* expectation entry creation with conntrack
@ 2015-06-25 10:22 pfeiffer.szilard
  2015-06-25 10:22 ` [PATCH 1/2] conntrack: refactor handling of address options pfeiffer.szilard
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: pfeiffer.szilard @ 2015-06-25 10:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pfeiffer.szilard


Hello,

Here are two patches that fix the expectation entry creation with the conntrack
tool. The first patch is only a refactor with the purpose to make the second
patch smaller and easier to understand. The second one fixes the entry
creation by using the necessary conntrack structure.

BR,
Szilárd Pfeiffer
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 1/2] conntrack: refactor handling of address options
  2015-06-25 10:22 expectation entry creation with conntrack pfeiffer.szilard
@ 2015-06-25 10:22 ` pfeiffer.szilard
  2015-06-25 10:22 ` [PATCH 2/2] conntrack: fix expectation entry creation pfeiffer.szilard
  2015-06-26  8:11 ` expectation entry creation with conntrack Pablo Neira Ayuso
  2 siblings, 0 replies; 4+ messages in thread
From: pfeiffer.szilard @ 2015-06-25 10:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pfeiffer.szilard

From: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>

Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
---
 src/conntrack.c | 69 ++++++++++++++++++++++++++-------------------------------
 1 file changed, 32 insertions(+), 37 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index b1a2589..4b22e75 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -437,6 +437,10 @@ static const int opt2attr[] = {
 	['d']	= ATTR_ORIG_L3PROTO,
 	['r']	= ATTR_REPL_L3PROTO,
 	['q']	= ATTR_REPL_L3PROTO,
+	['{']	= ATTR_ORIG_L3PROTO,
+	['}']	= ATTR_ORIG_L3PROTO,
+	['[']	= ATTR_ORIG_L3PROTO,
+	[']']	= ATTR_ORIG_L3PROTO,
 	['m']	= ATTR_MARK,
 	['c']	= ATTR_SECMARK,
 	['i']	= ATTR_ID,
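
Review bot: the four added entries for '{', '}', '[' and ']' all map to ATTR_ORIG_L3PROTO with no comment saying why, whereas the neighbouring 'r' and 'q' entries use ATTR_REPL_L3PROTO. A short comment above the new lines naming the long options behind these characters, and stating that they always set the original-direction L3 protocol, would make the table checkable without reading the switch in main().
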
@@ -1952,6 +1956,31 @@ static void merge_bitmasks(struct nfct_bitmask **current,
 	nfct_bitmask_destroy(src);
 }
 
+static void 
+nfct_set_addr_from_opt(int opt, struct nf_conntrack *ct, union ct_address *ad,
+		       int *family)
+{
+	int l3protonum;
+
+	options |= opt2type[opt];
+	l3protonum = parse_addr(optarg, ad);
+	if (l3protonum == AF_UNSPEC) {
+		exit_error(PARAMETER_PROBLEM,
+			   "Invalid IP address `%s'", optarg);
+	}
+	set_family(family, l3protonum);
+	if (l3protonum == AF_INET) {
+		nfct_set_attr_u32(ct,
+				  opt2family_attr[opt][0],
+				  ad->v4);
+	} else if (l3protonum == AF_INET6) {
+		nfct_set_attr(ct,
+			      opt2family_attr[opt][1],
+			      &ad->v6);
+	}
+	nfct_set_attr_u8(ct, opt2attr[opt], l3protonum);
+}
+
 int main(int argc, char *argv[])
 {
 	int c, cmd;
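
Review bot: the nfct_ prefix on nfct_set_addr_from_opt() puts a static helper local to src/conntrack.c in the same namespace as the library calls it wraps (nfct_set_attr_u32, nfct_set_attr, nfct_set_attr_u8), so call sites read like library API; a local name such as set_addr_from_opt would avoid that. The helper also reads optarg and updates options without taking them as parameters, which deserves a one-line comment above it, and the "+static void " line carries trailing whitespace.
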
@@ -1959,7 +1988,7 @@ int main(int argc, char *argv[])
 	int res = 0, partial;
 	size_t socketbuffersize = 0;
 	int family = AF_UNSPEC;
-	int l3protonum, protonum = 0;
+	int protonum = 0;
 	union ct_address ad;
 	unsigned int command = 0;
 
@@ -2030,47 +2059,13 @@ int main(int argc, char *argv[])
 		case 'd':
 		case 'r':
 		case 'q':
-			options |= opt2type[c];
-
-			l3protonum = parse_addr(optarg, &ad);
-			if (l3protonum == AF_UNSPEC) {
-				exit_error(PARAMETER_PROBLEM,
-					   "Invalid IP address `%s'", optarg);
-			}
-			set_family(&family, l3protonum);
-			if (l3protonum == AF_INET) {
-				nfct_set_attr_u32(tmpl.ct,
-						  opt2family_attr[c][0],
-						  ad.v4);
-			} else if (l3protonum == AF_INET6) {
-				nfct_set_attr(tmpl.ct,
-					      opt2family_attr[c][1],
-					      &ad.v6);
-			}
-			nfct_set_attr_u8(tmpl.ct, opt2attr[c], l3protonum);
+			nfct_set_addr_from_opt(c, tmpl.ct, &ad, &family);
 			break;
 		case '{':
 		case '}':
 		case '[':
 		case ']':
-			options |= opt2type[c];
-			l3protonum = parse_addr(optarg, &ad);
-			if (l3protonum == AF_UNSPEC) {
-				exit_error(PARAMETER_PROBLEM,
-					   "Invalid IP address `%s'", optarg);
-			}
-			set_family(&family, l3protonum);
-			if (l3protonum == AF_INET) {
-				nfct_set_attr_u32(tmpl.mask, 
-						  opt2family_attr[c][0],
-						  ad.v4);
-			} else if (l3protonum == AF_INET6) {
-				nfct_set_attr(tmpl.mask,
-					      opt2family_attr[c][1],
-					      &ad.v6);
-			}
-			nfct_set_attr_u8(tmpl.mask,
-					 ATTR_ORIG_L3PROTO, l3protonum);
+			nfct_set_addr_from_opt(c, tmpl.mask, &ad, &family);
 			break;
 		case 'p':
 			options |= CT_OPT_PROTO;
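
Review bot: on the '{', '}', '[', ']' path the removed code passed the literal ATTR_ORIG_L3PROTO to nfct_set_attr_u8(), while the new call resolves it through opt2attr[c] inside the helper, so the refactor preserves behaviour only because of the four table entries added in the first hunk. The patch has no changelog body; state there that no functional change is intended and that the opt2attr additions exist for this reason, so that a later edit to the table is not mistaken for harmless.
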
-- 
2.1.0


* [PATCH 2/2] conntrack: fix expectation entry creation
  2015-06-25 10:22 expectation entry creation with conntrack pfeiffer.szilard
  2015-06-25 10:22 ` [PATCH 1/2] conntrack: refactor handling of address options pfeiffer.szilard
@ 2015-06-25 10:22 ` pfeiffer.szilard
  2015-06-26  8:11 ` expectation entry creation with conntrack Pablo Neira Ayuso
  2 siblings, 0 replies; 4+ messages in thread
From: pfeiffer.szilard @ 2015-06-25 10:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pfeiffer.szilard

From: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>

Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
---
 src/conntrack.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/conntrack.c b/src/conntrack.c
index 4b22e75..45276f4 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2063,6 +2063,8 @@ int main(int argc, char *argv[])
 			break;
 		case '{':
 		case '}':
+			nfct_set_addr_from_opt(c, tmpl.exptuple, &ad, &family);
+			break;
 		case '[':
 		case ']':
 			nfct_set_addr_from_opt(c, tmpl.mask, &ad, &family);
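
Review bot: the changelog is empty, so nothing records why the address for '{' and '}' has to land in tmpl.exptuple instead of tmpl.mask, or what the user-visible failure was before. Please describe the failing invocation and its result in the commit message, and add a comment at these case labels naming the long options behind '{', '}', '[' and ']', since the hunk alone does not let a reader check that the exptuple/mask split is the intended one. It is also worth confirming that tmpl.exptuple is allocated before option parsing reaches this case, which is not visible here.
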
-- 
2.1.0


* Re: expectation entry creation with conntrack
  2015-06-25 10:22 expectation entry creation with conntrack pfeiffer.szilard
  2015-06-25 10:22 ` [PATCH 1/2] conntrack: refactor handling of address options pfeiffer.szilard
  2015-06-25 10:22 ` [PATCH 2/2] conntrack: fix expectation entry creation pfeiffer.szilard
@ 2015-06-26  8:11 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-26  8:11 UTC (permalink / raw)
  To: pfeiffer.szilard; +Cc: netfilter-devel

On Thu, Jun 25, 2015 at 12:22:09PM +0200, pfeiffer.szilard@balabit.hu wrote:
> 
> Hello,
> 
> Here are two patches that fix the expectation entry creation with the conntrack
> tool. The first patch is only a refactor with the purpose to make the second
> patch smaller and easier to understand. The second one fixes the entry
> creation by using the necessary conntrack structure.

Series applied, thanks Szilárd.
