Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / d7282413763b0ba85d512c1cd49174b762ff449c / . / extensions / libxt_conntrack.c
blob: 8312d04268a923a617755ca73ed487fc17ada856 [file] [log] [blame]
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1/*
2 * libxt_conntrack
3 * Shared library add-on to iptables for conntrack matching support.
4 *
5 * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
6 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
7 * Jan Engelhardt <jengelh@computergmbh.de>
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]8 */
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]9#include <sys/socket.h>
10#include <sys/types.h>
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]11#include <ctype.h>
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]12#include <getopt.h>
13#include <netdb.h>
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]14#include <stdbool.h>
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]15#include <stddef.h>
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
Jan Engelhardt08b16162008-01-20 13:36:08 +0000[diff] [blame]19#include <xtables.h>
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]20#include <linux/netfilter.h>
21#include <linux/netfilter/xt_conntrack.h>
Patrick McHardy40d54752007-04-18 07:00:36 +0000[diff] [blame]22#include <linux/netfilter/nf_conntrack_common.h>
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]23#include <arpa/inet.h>
Harald Welte4dc734c2003-10-07 18:55:13 +0000[diff] [blame]24
Jan Engelhardt350661a2010-01-31 22:42:52 +0100[diff] [blame]25struct ip_conntrack_old_tuple {
26 struct {
27 __be32 ip;
28 union {
29 __u16 all;
30 } u;
31 } src;
32
33 struct {
34 __be32 ip;
35 union {
36 __u16 all;
37 } u;
38
39 /* The protocol. */
40 __u16 protonum;
41 } dst;
42};
43
44struct xt_conntrack_info {
45 unsigned int statemask, statusmask;
46
47 struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
48 struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
49
50 unsigned long expires_min, expires_max;
51
52 /* Flags word */
Jan Engelhardt7ac40522011-01-07 12:34:04 +0100[diff] [blame]53 uint8_t flags;
Jan Engelhardt350661a2010-01-31 22:42:52 +0100[diff] [blame]54 /* Inverse flags */
Jan Engelhardt7ac40522011-01-07 12:34:04 +0100[diff] [blame]55 uint8_t invflags;
Jan Engelhardt350661a2010-01-31 22:42:52 +0100[diff] [blame]56};
57
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]58static void conntrack_mt_help(void)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]59{
60 printf(
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]61"conntrack match options:\n"
62"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
63" State(s) to match\n"
64"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
65"[!] --ctorigsrc address[/mask]\n"
66"[!] --ctorigdst address[/mask]\n"
67"[!] --ctreplsrc address[/mask]\n"
68"[!] --ctrepldst address[/mask]\n"
69" Original/Reply source/destination address\n"
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]70"[!] --ctorigsrcport port\n"
71"[!] --ctorigdstport port\n"
72"[!] --ctreplsrcport port\n"
73"[!] --ctrepldstport port\n"
74" TCP/UDP/SCTP orig./reply source/destination port\n"
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]75"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
76" Status(es) to match\n"
77"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
78" value or range of values (inclusive)\n"
Jan Engelhardt8b7c64d2008-04-15 11:48:25 +0200[diff] [blame]79" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n");
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]80}
81
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]82static const struct option conntrack_mt_opts_v0[] = {
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]83 {.name = "ctstate", .has_arg = true, .val = '1'},
84 {.name = "ctproto", .has_arg = true, .val = '2'},
85 {.name = "ctorigsrc", .has_arg = true, .val = '3'},
86 {.name = "ctorigdst", .has_arg = true, .val = '4'},
87 {.name = "ctreplsrc", .has_arg = true, .val = '5'},
88 {.name = "ctrepldst", .has_arg = true, .val = '6'},
89 {.name = "ctstatus", .has_arg = true, .val = '7'},
90 {.name = "ctexpire", .has_arg = true, .val = '8'},
Jan Engelhardt32b8e612010-07-23 21:16:14 +0200[diff] [blame]91 XT_GETOPT_TABLEEND,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]92};
93
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]94static const struct option conntrack_mt_opts[] = {
95 {.name = "ctstate", .has_arg = true, .val = '1'},
96 {.name = "ctproto", .has_arg = true, .val = '2'},
97 {.name = "ctorigsrc", .has_arg = true, .val = '3'},
98 {.name = "ctorigdst", .has_arg = true, .val = '4'},
99 {.name = "ctreplsrc", .has_arg = true, .val = '5'},
100 {.name = "ctrepldst", .has_arg = true, .val = '6'},
101 {.name = "ctstatus", .has_arg = true, .val = '7'},
102 {.name = "ctexpire", .has_arg = true, .val = '8'},
103 {.name = "ctorigsrcport", .has_arg = true, .val = 'a'},
104 {.name = "ctorigdstport", .has_arg = true, .val = 'b'},
105 {.name = "ctreplsrcport", .has_arg = true, .val = 'c'},
106 {.name = "ctrepldstport", .has_arg = true, .val = 'd'},
107 {.name = "ctdir", .has_arg = true, .val = 'e'},
Max Kellermann9ee386a2008-01-29 13:48:05 +0000[diff] [blame]108 {.name = NULL},
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]109};
110
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]111static int
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]112parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]113{
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]114 if (strncasecmp(state, "INVALID", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]115 sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]116 else if (strncasecmp(state, "NEW", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]117 sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]118 else if (strncasecmp(state, "ESTABLISHED", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]119 sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]120 else if (strncasecmp(state, "RELATED", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]121 sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]122 else if (strncasecmp(state, "UNTRACKED", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]123 sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]124 else if (strncasecmp(state, "SNAT", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]125 sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]126 else if (strncasecmp(state, "DNAT", len) == 0)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]127 sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]128 else
129 return 0;
130 return 1;
131}
132
133static void
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]134parse_states(const char *arg, struct xt_conntrack_info *sinfo)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]135{
136 const char *comma;
137
138 while ((comma = strchr(arg, ',')) != NULL) {
139 if (comma == arg || !parse_state(arg, comma-arg, sinfo))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]140 xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]141 arg = comma+1;
142 }
Pablo Neira Ayuso0ec8c0f2008-11-19 19:01:26 +0100[diff] [blame]143 if (!*arg)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]144 xtables_error(PARAMETER_PROBLEM, "\"--ctstate\" requires a list of "
Pablo Neira Ayuso0ec8c0f2008-11-19 19:01:26 +0100[diff] [blame]145 "states with no spaces, e.g. "
146 "ESTABLISHED,RELATED");
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]147 if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]148 xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]149}
150
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]151static bool
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]152conntrack_ps_state(struct xt_conntrack_mtinfo3 *info, const char *state,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]153 size_t z)
154{
155 if (strncasecmp(state, "INVALID", z) == 0)
156 info->state_mask |= XT_CONNTRACK_STATE_INVALID;
157 else if (strncasecmp(state, "NEW", z) == 0)
158 info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
159 else if (strncasecmp(state, "ESTABLISHED", z) == 0)
160 info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
161 else if (strncasecmp(state, "RELATED", z) == 0)
162 info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
163 else if (strncasecmp(state, "UNTRACKED", z) == 0)
164 info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED;
165 else if (strncasecmp(state, "SNAT", z) == 0)
166 info->state_mask |= XT_CONNTRACK_STATE_SNAT;
167 else if (strncasecmp(state, "DNAT", z) == 0)
168 info->state_mask |= XT_CONNTRACK_STATE_DNAT;
169 else
170 return false;
171 return true;
172}
173
174static void
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]175conntrack_ps_states(struct xt_conntrack_mtinfo3 *info, const char *arg)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]176{
177 const char *comma;
178
179 while ((comma = strchr(arg, ',')) != NULL) {
180 if (comma == arg || !conntrack_ps_state(info, arg, comma - arg))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]181 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]182 "Bad ctstate \"%s\"", arg);
183 arg = comma + 1;
184 }
185
186 if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg)))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]187 xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]188}
189
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]190static int
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]191parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]192{
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]193 if (strncasecmp(status, "NONE", len) == 0)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]194 sinfo->statusmask |= 0;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]195 else if (strncasecmp(status, "EXPECTED", len) == 0)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]196 sinfo->statusmask |= IPS_EXPECTED;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]197 else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]198 sinfo->statusmask |= IPS_SEEN_REPLY;
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]199 else if (strncasecmp(status, "ASSURED", len) == 0)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]200 sinfo->statusmask |= IPS_ASSURED;
Harald Weltea643c3e2003-08-25 11:08:52 +0000[diff] [blame]201#ifdef IPS_CONFIRMED
Jan Engelhardtdbb77542008-02-11 00:33:30 +0100[diff] [blame]202 else if (strncasecmp(status, "CONFIRMED", len) == 0)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]203 sinfo->statusmask |= IPS_CONFIRMED;
Harald Weltea643c3e2003-08-25 11:08:52 +0000[diff] [blame]204#endif
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]205 else
206 return 0;
207 return 1;
208}
209
210static void
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]211parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]212{
213 const char *comma;
214
215 while ((comma = strchr(arg, ',')) != NULL) {
216 if (comma == arg || !parse_status(arg, comma-arg, sinfo))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]217 xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]218 arg = comma+1;
219 }
220
221 if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]222 xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]223}
224
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]225static bool
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]226conntrack_ps_status(struct xt_conntrack_mtinfo3 *info, const char *status,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]227 size_t z)
228{
229 if (strncasecmp(status, "NONE", z) == 0)
230 info->status_mask |= 0;
231 else if (strncasecmp(status, "EXPECTED", z) == 0)
232 info->status_mask |= IPS_EXPECTED;
233 else if (strncasecmp(status, "SEEN_REPLY", z) == 0)
234 info->status_mask |= IPS_SEEN_REPLY;
235 else if (strncasecmp(status, "ASSURED", z) == 0)
236 info->status_mask |= IPS_ASSURED;
237 else if (strncasecmp(status, "CONFIRMED", z) == 0)
238 info->status_mask |= IPS_CONFIRMED;
239 else
240 return false;
241 return true;
242}
243
244static void
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]245conntrack_ps_statuses(struct xt_conntrack_mtinfo3 *info, const char *arg)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]246{
247 const char *comma;
248
249 while ((comma = strchr(arg, ',')) != NULL) {
250 if (comma == arg || !conntrack_ps_status(info, arg, comma - arg))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]251 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]252 "Bad ctstatus \"%s\"", arg);
253 arg = comma + 1;
254 }
255
256 if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg)))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]257 xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]258}
259
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]260static unsigned long
261parse_expire(const char *s)
262{
263 unsigned int len;
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]264
Jan Engelhardt5f2922c2009-01-27 18:43:01 +0100[diff] [blame]265 if (!xtables_strtoui(s, NULL, &len, 0, UINT32_MAX))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]266 xtables_error(PARAMETER_PROBLEM, "expire value invalid: \"%s\"\n", s);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]267 else
268 return len;
269}
270
271/* If a single value is provided, min and max are both set to the value */
272static void
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]273parse_expires(const char *s, struct xt_conntrack_info *sinfo)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]274{
275 char *buffer;
276 char *cp;
277
278 buffer = strdup(s);
279 if ((cp = strchr(buffer, ':')) == NULL)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]280 sinfo->expires_min = sinfo->expires_max =
281 parse_expire(buffer);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]282 else {
283 *cp = '\0';
284 cp++;
285
286 sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
Max Kellermann9ee386a2008-01-29 13:48:05 +0000[diff] [blame]287 sinfo->expires_max = cp[0]
288 ? parse_expire(cp)
289 : (unsigned long)-1;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]290 }
291 free(buffer);
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]292
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]293 if (sinfo->expires_min > sinfo->expires_max)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]294 xtables_error(PARAMETER_PROBLEM,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]295 "expire min. range value `%lu' greater than max. "
296 "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]297}
298
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]299static void
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]300conntrack_ps_expires(struct xt_conntrack_mtinfo3 *info, const char *s)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]301{
302 unsigned int min, max;
303 char *end;
304
Jan Engelhardt5f2922c2009-01-27 18:43:01 +0100[diff] [blame]305 if (!xtables_strtoui(s, &end, &min, 0, UINT32_MAX))
Jan Engelhardta41545c2009-01-27 21:27:19 +0100[diff] [blame]306 xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]307 max = min;
308 if (*end == ':')
Patrick McHardyf294f842009-11-20 14:58:11 +0100[diff] [blame]309 if (!xtables_strtoui(end + 1, &end, &max, 0, UINT32_MAX))
Jan Engelhardta41545c2009-01-27 21:27:19 +0100[diff] [blame]310 xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]311 if (*end != '\0')
Jan Engelhardta41545c2009-01-27 21:27:19 +0100[diff] [blame]312 xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]313
314 if (min > max)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]315 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]316 "expire min. range value \"%u\" greater than max. "
317 "range value \"%u\"", min, max);
318
319 info->expires_min = min;
320 info->expires_max = max;
321}
322
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]323static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
324 const void *entry, struct xt_entry_match **match)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]325{
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]326 struct xt_conntrack_info *sinfo = (void *)(*match)->data;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]327 char *protocol = NULL;
328 unsigned int naddrs = 0;
329 struct in_addr *addrs = NULL;
330
331
332 switch (c) {
333 case '1':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]334 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]335
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]336 parse_states(optarg, sinfo);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]337 if (invert) {
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]338 sinfo->invflags |= XT_CONNTRACK_STATE;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]339 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]340 sinfo->flags |= XT_CONNTRACK_STATE;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]341 break;
342
343 case '2':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]344 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]345
346 if(invert)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]347 sinfo->invflags |= XT_CONNTRACK_PROTO;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]348
349 /* Canonicalize into lower case */
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]350 for (protocol = optarg; *protocol; protocol++)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]351 *protocol = tolower(*protocol);
352
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]353 protocol = optarg;
Jan Engelhardt1de7edf2009-01-30 05:38:11 +0100[diff] [blame]354 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum =
355 xtables_parse_protocol(protocol);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]356
357 if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]358 && (sinfo->invflags & XT_INV_PROTO))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]359 xtables_error(PARAMETER_PROBLEM,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]360 "rule would never match protocol");
361
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]362 sinfo->flags |= XT_CONNTRACK_PROTO;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]363 break;
364
365 case '3':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]366 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]367
368 if (invert)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]369 sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]370
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]371 xtables_ipparse_any(optarg, &addrs,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]372 &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
373 &naddrs);
374 if(naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]375 xtables_error(PARAMETER_PROBLEM,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]376 "multiple IP addresses not allowed");
377
378 if(naddrs == 1) {
379 sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
380 }
381
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]382 sinfo->flags |= XT_CONNTRACK_ORIGSRC;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]383 break;
384
385 case '4':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]386 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]387
388 if (invert)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]389 sinfo->invflags |= XT_CONNTRACK_ORIGDST;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]390
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]391 xtables_ipparse_any(optarg, &addrs,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]392 &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
393 &naddrs);
394 if(naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]395 xtables_error(PARAMETER_PROBLEM,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]396 "multiple IP addresses not allowed");
397
398 if(naddrs == 1) {
399 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
400 }
401
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]402 sinfo->flags |= XT_CONNTRACK_ORIGDST;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]403 break;
404
405 case '5':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]406 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]407
408 if (invert)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]409 sinfo->invflags |= XT_CONNTRACK_REPLSRC;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]410
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]411 xtables_ipparse_any(optarg, &addrs,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]412 &sinfo->sipmsk[IP_CT_DIR_REPLY],
413 &naddrs);
414 if(naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]415 xtables_error(PARAMETER_PROBLEM,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]416 "multiple IP addresses not allowed");
417
418 if(naddrs == 1) {
419 sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
420 }
421
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]422 sinfo->flags |= XT_CONNTRACK_REPLSRC;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]423 break;
424
425 case '6':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]426 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]427
428 if (invert)
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]429 sinfo->invflags |= XT_CONNTRACK_REPLDST;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]430
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]431 xtables_ipparse_any(optarg, &addrs,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]432 &sinfo->dipmsk[IP_CT_DIR_REPLY],
433 &naddrs);
434 if(naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]435 xtables_error(PARAMETER_PROBLEM,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]436 "multiple IP addresses not allowed");
437
438 if(naddrs == 1) {
439 sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
440 }
441
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]442 sinfo->flags |= XT_CONNTRACK_REPLDST;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]443 break;
444
445 case '7':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]446 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]447
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]448 parse_statuses(optarg, sinfo);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]449 if (invert) {
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]450 sinfo->invflags |= XT_CONNTRACK_STATUS;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]451 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]452 sinfo->flags |= XT_CONNTRACK_STATUS;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]453 break;
454
455 case '8':
Jan Engelhardtbf971282009-11-03 19:55:11 +0100[diff] [blame]456 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]457
Jan Engelhardtbbe83862009-10-24 00:45:33 +0200[diff] [blame]458 parse_expires(optarg, sinfo);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]459 if (invert) {
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]460 sinfo->invflags |= XT_CONNTRACK_EXPIRES;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]461 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]462 sinfo->flags |= XT_CONNTRACK_EXPIRES;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]463 break;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]464 }
465
466 *flags = sinfo->flags;
467 return 1;
468}
469
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]470static void
471ct_parse_ports(const char *param, const char *str,
472 u_int16_t *port_low, u_int16_t *port_high)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]473{
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]474 unsigned int port;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]475 char *buf, *cp;
476
477 buf = strdup(str);
478 cp = strchr(buf, ':');
479 if (cp != NULL)
480 *cp = '\0';
481
482 if (!xtables_strtoui(buf, NULL, &port, 0, UINT16_MAX))
483 xtables_param_act(XTF_BAD_VALUE, "conntrack", param, buf);
484
485 if (port_high == NULL) {
486 /* revision 0-2 do not support ranges */
487 if (cp != NULL)
488 xtables_error(PARAMETER_PROBLEM, "conntrack: "
489 "port ranges not supported");
490
491 *port_low = htons(port);
492 } else {
493 *port_low = port;
494
495 if (cp != NULL) {
496 if (!xtables_strtoui(cp + 1, NULL, &port, 0, UINT16_MAX))
497 xtables_param_act(XTF_BAD_VALUE, "conntrack", param, buf);
498
499 *port_high = port;
500 if (*port_low > *port_high)
501 xtables_error(PARAMETER_PROBLEM,
502 "invalid portrange (min > max)");
503 } else
504 *port_high = port;
505 }
506
507 free(buf);
508}
509
510
511static int
512conntrack_mt_parse(int c, bool invert, unsigned int *flags,
513 struct xt_conntrack_mtinfo3 *info, bool v3)
514{
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]515 char *p;
516
517 switch (c) {
518 case '1': /* --ctstate */
519 conntrack_ps_states(info, optarg);
520 info->match_flags |= XT_CONNTRACK_STATE;
521 if (invert)
522 info->invert_flags |= XT_CONNTRACK_STATE;
523 break;
524
525 case '2': /* --ctproto */
526 /* Canonicalize into lower case */
527 for (p = optarg; *p != '\0'; ++p)
528 *p = tolower(*p);
Jan Engelhardt1de7edf2009-01-30 05:38:11 +0100[diff] [blame]529 info->l4proto = xtables_parse_protocol(optarg);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]530
531 if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]532 xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]533 "never match protocol");
534
535 info->match_flags |= XT_CONNTRACK_PROTO;
536 if (invert)
537 info->invert_flags |= XT_CONNTRACK_PROTO;
538 break;
539
540 case '7': /* --ctstatus */
541 conntrack_ps_statuses(info, optarg);
542 info->match_flags |= XT_CONNTRACK_STATUS;
543 if (invert)
544 info->invert_flags |= XT_CONNTRACK_STATUS;
545 break;
546
547 case '8': /* --ctexpire */
548 conntrack_ps_expires(info, optarg);
549 info->match_flags |= XT_CONNTRACK_EXPIRES;
550 if (invert)
551 info->invert_flags |= XT_CONNTRACK_EXPIRES;
552 break;
553
554 case 'a': /* --ctorigsrcport */
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]555 ct_parse_ports("--ctorigsrcport", optarg,
556 &info->origsrc_port,
557 v3 ? &info->origsrc_port_high : NULL);
558
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]559 info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]560 if (invert)
561 info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
562 break;
563
564 case 'b': /* --ctorigdstport */
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]565 ct_parse_ports("--ctorigdstport", optarg,
566 &info->origdst_port,
567 v3 ? &info->origdst_port_high : NULL);
568
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]569 info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]570 if (invert)
571 info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
572 break;
573
574 case 'c': /* --ctreplsrcport */
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]575 ct_parse_ports("--ctreplsrcport", optarg,
576 &info->replsrc_port,
577 v3 ? &info->replsrc_port_high : NULL);
578
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]579 info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]580 if (invert)
581 info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
582 break;
583
584 case 'd': /* --ctrepldstport */
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]585 ct_parse_ports("--ctrepldstport", optarg,
586 &info->repldst_port,
587 v3 ? &info->repldst_port_high : NULL);
588
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]589 info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]590 if (invert)
591 info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
592 break;
593
594 case 'e': /* --ctdir */
Jan Engelhardta41545c2009-01-27 21:27:19 +0100[diff] [blame]595 xtables_param_act(XTF_NO_INVERT, "conntrack", "--ctdir", invert);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]596 if (strcasecmp(optarg, "ORIGINAL") == 0) {
597 info->match_flags |= XT_CONNTRACK_DIRECTION;
598 info->invert_flags &= ~XT_CONNTRACK_DIRECTION;
599 } else if (strcasecmp(optarg, "REPLY") == 0) {
600 info->match_flags |= XT_CONNTRACK_DIRECTION;
601 info->invert_flags |= XT_CONNTRACK_DIRECTION;
602 } else {
Jan Engelhardta41545c2009-01-27 21:27:19 +0100[diff] [blame]603 xtables_param_act(XTF_BAD_VALUE, "conntrack", "--ctdir", optarg);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]604 }
605 break;
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]606 }
607
608 *flags = info->match_flags;
609 return true;
610}
611
612static int
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]613conntrack_mt4_parse(int c, bool invert, unsigned int *flags,
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]614 struct xt_conntrack_mtinfo3 *info, bool v3)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]615{
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]616 struct in_addr *addr = NULL;
617 unsigned int naddrs = 0;
618
619 switch (c) {
620 case '3': /* --ctorigsrc */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]621 xtables_ipparse_any(optarg, &addr, &info->origsrc_mask.in,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]622 &naddrs);
623 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]624 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]625 "multiple IP addresses not allowed");
626 if (naddrs == 1)
627 memcpy(&info->origsrc_addr.in, addr, sizeof(*addr));
628 info->match_flags |= XT_CONNTRACK_ORIGSRC;
629 if (invert)
630 info->invert_flags |= XT_CONNTRACK_ORIGSRC;
631 break;
632
633 case '4': /* --ctorigdst */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]634 xtables_ipparse_any(optarg, &addr, &info->origdst_mask.in,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]635 &naddrs);
636 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]637 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]638 "multiple IP addresses not allowed");
639 if (naddrs == 1)
640 memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
641 info->match_flags |= XT_CONNTRACK_ORIGDST;
642 if (invert)
643 info->invert_flags |= XT_CONNTRACK_ORIGDST;
644 break;
645
646 case '5': /* --ctreplsrc */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]647 xtables_ipparse_any(optarg, &addr, &info->replsrc_mask.in,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]648 &naddrs);
649 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]650 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]651 "multiple IP addresses not allowed");
652 if (naddrs == 1)
653 memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
654 info->match_flags |= XT_CONNTRACK_REPLSRC;
655 if (invert)
656 info->invert_flags |= XT_CONNTRACK_REPLSRC;
657 break;
658
659 case '6': /* --ctrepldst */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]660 xtables_ipparse_any(optarg, &addr, &info->repldst_mask.in,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]661 &naddrs);
662 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]663 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]664 "multiple IP addresses not allowed");
665 if (naddrs == 1)
666 memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
667 info->match_flags |= XT_CONNTRACK_REPLDST;
668 if (invert)
669 info->invert_flags |= XT_CONNTRACK_REPLDST;
670 break;
671
672
673 default:
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]674 return conntrack_mt_parse(c, invert, flags, info, v3);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]675 }
676
677 *flags = info->match_flags;
678 return true;
679}
680
681static int
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]682conntrack_mt6_parse(int c, bool invert, unsigned int *flags,
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]683 struct xt_conntrack_mtinfo3 *info, bool v3)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]684{
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]685 struct in6_addr *addr = NULL;
686 unsigned int naddrs = 0;
687
688 switch (c) {
689 case '3': /* --ctorigsrc */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]690 xtables_ip6parse_any(optarg, &addr,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]691 &info->origsrc_mask.in6, &naddrs);
692 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]693 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]694 "multiple IP addresses not allowed");
695 if (naddrs == 1)
696 memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr));
697 info->match_flags |= XT_CONNTRACK_ORIGSRC;
698 if (invert)
699 info->invert_flags |= XT_CONNTRACK_ORIGSRC;
700 break;
701
702 case '4': /* --ctorigdst */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]703 xtables_ip6parse_any(optarg, &addr,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]704 &info->origdst_mask.in6, &naddrs);
705 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]706 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]707 "multiple IP addresses not allowed");
708 if (naddrs == 1)
709 memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
710 info->match_flags |= XT_CONNTRACK_ORIGDST;
711 if (invert)
712 info->invert_flags |= XT_CONNTRACK_ORIGDST;
713 break;
714
715 case '5': /* --ctreplsrc */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]716 xtables_ip6parse_any(optarg, &addr,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]717 &info->replsrc_mask.in6, &naddrs);
718 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]719 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]720 "multiple IP addresses not allowed");
721 if (naddrs == 1)
722 memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
723 info->match_flags |= XT_CONNTRACK_REPLSRC;
724 if (invert)
725 info->invert_flags |= XT_CONNTRACK_REPLSRC;
726 break;
727
728 case '6': /* --ctrepldst */
Jan Engelhardta0baae82009-01-30 04:32:50 +0100[diff] [blame]729 xtables_ip6parse_any(optarg, &addr,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]730 &info->repldst_mask.in6, &naddrs);
731 if (naddrs > 1)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]732 xtables_error(PARAMETER_PROBLEM,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]733 "multiple IP addresses not allowed");
734 if (naddrs == 1)
735 memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
736 info->match_flags |= XT_CONNTRACK_REPLDST;
737 if (invert)
738 info->invert_flags |= XT_CONNTRACK_REPLDST;
739 break;
740
741
742 default:
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]743 return conntrack_mt_parse(c, invert, flags, info, v3);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]744 }
745
746 *flags = info->match_flags;
747 return true;
748}
749
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]750#define cinfo_transform(r, l) \
751 do { \
752 memcpy((r), (l), offsetof(typeof(*(l)), state_mask)); \
753 (r)->state_mask = (l)->state_mask; \
754 (r)->status_mask = (l)->status_mask; \
755 } while (false);
756
757static int
758conntrack1_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
759 const void *entry, struct xt_entry_match **match)
760{
761 struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]762 struct xt_conntrack_mtinfo3 up;
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]763
764 cinfo_transform(&up, info);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]765 if (!conntrack_mt4_parse(c, invert, flags, &up, false))
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]766 return false;
767 cinfo_transform(info, &up);
768 return true;
769}
770
771static int
772conntrack1_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
773 const void *entry, struct xt_entry_match **match)
774{
775 struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]776 struct xt_conntrack_mtinfo3 up;
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]777
778 cinfo_transform(&up, info);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]779 if (!conntrack_mt6_parse(c, invert, flags, &up, false))
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]780 return false;
781 cinfo_transform(info, &up);
782 return true;
783}
784
785static int
786conntrack2_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
787 const void *entry, struct xt_entry_match **match)
788{
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]789 return conntrack_mt4_parse(c, invert, flags, (void *)(*match)->data, false);
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]790}
791
792static int
793conntrack2_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
794 const void *entry, struct xt_entry_match **match)
795{
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]796 return conntrack_mt6_parse(c, invert, flags, (void *)(*match)->data, false);
797}
798
799static int
800conntrack3_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
801 const void *entry, struct xt_entry_match **match)
802{
803 return conntrack_mt4_parse(c, invert, flags, (void *)(*match)->data, true);
804}
805
806static int
807conntrack3_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
808 const void *entry, struct xt_entry_match **match)
809{
810 return conntrack_mt6_parse(c, invert, flags, (void *)(*match)->data, true);
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]811}
812
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]813static void conntrack_mt_check(unsigned int flags)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]814{
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]815 if (flags == 0)
Jan Engelhardt1829ed42009-02-21 03:29:44 +0100[diff] [blame]816 xtables_error(PARAMETER_PROBLEM, "conntrack: At least one option "
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]817 "is required");
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]818}
819
820static void
821print_state(unsigned int statemask)
822{
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]823 const char *sep = " ";
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]824
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]825 if (statemask & XT_CONNTRACK_STATE_INVALID) {
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]826 printf("%sINVALID", sep);
827 sep = ",";
828 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]829 if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]830 printf("%sNEW", sep);
831 sep = ",";
832 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]833 if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]834 printf("%sRELATED", sep);
835 sep = ",";
836 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]837 if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]838 printf("%sESTABLISHED", sep);
839 sep = ",";
840 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]841 if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
Harald Welte4dc734c2003-10-07 18:55:13 +0000[diff] [blame]842 printf("%sUNTRACKED", sep);
843 sep = ",";
844 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]845 if (statemask & XT_CONNTRACK_STATE_SNAT) {
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]846 printf("%sSNAT", sep);
847 sep = ",";
848 }
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]849 if (statemask & XT_CONNTRACK_STATE_DNAT) {
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]850 printf("%sDNAT", sep);
851 sep = ",";
852 }
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]853}
854
855static void
856print_status(unsigned int statusmask)
857{
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]858 const char *sep = " ";
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]859
860 if (statusmask & IPS_EXPECTED) {
861 printf("%sEXPECTED", sep);
862 sep = ",";
863 }
864 if (statusmask & IPS_SEEN_REPLY) {
865 printf("%sSEEN_REPLY", sep);
866 sep = ",";
867 }
868 if (statusmask & IPS_ASSURED) {
869 printf("%sASSURED", sep);
870 sep = ",";
871 }
Harald Weltea643c3e2003-08-25 11:08:52 +0000[diff] [blame]872 if (statusmask & IPS_CONFIRMED) {
873 printf("%sCONFIRMED", sep);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]874 sep = ",";
875 }
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]876 if (statusmask == 0)
877 printf("%sNONE", sep);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]878}
879
880static void
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]881conntrack_dump_addr(const union nf_inet_addr *addr,
882 const union nf_inet_addr *mask,
883 unsigned int family, bool numeric)
884{
Jan Engelhardt03d99482008-11-18 12:27:54 +0100[diff] [blame]885 if (family == NFPROTO_IPV4) {
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]886 if (!numeric && addr->ip == 0) {
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]887 printf(" anywhere");
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]888 return;
889 }
Jan Engelhardt6b6c0962008-11-10 17:08:07 +0100[diff] [blame]890 if (numeric)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]891 printf(" %s%s",
Jan Engelhardt76f7a232010-06-24 21:23:44 +0200[diff] [blame]892 xtables_ipaddr_to_numeric(&addr->in),
893 xtables_ipmask_to_numeric(&mask->in));
Jan Engelhardt6b6c0962008-11-10 17:08:07 +0100[diff] [blame]894 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]895 printf(" %s%s",
Jan Engelhardt76f7a232010-06-24 21:23:44 +0200[diff] [blame]896 xtables_ipaddr_to_anyname(&addr->in),
897 xtables_ipmask_to_numeric(&mask->in));
Jan Engelhardt03d99482008-11-18 12:27:54 +0100[diff] [blame]898 } else if (family == NFPROTO_IPV6) {
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]899 if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
900 addr->ip6[2] == 0 && addr->ip6[3] == 0) {
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]901 printf(" anywhere");
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]902 return;
903 }
Jan Engelhardt6b6c0962008-11-10 17:08:07 +0100[diff] [blame]904 if (numeric)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]905 printf(" %s%s",
Jan Engelhardt76f7a232010-06-24 21:23:44 +0200[diff] [blame]906 xtables_ip6addr_to_numeric(&addr->in6),
907 xtables_ip6mask_to_numeric(&mask->in6));
Jan Engelhardt6b6c0962008-11-10 17:08:07 +0100[diff] [blame]908 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]909 printf(" %s%s",
Jan Engelhardt76f7a232010-06-24 21:23:44 +0200[diff] [blame]910 xtables_ip6addr_to_anyname(&addr->in6),
911 xtables_ip6mask_to_numeric(&mask->in6));
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]912 }
913}
914
915static void
Jan Engelhardt69f564e2009-05-26 13:14:06 +0200[diff] [blame]916print_addr(const struct in_addr *addr, const struct in_addr *mask,
917 int inv, int numeric)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]918{
919 char buf[BUFSIZ];
920
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]921 if (inv)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]922 printf(" !");
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]923
924 if (mask->s_addr == 0L && !numeric)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]925 printf(" %s", "anywhere");
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]926 else {
927 if (numeric)
Jan Engelhardte44ea7f2009-01-30 03:55:09 +0100[diff] [blame]928 strcpy(buf, xtables_ipaddr_to_numeric(addr));
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]929 else
Jan Engelhardte44ea7f2009-01-30 03:55:09 +0100[diff] [blame]930 strcpy(buf, xtables_ipaddr_to_anyname(addr));
931 strcat(buf, xtables_ipmask_to_numeric(mask));
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]932 printf(" %s", buf);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]933 }
934}
935
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]936static void
Yasuyuki KOZAKAIc0a9ab92007-07-24 06:02:05 +0000[diff] [blame]937matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]938{
Jan Engelhardt69f564e2009-05-26 13:14:06 +0200[diff] [blame]939 const struct xt_conntrack_info *sinfo = (const void *)match->data;
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]940
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]941 if(sinfo->flags & XT_CONNTRACK_STATE) {
942 if (sinfo->invflags & XT_CONNTRACK_STATE)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]943 printf(" !");
944 printf(" %sctstate", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]945 print_state(sinfo->statemask);
946 }
947
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]948 if(sinfo->flags & XT_CONNTRACK_PROTO) {
949 if (sinfo->invflags & XT_CONNTRACK_PROTO)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]950 printf(" !");
951 printf(" %sctproto", optpfx);
952 printf(" %u", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
Phil Oester5a4892b2005-11-17 13:34:51 +0000[diff] [blame]953 }
954
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]955 if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
956 if (sinfo->invflags & XT_CONNTRACK_ORIGSRC)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]957 printf(" !");
958 printf(" %sctorigsrc", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]959
960 print_addr(
961 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
962 &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]963 false,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]964 numeric);
965 }
966
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]967 if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
968 if (sinfo->invflags & XT_CONNTRACK_ORIGDST)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]969 printf(" !");
970 printf(" %sctorigdst", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]971
972 print_addr(
973 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
974 &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]975 false,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]976 numeric);
977 }
978
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]979 if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
980 if (sinfo->invflags & XT_CONNTRACK_REPLSRC)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]981 printf(" !");
982 printf(" %sctreplsrc", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]983
984 print_addr(
985 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
986 &sinfo->sipmsk[IP_CT_DIR_REPLY],
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]987 false,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]988 numeric);
989 }
990
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]991 if(sinfo->flags & XT_CONNTRACK_REPLDST) {
992 if (sinfo->invflags & XT_CONNTRACK_REPLDST)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]993 printf(" !");
994 printf(" %sctrepldst", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]995
996 print_addr(
997 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
998 &sinfo->dipmsk[IP_CT_DIR_REPLY],
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]999 false,
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1000 numeric);
1001 }
1002
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]1003 if(sinfo->flags & XT_CONNTRACK_STATUS) {
1004 if (sinfo->invflags & XT_CONNTRACK_STATUS)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1005 printf(" !");
1006 printf(" %sctstatus", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1007 print_status(sinfo->statusmask);
1008 }
1009
Jan Engelhardta80b6042008-01-20 13:34:07 +0000[diff] [blame]1010 if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
1011 if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1012 printf(" !");
1013 printf(" %sctexpire ", optpfx);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1014
1015 if (sinfo->expires_max == sinfo->expires_min)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1016 printf("%lu", sinfo->expires_min);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1017 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1018 printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max);
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1019 }
Jan Engelhardtc7fc1da2008-11-12 12:03:25 +0100[diff] [blame]1020
1021 if (sinfo->flags & XT_CONNTRACK_DIRECTION) {
1022 if (sinfo->invflags & XT_CONNTRACK_DIRECTION)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1023 printf(" %sctdir REPLY", optpfx);
Jan Engelhardtc7fc1da2008-11-12 12:03:25 +0100[diff] [blame]1024 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1025 printf(" %sctdir ORIGINAL", optpfx);
Jan Engelhardtc7fc1da2008-11-12 12:03:25 +0100[diff] [blame]1026 }
1027
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1028}
1029
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1030static void
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1031conntrack_dump_ports(const char *prefix, const char *opt,
1032 u_int16_t port_low, u_int16_t port_high)
1033{
1034 if (port_high == 0 || port_low == port_high)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1035 printf(" %s%s %u", prefix, opt, port_low);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1036 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1037 printf(" %s%s %u:%u", prefix, opt, port_low, port_high);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1038}
1039
1040static void
1041conntrack_dump(const struct xt_conntrack_mtinfo3 *info, const char *prefix,
1042 unsigned int family, bool numeric, bool v3)
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1043{
1044 if (info->match_flags & XT_CONNTRACK_STATE) {
1045 if (info->invert_flags & XT_CONNTRACK_STATE)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1046 printf(" !");
1047 printf(" %sctstate", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1048 print_state(info->state_mask);
1049 }
1050
1051 if (info->match_flags & XT_CONNTRACK_PROTO) {
1052 if (info->invert_flags & XT_CONNTRACK_PROTO)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1053 printf(" !");
1054 printf(" %sctproto %u", prefix, info->l4proto);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1055 }
1056
1057 if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
Jan Engelhardt093d5fc2009-04-05 00:05:30 +0200[diff] [blame]1058 if (info->invert_flags & XT_CONNTRACK_ORIGSRC)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1059 printf(" !");
1060 printf(" %sctorigsrc", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1061 conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
1062 family, numeric);
1063 }
1064
1065 if (info->match_flags & XT_CONNTRACK_ORIGDST) {
Jan Engelhardt093d5fc2009-04-05 00:05:30 +0200[diff] [blame]1066 if (info->invert_flags & XT_CONNTRACK_ORIGDST)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1067 printf(" !");
1068 printf(" %sctorigdst", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1069 conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
1070 family, numeric);
1071 }
1072
1073 if (info->match_flags & XT_CONNTRACK_REPLSRC) {
Jan Engelhardt093d5fc2009-04-05 00:05:30 +0200[diff] [blame]1074 if (info->invert_flags & XT_CONNTRACK_REPLSRC)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1075 printf(" !");
1076 printf(" %sctreplsrc", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1077 conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
1078 family, numeric);
1079 }
1080
1081 if (info->match_flags & XT_CONNTRACK_REPLDST) {
Jan Engelhardt093d5fc2009-04-05 00:05:30 +0200[diff] [blame]1082 if (info->invert_flags & XT_CONNTRACK_REPLDST)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1083 printf(" !");
1084 printf(" %sctrepldst", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1085 conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
1086 family, numeric);
1087 }
1088
1089 if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) {
1090 if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1091 printf(" !");
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1092 conntrack_dump_ports(prefix, "ctorigsrcport",
1093 v3 ? info->origsrc_port : ntohs(info->origsrc_port),
1094 v3 ? info->origsrc_port_high : 0);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1095 }
1096
1097 if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) {
1098 if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1099 printf(" !");
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1100 conntrack_dump_ports(prefix, "ctorigdstport",
1101 v3 ? info->origdst_port : ntohs(info->origdst_port),
1102 v3 ? info->origdst_port_high : 0);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1103 }
1104
1105 if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) {
1106 if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1107 printf(" !");
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1108 conntrack_dump_ports(prefix, "ctreplsrcport",
1109 v3 ? info->replsrc_port : ntohs(info->replsrc_port),
1110 v3 ? info->replsrc_port_high : 0);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1111 }
1112
1113 if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) {
1114 if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1115 printf(" !");
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1116 conntrack_dump_ports(prefix, "ctrepldstport",
1117 v3 ? info->repldst_port : ntohs(info->repldst_port),
1118 v3 ? info->repldst_port_high : 0);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1119 }
1120
1121 if (info->match_flags & XT_CONNTRACK_STATUS) {
1122 if (info->invert_flags & XT_CONNTRACK_STATUS)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1123 printf(" !");
1124 printf(" %sctstatus", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1125 print_status(info->status_mask);
1126 }
1127
1128 if (info->match_flags & XT_CONNTRACK_EXPIRES) {
1129 if (info->invert_flags & XT_CONNTRACK_EXPIRES)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1130 printf(" !");
1131 printf(" %sctexpire ", prefix);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1132
1133 if (info->expires_max == info->expires_min)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1134 printf("%u", (unsigned int)info->expires_min);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1135 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1136 printf("%u:%u", (unsigned int)info->expires_min,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1137 (unsigned int)info->expires_max);
1138 }
Jan Engelhardtc7fc1da2008-11-12 12:03:25 +0100[diff] [blame]1139
1140 if (info->match_flags & XT_CONNTRACK_DIRECTION) {
1141 if (info->invert_flags & XT_CONNTRACK_DIRECTION)
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1142 printf(" %sctdir REPLY", prefix);
Jan Engelhardtc7fc1da2008-11-12 12:03:25 +0100[diff] [blame]1143 else
Jan Engelhardt73866352010-12-18 02:04:59 +0100[diff] [blame]1144 printf(" %sctdir ORIGINAL", prefix);
Jan Engelhardtc7fc1da2008-11-12 12:03:25 +0100[diff] [blame]1145 }
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1146}
1147
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]1148static void conntrack_print(const void *ip, const struct xt_entry_match *match,
1149 int numeric)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1150{
1151 matchinfo_print(ip, match, numeric, "");
1152}
1153
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1154static void
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1155conntrack1_mt4_print(const void *ip, const struct xt_entry_match *match,
1156 int numeric)
1157{
1158 const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1159 struct xt_conntrack_mtinfo3 up;
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1160
1161 cinfo_transform(&up, info);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1162 conntrack_dump(&up, "", NFPROTO_IPV4, numeric, false);
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1163}
1164
1165static void
1166conntrack1_mt6_print(const void *ip, const struct xt_entry_match *match,
1167 int numeric)
1168{
1169 const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1170 struct xt_conntrack_mtinfo3 up;
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1171
1172 cinfo_transform(&up, info);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1173 conntrack_dump(&up, "", NFPROTO_IPV6, numeric, false);
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1174}
1175
1176static void
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1177conntrack2_mt_print(const void *ip, const struct xt_entry_match *match,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1178 int numeric)
1179{
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1180 conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric, false);
1181}
1182
1183static void
1184conntrack2_mt6_print(const void *ip, const struct xt_entry_match *match,
1185 int numeric)
1186{
1187 conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric, false);
1188}
1189
1190static void
1191conntrack3_mt_print(const void *ip, const struct xt_entry_match *match,
1192 int numeric)
1193{
1194 conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric, true);
1195}
1196
1197static void
1198conntrack3_mt6_print(const void *ip, const struct xt_entry_match *match,
1199 int numeric)
1200{
1201 conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric, true);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1202}
1203
Jan Engelhardt59d16402007-10-04 16:28:39 +0000[diff] [blame]1204static void conntrack_save(const void *ip, const struct xt_entry_match *match)
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1205{
Joszef Kadlecsikdb503f92004-05-05 10:10:33 +0000[diff] [blame]1206 matchinfo_print(ip, match, 1, "--");
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1207}
1208
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1209static void conntrack3_mt_save(const void *ip,
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1210 const struct xt_entry_match *match)
1211{
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1212 conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true, true);
1213}
1214
1215static void conntrack3_mt6_save(const void *ip,
1216 const struct xt_entry_match *match)
1217{
1218 conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true, true);
1219}
1220
1221static void conntrack2_mt_save(const void *ip,
1222 const struct xt_entry_match *match)
1223{
1224 conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true, false);
1225}
1226
1227static void conntrack2_mt6_save(const void *ip,
1228 const struct xt_entry_match *match)
1229{
1230 conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true, false);
Jan Engelhardta8ad34c2008-01-29 13:37:21 +0000[diff] [blame]1231}
1232
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1233static void
1234conntrack1_mt4_save(const void *ip, const struct xt_entry_match *match)
1235{
1236 const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1237 struct xt_conntrack_mtinfo3 up;
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1238
1239 cinfo_transform(&up, info);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1240 conntrack_dump(&up, "--", NFPROTO_IPV4, true, false);
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1241}
1242
1243static void
1244conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match)
1245{
1246 const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1247 struct xt_conntrack_mtinfo3 up;
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1248
1249 cinfo_transform(&up, info);
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1250 conntrack_dump(&up, "--", NFPROTO_IPV6, true, false);
Jan Engelhardtb97b4212009-06-25 18:46:37 +0200[diff] [blame]1251}
1252
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]1253static struct xtables_match conntrack_mt_reg[] = {
1254 {
1255 .version = XTABLES_VERSION,
1256 .name = "conntrack",
1257 .revision = 0,
1258 .family = NFPROTO_IPV4,
1259 .size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1260 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1261 .help = conntrack_mt_help,
1262 .parse = conntrack_parse,
1263 .final_check = conntrack_mt_check,
1264 .print = conntrack_print,
1265 .save = conntrack_save,
1266 .extra_opts = conntrack_mt_opts_v0,
1267 },
1268 {
1269 .version = XTABLES_VERSION,
1270 .name = "conntrack",
1271 .revision = 1,
1272 .family = NFPROTO_IPV4,
1273 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1274 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1275 .help = conntrack_mt_help,
Jan Engelhardt8e4daca2009-08-05 18:13:11 +0200[diff] [blame]1276 .parse = conntrack1_mt4_parse,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]1277 .final_check = conntrack_mt_check,
Jan Engelhardt8e4daca2009-08-05 18:13:11 +0200[diff] [blame]1278 .print = conntrack1_mt4_print,
1279 .save = conntrack1_mt4_save,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]1280 .extra_opts = conntrack_mt_opts,
1281 },
1282 {
1283 .version = XTABLES_VERSION,
1284 .name = "conntrack",
1285 .revision = 1,
1286 .family = NFPROTO_IPV6,
1287 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1288 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1289 .help = conntrack_mt_help,
Jan Engelhardt8e4daca2009-08-05 18:13:11 +0200[diff] [blame]1290 .parse = conntrack1_mt6_parse,
1291 .final_check = conntrack_mt_check,
1292 .print = conntrack1_mt6_print,
1293 .save = conntrack1_mt6_save,
1294 .extra_opts = conntrack_mt_opts,
1295 },
1296 {
1297 .version = XTABLES_VERSION,
1298 .name = "conntrack",
1299 .revision = 2,
1300 .family = NFPROTO_IPV4,
1301 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1302 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1303 .help = conntrack_mt_help,
1304 .parse = conntrack2_mt4_parse,
1305 .final_check = conntrack_mt_check,
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1306 .print = conntrack2_mt_print,
1307 .save = conntrack2_mt_save,
Jan Engelhardt8e4daca2009-08-05 18:13:11 +0200[diff] [blame]1308 .extra_opts = conntrack_mt_opts,
1309 },
1310 {
1311 .version = XTABLES_VERSION,
1312 .name = "conntrack",
1313 .revision = 2,
1314 .family = NFPROTO_IPV6,
1315 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1316 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1317 .help = conntrack_mt_help,
1318 .parse = conntrack2_mt6_parse,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]1319 .final_check = conntrack_mt_check,
Patrick McHardyc8f28cc2011-01-20 11:45:12 +0100[diff] [blame]1320 .print = conntrack2_mt6_print,
1321 .save = conntrack2_mt6_save,
1322 .extra_opts = conntrack_mt_opts,
1323 },
1324 {
1325 .version = XTABLES_VERSION,
1326 .name = "conntrack",
1327 .revision = 3,
1328 .family = NFPROTO_IPV4,
1329 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1330 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1331 .help = conntrack_mt_help,
1332 .parse = conntrack3_mt4_parse,
1333 .final_check = conntrack_mt_check,
1334 .print = conntrack3_mt_print,
1335 .save = conntrack3_mt_save,
1336 .extra_opts = conntrack_mt_opts,
1337 },
1338 {
1339 .version = XTABLES_VERSION,
1340 .name = "conntrack",
1341 .revision = 3,
1342 .family = NFPROTO_IPV6,
1343 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1344 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1345 .help = conntrack_mt_help,
1346 .parse = conntrack3_mt6_parse,
1347 .final_check = conntrack_mt_check,
1348 .print = conntrack3_mt6_print,
1349 .save = conntrack3_mt6_save,
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]1350 .extra_opts = conntrack_mt_opts,
1351 },
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1352};
1353
1354void _init(void)
1355{
Jan Engelhardtf2a77522009-06-25 20:12:12 +0200[diff] [blame]1356 xtables_register_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
Marc Boucher5054e852002-01-19 10:59:12 +0000[diff] [blame]1357}