <linux/netfilter/xt_conntrack.h>
#include <linux/netfilter/nf_conntrack_common.h>
Harald Welte | 4dc734c | 2003-10-07 18:55:13 +0000 | [diff] [blame] | 16 | |
/* Print the usage text for the conntrack match options to stdout. */
static void conntrack_mt_help(void)
{
	static const char usage[] =
		"conntrack match options:\n"
		"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
		" State(s) to match\n"
		"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
		"[!] --ctorigsrc address[/mask]\n"
		"[!] --ctorigdst address[/mask]\n"
		"[!] --ctreplsrc address[/mask]\n"
		"[!] --ctrepldst address[/mask]\n"
		" Original/Reply source/destination address\n"
		"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
		" Status(es) to match\n"
		"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
		" value or range of values (inclusive)\n"
		"\n";

	/* The text carries no conversion specifiers, so fputs() emits exactly
	   the bytes printf() would. */
	fputs(usage, stdout);
}
| 36 | |
/*
 * Long options of this match.  Every option takes an argument, and .val is
 * the single-character case label that conntrack_parse() switches on.
 * The list is terminated by an all-zero entry as getopt_long() requires.
 */
static const struct option conntrack_mt_opts[] = {
	{.name = "ctstate",   .has_arg = required_argument, .val = '1'},
	{.name = "ctproto",   .has_arg = required_argument, .val = '2'},
	{.name = "ctorigsrc", .has_arg = required_argument, .val = '3'},
	{.name = "ctorigdst", .has_arg = required_argument, .val = '4'},
	{.name = "ctreplsrc", .has_arg = required_argument, .val = '5'},
	{.name = "ctrepldst", .has_arg = required_argument, .val = '6'},
	{.name = "ctstatus",  .has_arg = required_argument, .val = '7'},
	{.name = "ctexpire",  .has_arg = required_argument, .val = '8'},
	{.name = NULL},
};
| 48 | |
/*
 * Translate one --ctstate keyword into its XT_CONNTRACK_STATE_* bit and OR it
 * into sinfo->statemask.
 *
 * @state: start of the keyword (may be a slice of a longer, comma-separated
 *         string, so it is not necessarily NUL-terminated at @len)
 * @len:   number of bytes of @state to compare
 *
 * The comparison is case-insensitive and only looks at the first @len bytes
 * of each keyword, so a leading prefix ("est", "inv") is accepted too; the
 * first table entry that matches wins.  Returns 1 on success, 0 if the text
 * is not a known state.
 */
static int
parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
{
	static const struct {
		const char *name;
		unsigned int bit;
	} states[] = {
		{"INVALID",     XT_CONNTRACK_STATE_INVALID},
		{"NEW",         XT_CONNTRACK_STATE_BIT(IP_CT_NEW)},
		{"ESTABLISHED", XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)},
		{"RELATED",     XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)},
		{"UNTRACKED",   XT_CONNTRACK_STATE_UNTRACKED},
		{"SNAT",        XT_CONNTRACK_STATE_SNAT},
		{"DNAT",        XT_CONNTRACK_STATE_DNAT},
	};
	size_t i;

	for (i = 0; i < sizeof(states) / sizeof(states[0]); ++i) {
		if (strncasecmp(state, states[i].name, len) == 0) {
			sinfo->statemask |= states[i].bit;
			return 1;
		}
	}
	return 0;
}
| 70 | |
/*
 * Parse a comma-separated --ctstate list ("NEW,ESTABLISHED") into
 * sinfo->statemask.  An empty element or an unknown keyword aborts with
 * exit_error(); the message shows the remainder of the list starting at
 * the offending element.
 */
static void
parse_states(const char *arg, struct xt_conntrack_info *sinfo)
{
	const char *tok = arg;

	for (;;) {
		const char *end = strchr(tok, ',');

		if (end == NULL)
			end = tok + strlen(tok);	/* last element */
		if (end == tok || !parse_state(tok, end - tok, sinfo))
			exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", tok);
		if (*end == '\0')
			break;
		tok = end + 1;
	}
}
| 85 | |
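/*
 * Translate one --ctstatus keyword into its IPS_* bit and OR it into
 * sinfo->statusmask.
 *
 * @status: start of the keyword (may be a slice of a comma-separated list)
 * @len:    number of bytes of @status to compare
 *
 * Matching is case-insensitive on the first @len bytes of each keyword, so a
 * prefix is accepted; first table entry wins.  "NONE" contributes no bits.
 * Returns 1 on success, 0 for an unknown keyword.
 *
 * Fix: the CONFIRMED branch wrote to "sinfo->stausmask" (typo), which would
 * not compile in any build where IPS_CONFIRMED is defined.
 * NOTE(review): if IPS_CONFIRMED is an enumerator rather than a macro in the
 * installed nf_conntrack_common.h, the #ifdef below is always false and
 * CONFIRMED -- which the help text advertises -- is rejected; confirm.
 */
static int
parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
{
	static const struct {
		const char *name;
		unsigned int bit;
	} statuses[] = {
		{"NONE",       0},
		{"EXPECTED",   IPS_EXPECTED},
		{"SEEN_REPLY", IPS_SEEN_REPLY},
		{"ASSURED",    IPS_ASSURED},
#ifdef IPS_CONFIRMED
		{"CONFIRMED",  IPS_CONFIRMED},
#endif
	};
	size_t i;

	for (i = 0; i < sizeof(statuses) / sizeof(statuses[0]); ++i) {
		if (strncasecmp(status, statuses[i].name, len) == 0) {
			sinfo->statusmask |= statuses[i].bit;
			return 1;
		}
	}
	return 0;
}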
| 105 | |
/*
 * Parse a comma-separated --ctstatus list into sinfo->statusmask.  An empty
 * element or an unknown keyword aborts with exit_error(); the message shows
 * the rest of the list from the offending element on.
 */
static void
parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
{
	const char *tok = arg;

	for (;;) {
		const char *end = strchr(tok, ',');

		if (end == NULL)
			end = tok + strlen(tok);	/* last element */
		if (end == tok || !parse_status(tok, end - tok, sinfo))
			exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", tok);
		if (*end == '\0')
			break;
		tok = end + 1;
	}
}
| 120 | |
/*
 * Convert one --ctexpire number to an unsigned long, aborting with
 * exit_error() if string_to_number() rejects it.  The bounds passed are
 * 0 and 0 -- presumably "no upper limit" in the iptables helper; confirm
 * against its definition if the accepted range matters.
 */
static unsigned long
parse_expire(const char *s)
{
	unsigned int value;

	if (string_to_number(s, 0, 0, &value) == -1)
		exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
	return value;
}
| 131 | |
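/*
 * Parse a --ctexpire argument of the form "time" or "min:max" into
 * sinfo->expires_min / sinfo->expires_max.
 *
 * A single value sets both bounds to that value.  In the range form an
 * omitted minimum defaults to 0 and an omitted maximum to ULONG_MAX (the
 * original assigned -1 to the unsigned long, which is the same value), so
 * "5:" means "5 or more".  Aborts with exit_error() on an unparsable
 * number or when min exceeds max.
 *
 * Fix: the strdup() result was dereferenced without a NULL check.
 */
static void
parse_expires(const char *s, struct xt_conntrack_info *sinfo)
{
	char *buffer;
	char *cp;

	/* Work on a private copy: the ':' is overwritten with NUL so that each
	   half can be passed to parse_expire() as a string of its own. */
	buffer = strdup(s);
	if (buffer == NULL)
		exit_error(PARAMETER_PROBLEM,
			   "cannot allocate memory for expire value `%s'", s);

	cp = strchr(buffer, ':');
	if (cp == NULL) {
		sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
	} else {
		*cp++ = '\0';
		sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
		sinfo->expires_max = cp[0] ? parse_expire(cp) : ULONG_MAX;
	}
	free(buffer);

	if (sinfo->expires_min > sinfo->expires_max)
		exit_error(PARAMETER_PROBLEM,
			   "expire min. range value `%lu' greater than max. "
			   "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
}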
| 156 | |
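/*
 * Store one "address[/mask]" option argument into a tuple slot.
 *
 * @arg:  the option text as given on the command line
 * @mask: receives the netmask
 * @ip:   receives the address; left untouched if no address was produced
 *
 * A name that resolves to more than one address is rejected, because the
 * match can hold only one.  Does not return on error (exit_error()).
 */
static void
parse_ct_addr(const char *arg, struct in_addr *mask, u_int32_t *ip)
{
	struct in_addr *addrs = NULL;
	unsigned int naddrs = 0;

	parse_hostnetworkmask(arg, &addrs, mask, &naddrs);
	if (naddrs > 1)
		exit_error(PARAMETER_PROBLEM,
			   "multiple IP addresses not allowed");
	if (naddrs == 1)
		*ip = addrs[0].s_addr;
	/* NOTE(review): addrs is not released here, exactly as in the original
	   per-option code; if parse_hostnetworkmask() heap-allocates it, a
	   free(addrs) belongs at this point -- confirm against its definition. */
}

/* Function which parses command options; returns true if it
   ate an option.
   @c:      the .val of the option just seen (see conntrack_mt_opts)
   @argv:   full argument vector; the option's argument is argv[optind-1]
            after check_inverse() has consumed a possible leading "!"
   @invert: non-zero if iptables saw "!" before the option
   @flags:  receives the accumulated XT_CONNTRACK_* option mask
   @entry:  unused by this match
   @match:  the match being built; its data is a struct xt_conntrack_info

   Fix: the "rule would never match protocol" guard tested XT_INV_PROTO, a
   bit nothing in this file ever sets in invflags, so it could never fire;
   it now tests XT_CONNTRACK_PROTO, the bit set a few lines earlier.  The
   four address options share parse_ct_addr() instead of four copies. */
static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
                           const void *entry, struct xt_entry_match **match)
{
	struct xt_conntrack_info *sinfo = (void *)(*match)->data;
	char *protocol;

	switch (c) {
	case '1':	/* --ctstate */
		check_inverse(optarg, &invert, &optind, 0);

		parse_states(argv[optind-1], sinfo);
		if (invert)
			sinfo->invflags |= XT_CONNTRACK_STATE;
		sinfo->flags |= XT_CONNTRACK_STATE;
		break;

	case '2':	/* --ctproto */
		check_inverse(optarg, &invert, &optind, 0);

		if (invert)
			sinfo->invflags |= XT_CONNTRACK_PROTO;

		/* Canonicalize into lower case.  The cast keeps tolower() out
		   of undefined territory for bytes > 127 when char is signed. */
		for (protocol = argv[optind-1]; *protocol; protocol++)
			*protocol = tolower((unsigned char)*protocol);

		protocol = argv[optind-1];
		sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);

		/* An inverted match on protocol number 0 is refused. */
		if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
		    && (sinfo->invflags & XT_CONNTRACK_PROTO))
			exit_error(PARAMETER_PROBLEM,
				   "rule would never match protocol");

		sinfo->flags |= XT_CONNTRACK_PROTO;
		break;

	case '3':	/* --ctorigsrc */
		check_inverse(optarg, &invert, &optind, 0);

		if (invert)
			sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
		parse_ct_addr(argv[optind-1],
			      &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
			      &sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip);
		sinfo->flags |= XT_CONNTRACK_ORIGSRC;
		break;

	case '4':	/* --ctorigdst */
		check_inverse(optarg, &invert, &optind, 0);

		if (invert)
			sinfo->invflags |= XT_CONNTRACK_ORIGDST;
		parse_ct_addr(argv[optind-1],
			      &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
			      &sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip);
		sinfo->flags |= XT_CONNTRACK_ORIGDST;
		break;

	case '5':	/* --ctreplsrc */
		check_inverse(optarg, &invert, &optind, 0);

		if (invert)
			sinfo->invflags |= XT_CONNTRACK_REPLSRC;
		parse_ct_addr(argv[optind-1],
			      &sinfo->sipmsk[IP_CT_DIR_REPLY],
			      &sinfo->tuple[IP_CT_DIR_REPLY].src.ip);
		sinfo->flags |= XT_CONNTRACK_REPLSRC;
		break;

	case '6':	/* --ctrepldst */
		check_inverse(optarg, &invert, &optind, 0);

		if (invert)
			sinfo->invflags |= XT_CONNTRACK_REPLDST;
		parse_ct_addr(argv[optind-1],
			      &sinfo->dipmsk[IP_CT_DIR_REPLY],
			      &sinfo->tuple[IP_CT_DIR_REPLY].dst.ip);
		sinfo->flags |= XT_CONNTRACK_REPLDST;
		break;

	case '7':	/* --ctstatus */
		check_inverse(optarg, &invert, &optind, 0);

		parse_statuses(argv[optind-1], sinfo);
		if (invert)
			sinfo->invflags |= XT_CONNTRACK_STATUS;
		sinfo->flags |= XT_CONNTRACK_STATUS;
		break;

	case '8':	/* --ctexpire */
		check_inverse(optarg, &invert, &optind, 0);

		parse_expires(argv[optind-1], sinfo);
		if (invert)
			sinfo->invflags |= XT_CONNTRACK_EXPIRES;
		sinfo->flags |= XT_CONNTRACK_EXPIRES;
		break;

	default:
		return 0;
	}

	*flags = sinfo->flags;
	return 1;
}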
| 307 | |
/*
 * Final check after option parsing: at least one --ct* option must have
 * been given, otherwise the match would have nothing to test.
 * @flags: the XT_CONNTRACK_* mask accumulated by conntrack_parse()
 */
static void conntrack_mt_check(unsigned int flags)
{
	if (flags != 0)
		return;
	exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
}
| 313 | |
/*
 * Print the states in @statemask as a comma-separated list followed by a
 * single space, in the fixed order INVALID, NEW, RELATED, ESTABLISHED,
 * UNTRACKED, SNAT, DNAT.  An empty mask prints just the space.
 */
static void
print_state(unsigned int statemask)
{
	static const struct {
		unsigned int bit;
		const char *name;
	} names[] = {
		{XT_CONNTRACK_STATE_INVALID,                "INVALID"},
		{XT_CONNTRACK_STATE_BIT(IP_CT_NEW),         "NEW"},
		{XT_CONNTRACK_STATE_BIT(IP_CT_RELATED),     "RELATED"},
		{XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED), "ESTABLISHED"},
		{XT_CONNTRACK_STATE_UNTRACKED,              "UNTRACKED"},
		{XT_CONNTRACK_STATE_SNAT,                   "SNAT"},
		{XT_CONNTRACK_STATE_DNAT,                   "DNAT"},
	};
	const char *sep = "";
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); ++i) {
		if (!(statemask & names[i].bit))
			continue;
		printf("%s%s", sep, names[i].name);
		sep = ",";
	}
	printf(" ");
}
| 349 | |
/*
 * Print the status bits in @statusmask as a comma-separated list followed
 * by a single space, in the order EXPECTED, SEEN_REPLY, ASSURED and (when
 * the build knows IPS_CONFIRMED) CONFIRMED.  A mask with no bits set is
 * what "--ctstatus NONE" produces and is printed back as "NONE".
 */
static void
print_status(unsigned int statusmask)
{
	static const struct {
		unsigned int bit;
		const char *name;
	} names[] = {
		{IPS_EXPECTED,   "EXPECTED"},
		{IPS_SEEN_REPLY, "SEEN_REPLY"},
		{IPS_ASSURED,    "ASSURED"},
#ifdef IPS_CONFIRMED
		{IPS_CONFIRMED,  "CONFIRMED"},
#endif
	};
	const char *sep = "";
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); ++i) {
		if (statusmask & names[i].bit) {
			printf("%s%s", sep, names[i].name);
			sep = ",";
		}
	}
	if (statusmask == 0)
		printf("%sNONE", sep);
	printf(" ");
}
| 379 | |
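/*
 * Print one tuple address as "address/mask " -- or "anywhere " when the mask
 * is zero and symbolic output was requested -- preceded by "! " if @inv.
 *
 * @addr:    address to print
 * @mask:    its netmask
 * @inv:     non-zero to prefix "! "
 * @numeric: non-zero for dotted-quad output, zero to try a symbolic name
 *
 * The address and mask text come from two separate helper calls and are
 * assembled in a local buffer first (as before) so the second call cannot
 * disturb whatever buffer the first one may have returned.
 * Fix: both copies are now bounded by sizeof(buf) instead of using
 * sprintf()/strcat(), so an unexpectedly long host name cannot overrun the
 * stack buffer.
 */
static void
print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
{
	char buf[BUFSIZ];
	size_t used;

	if (inv)
		printf("! ");

	if (mask->s_addr == 0L && !numeric) {
		printf("%s ", "anywhere");
		return;
	}

	snprintf(buf, sizeof(buf), "%s",
		 numeric ? ipaddr_to_numeric(addr) : ipaddr_to_anyname(addr));
	used = strlen(buf);
	snprintf(buf + used, sizeof(buf) - used, "%s", ipmask_to_numeric(mask));
	printf("%s ", buf);
}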
| 399 | |
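/*
 * Emit the "[! ]<optpfx><name> " header for one option if @flag is set in
 * sinfo->flags; the "! " comes first when the same bit is set in invflags.
 * Returns 1 when the option is present (the caller then prints its value),
 * 0 when nothing was printed.
 */
static int
print_opt_header(const struct xt_conntrack_info *sinfo, unsigned int flag,
		 const char *name, const char *optpfx)
{
	if (!(sinfo->flags & flag))
		return 0;
	if (sinfo->invflags & flag)
		printf("! ");
	printf("%s%s ", optpfx, name);
	return 1;
}

/* Prints the matchinfo to stdout, one "<optpfx><option> <value> " group per
   option that was given.  With optpfx "--" the output is parsable by
   conntrack_parse() again; with "" it is the human-readable listing.
   @ip:      unused
   @match:   the match whose data is a struct xt_conntrack_info
   @numeric: passed through to print_addr() for the address options
   @optpfx:  prefix put in front of every option name

   The eight near-identical "if flag / if invflag print '!' / print name"
   stanzas were folded into print_opt_header(); output is unchanged. */
static void
matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
{
	struct xt_conntrack_info *sinfo = (void *)match->data;

	if (print_opt_header(sinfo, XT_CONNTRACK_STATE, "ctstate", optpfx))
		print_state(sinfo->statemask);

	if (print_opt_header(sinfo, XT_CONNTRACK_PROTO, "ctproto", optpfx))
		printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);

	/* The "! " for address options is printed by the header above, so
	   print_addr() is always called with inv == false. */
	if (print_opt_header(sinfo, XT_CONNTRACK_ORIGSRC, "ctorigsrc", optpfx))
		print_addr((struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
			   &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], false, numeric);

	if (print_opt_header(sinfo, XT_CONNTRACK_ORIGDST, "ctorigdst", optpfx))
		print_addr((struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
			   &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], false, numeric);

	if (print_opt_header(sinfo, XT_CONNTRACK_REPLSRC, "ctreplsrc", optpfx))
		print_addr((struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
			   &sinfo->sipmsk[IP_CT_DIR_REPLY], false, numeric);

	if (print_opt_header(sinfo, XT_CONNTRACK_REPLDST, "ctrepldst", optpfx))
		print_addr((struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
			   &sinfo->dipmsk[IP_CT_DIR_REPLY], false, numeric);

	if (print_opt_header(sinfo, XT_CONNTRACK_STATUS, "ctstatus", optpfx))
		print_status(sinfo->statusmask);

	if (print_opt_header(sinfo, XT_CONNTRACK_EXPIRES, "ctexpire", optpfx)) {
		/* A single value is printed alone, a range as "min:max". */
		if (sinfo->expires_max == sinfo->expires_min)
			printf("%lu ", sinfo->expires_min);
		else
			printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
	}
}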
| 486 | |
/* The .print callback: option names are shown without a "--" prefix and
   @numeric is honoured as given. */
static void conntrack_print(const void *ip, const struct xt_entry_match *match,
                            int numeric)
{
	const char *no_prefix = "";

	matchinfo_print(ip, match, numeric, no_prefix);
}
| 493 | |
/* The .save callback: options are prefixed with "--" and addresses are
   always numeric, so the output can be fed back to the parser verbatim. */
static void conntrack_save(const void *ip, const struct xt_entry_match *match)
{
	const int always_numeric = 1;

	matchinfo_print(ip, match, always_numeric, "--");
}
| 499 | |
/* Registration record for the "conntrack" match, revision 0, IPv4 only. */
static struct xtables_match conntrack_match = {
	/* identity */
	.name          = "conntrack",
	.revision      = 0,
	.family        = AF_INET,
	.version       = IPTABLES_VERSION,
	/* both sizes cover the whole struct xt_conntrack_info */
	.size          = XT_ALIGN(sizeof(struct xt_conntrack_info)),
	.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
	/* option table and callbacks, in the order the core invokes them */
	.extra_opts    = conntrack_mt_opts,
	.help          = conntrack_mt_help,
	.parse         = conntrack_parse,
	.final_check   = conntrack_mt_check,
	.print         = conntrack_print,
	.save          = conntrack_save,
};
| 514 | |
/* Library entry point: registers the match with the xtables core.
   NOTE(review): "_init" is a reserved identifier; presumably it is the legacy
   ELF shared-object init hook the loader runs on dlopen(), so the name must
   stay until the build switches to a constructor attribute. */
void _init(void)
{
	xtables_register_match(&conntrack_match);
}