/*
 * Print the state names selected by @statemask as a comma-separated list
 * (no trailing newline, no separator before the first name).
 *
 * The output order is fixed to INVALID, NEW, RELATED, ESTABLISHED, UNTRACKED
 * regardless of the bit values; bits in @statemask that do not correspond to
 * one of these five states are silently ignored.
 */
static void state_print_state(unsigned int statemask)
{
	const struct {
		unsigned int bit;
		const char *name;
	} names[] = {
		{ XT_STATE_INVALID, "INVALID" },
		{ XT_STATE_BIT(IP_CT_NEW), "NEW" },
		{ XT_STATE_BIT(IP_CT_RELATED), "RELATED" },
		{ XT_STATE_BIT(IP_CT_ESTABLISHED), "ESTABLISHED" },
		{ XT_STATE_UNTRACKED, "UNTRACKED" },
	};
	const char *sep = "";
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (!(statemask & names[i].bit))
			continue;
		printf("%s%s", sep, names[i].name);
		/* Every name after the first is preceded by a comma. */
		sep = ",";
	}
}
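/*
 * Translate one state token into its XT_STATE_* mask bit.
 *
 * @state: start of the token (need not be NUL-terminated at @len).
 * @len:   number of characters of the token to compare.
 *
 * Returns the mask bit for INVALID, NEW, ESTABLISHED, RELATED or UNTRACKED,
 * or 0 if the token matches none of them.
 *
 * Matching is case-insensitive and compares only the first @len characters,
 * so an abbreviated token such as "N" or "est" is accepted as a prefix of
 * NEW / ESTABLISHED.  Callers therefore must pass the exact token length;
 * a token longer than the state name (e.g. "NEWER") does not match.
 */
static unsigned int state_parse_state(const char *state, size_t len)
{
	/*
	 * strncasecmp() with len == 0 compares nothing and reports equality,
	 * which would turn an empty token (e.g. from a stray comma) into
	 * INVALID.  Reject it explicitly instead.
	 */
	if (len == 0)
		return 0;

	if (strncasecmp(state, "INVALID", len) == 0)
		return XT_STATE_INVALID;
	else if (strncasecmp(state, "NEW", len) == 0)
		return XT_STATE_BIT(IP_CT_NEW);
	else if (strncasecmp(state, "ESTABLISHED", len) == 0)
		return XT_STATE_BIT(IP_CT_ESTABLISHED);
	else if (strncasecmp(state, "RELATED", len) == 0)
		return XT_STATE_BIT(IP_CT_RELATED);
	else if (strncasecmp(state, "UNTRACKED", len) == 0)
		return XT_STATE_UNTRACKED;
	return 0;
}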
/*
 * xt_state match hook: classify the packet's conntrack state into a single
 * XT_STATE_* bit and test it against the rule's state mask.
 *
 * A packet with no conntrack entry attached is treated as INVALID.  For a
 * packet that has one, an untracked entry maps to UNTRACKED and any other
 * entry maps to the bit derived from its ctinfo.  Only @skb and @matchinfo
 * are used; the remaining parameters are part of the match API and ignored
 * here (in particular *hotdrop is never set).
 *
 * Returns true if the packet's state bit is present in sinfo->statemask.
 */
static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
	const struct xt_state_info *sinfo = matchinfo;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int statebit = XT_STATE_INVALID;

	if (ct)
		statebit = nf_ct_is_untracked(ct) ? XT_STATE_UNTRACKED
						  : XT_STATE_BIT(ctinfo);

	return (sinfo->statemask & statebit) != 0;
}
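/*
 * Parse one state token and OR its XT_STATE_* bit into sinfo->statemask.
 *
 * @state: start of the token (need not be NUL-terminated at @len).
 * @len:   number of characters of the token to compare.
 * @sinfo: match info whose statemask is updated on success.
 *
 * Returns 1 if the token named a known state, 0 otherwise (statemask is
 * left unchanged in that case).
 *
 * Matching is case-insensitive and compares only the first @len characters,
 * so an abbreviated token such as "N" or "est" is accepted as a prefix of
 * NEW / ESTABLISHED.  Callers therefore must pass the exact token length;
 * a token longer than the state name (e.g. "NEWER") does not match.
 */
static int state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo)
{
	/*
	 * strncasecmp() with len == 0 compares nothing and reports equality,
	 * which would turn an empty token (e.g. from a stray comma) into
	 * INVALID.  Reject it explicitly instead.
	 */
	if (len == 0)
		return 0;

	if (strncasecmp(state, "INVALID", len) == 0)
		sinfo->statemask |= XT_STATE_INVALID;
	else if (strncasecmp(state, "NEW", len) == 0)
		sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW);
	else if (strncasecmp(state, "ESTABLISHED", len) == 0)
		sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED);
	else if (strncasecmp(state, "RELATED", len) == 0)
		sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED);
	else if (strncasecmp(state, "UNTRACKED", len) == 0)
		sinfo->statemask |= XT_STATE_UNTRACKED;
	else
		return 0;
	return 1;
}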
/*
 * Hardware-ACL offload hook for the state match (RTL865x).
 *
 * Only the ESTABLISHED bit of the rule's statemask is inspected: if it is
 * set the rule is reported as RTL865X_ESTABLISH_RULE, otherwise the rule is
 * not pushed into the RTL865x ACL table (RTL865X_SKIP_THIS_RULE).  The
 * tablename, ip, match, acl_rule and invflags parameters are not used here.
 *
 * NOTE(review): any other bits in statemask (NEW, RELATED, INVALID,
 * UNTRACKED) are ignored, so a rule such as "--state NEW,ESTABLISHED" is
 * classified exactly like "--state ESTABLISHED".  Whether the resulting
 * hardware rule still covers the remaining states is decided by the caller
 * and is not visible here — confirm against the ACL code.
 */
static int state_match2acl(const char *tablename, const void *ip, const struct xt_match *match, void *matchinfo, void *acl_rule, unsigned int *invflags)
{
	const struct xt_state_info *sinfo = matchinfo;

	if (!(sinfo->statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)))
		return RTL865X_SKIP_THIS_RULE;

	return RTL865X_ESTABLISH_RULE;
}
/*
 * xt_state match hook: classify the packet's conntrack state into a single
 * XT_STATE_* bit and test it against the rule's state mask.
 *
 * Untracked packets are checked first and map to UNTRACKED.  Otherwise a
 * packet without a conntrack entry is INVALID, and one with an entry maps to
 * the bit derived from its ctinfo.
 *
 * Returns true if the packet's state bit is present in sinfo->statemask.
 */
static bool state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
	const struct xt_state_info *sinfo = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	unsigned int statebit = XT_STATE_INVALID;

	if (nf_ct_is_untracked(skb))
		statebit = XT_STATE_UNTRACKED;
	else if (nf_ct_get(skb, &ctinfo))
		statebit = XT_STATE_BIT(ctinfo);

	return (sinfo->statemask & statebit) != 0;
}
/*
 * xt_state match hook: classify the packet's conntrack state into a single
 * XT_STATE_* bit and test it against the rule's state mask.
 *
 * A packet with a conntrack entry maps to the bit derived from its ctinfo.
 * When no entry is attached, ctinfo alone decides: IP_CT_UNTRACKED yields
 * UNTRACKED and anything else yields INVALID.  This relies on nf_ct_get()
 * filling in ctinfo even when it returns NULL — presumably how the untracked
 * marker is encoded in this kernel; verify against nf_ct_get().
 *
 * Returns true if the packet's state bit is present in sinfo->statemask.
 */
static bool state_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_state_info *sinfo = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	unsigned int statebit;

	if (!ct)
		statebit = (ctinfo == IP_CT_UNTRACKED) ? XT_STATE_UNTRACKED
						       : XT_STATE_INVALID;
	else
		statebit = XT_STATE_BIT(ctinfo);

	return (sinfo->statemask & statebit) != 0;
}
/*
 * xt_state match hook (int-returning variant): classify the packet's
 * conntrack state into a single XT_STATE_* bit and test it against the
 * rule's state mask.
 *
 * Untracked packets are checked first and map to UNTRACKED.  Otherwise a
 * packet for which nf_ct_get_ctinfo() reports no entry is INVALID, and one
 * with an entry maps to the bit derived from its ctinfo.  Only @skb and
 * @matchinfo are used; the other parameters are part of the match API and
 * ignored here (*hotdrop is never set).
 *
 * Returns nonzero (the matched mask bits) if the packet's state bit is
 * present in sinfo->statemask, 0 otherwise.
 */
static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, unsigned int protoff, int *hotdrop)
{
	const struct xt_state_info *sinfo = matchinfo;
	enum ip_conntrack_info ctinfo;
	unsigned int statebit = XT_STATE_INVALID;

	if (nf_ct_is_untracked(skb))
		statebit = XT_STATE_UNTRACKED;
	else if (nf_ct_get_ctinfo(skb, &ctinfo))
		statebit = XT_STATE_BIT(ctinfo);

	return sinfo->statemask & statebit;
}