int main() { int ret; struct nfct_handle *h; struct nf_conntrack *ct; ct = nfct_new(); if (!ct) { perror("nfct_new"); return 0; } nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10)); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfct_query(h, NFCT_Q_DESTROY, ct); printf("TEST: delete conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int main(void) { int ret; uint32_t family = AF_INET; struct nfct_handle *h; h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); printf("TEST: get conntrack "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp) { struct nf_conntrack *ct; struct nfct_handle *h; gotit = 0; if ((ct = nfct_new())) { nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port)); #ifdef HAVE_IPV6 if (peer_addr->sa.sa_family == AF_INET6) { nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6); nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr); nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port); nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr); } else #endif { nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr); nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port); nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr); } if ((h = nfct_open(CONNTRACK, 0))) { nfct_callback_register(h, NFCT_T_ALL, callback, (void *)markp); if (nfct_query(h, NFCT_Q_GET, ct) == -1) { static int warned = 0; if (!warned) { my_syslog(LOG_ERR, _("Conntrack connection mark retrieval failed: %s"), strerror(errno)); warned = 1; } } nfct_close(h); } nfct_destroy(ct); } return gotit; }
int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig, int timeout) { int ret; struct nf_conntrack *ct; ct = nfct_clone(orig); if (ct == NULL) return -1; if (timeout > 0) nfct_set_attr_u32(ct, ATTR_TIMEOUT, timeout); /* we hit error if we try to change the expected bit */ if (nfct_attr_is_set(ct, ATTR_STATUS)) { uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS); status &= ~IPS_EXPECTED; nfct_set_attr_u32(ct, ATTR_STATUS, status); } nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY); /* disable TCP window tracking for recovered connections if required */ if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) { uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM; if (!CONFIG(sync).tcp_window_tracking) flags |= IP_CT_TCP_FLAG_BE_LIBERAL; else flags |= IP_CT_TCP_FLAG_WINDOW_SCALE; /* FIXME: workaround, we should send TCP flags in updates */ if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT) { flags |= IP_CT_TCP_FLAG_CLOSE_INIT; } nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags); nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags); nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags); nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags); } ret = nfct_query(h, NFCT_Q_CREATE, ct); nfct_destroy(ct); return ret; }
/* if the handle has no callback, check for existence, otherwise, update */ int nl_get_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct) { int ret = 1; struct nf_conntrack *tmp; tmp = nfct_new(); if (tmp == NULL) return -1; /* use the original tuple to check if it is there */ nfct_copy(tmp, ct, NFCT_CP_ORIG); if (nfct_query(h, NFCT_Q_GET, tmp) == -1) ret = (errno == ENOENT) ? 0 : -1; nfct_destroy(tmp); return ret; }
int nl_flush_conntrack_table_selective(void) { struct nfct_handle *h; int ret; h = nfct_open(CONNTRACK, 0); if (h == NULL) { dlog(LOG_ERR, "cannot open handle"); return -1; } nfct_callback_register(h, NFCT_T_ALL, nl_flush_selective_cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); nfct_close(h); return ret; }
static void internal_bypass_ct_dump(int fd, int type) { struct nfct_handle *h; u_int32_t family = AF_UNSPEC; int ret; h = nfct_open(CONFIG(netlink).subsys_id, 0); if (h == NULL) { dlog(LOG_ERR, "can't allocate memory for the internal cache"); return; } nfct_callback_register(h, NFCT_T_ALL, internal_bypass_ct_dump_cb, &fd); ret = nfct_query(h, NFCT_Q_DUMP, &family); if (ret == -1) { dlog(LOG_ERR, "can't dump kernel table"); } nfct_close(h); }
static void ForwardingRule_dealloc(ForwardingRule *self) { struct nfct_handle *ct_handle; PyObject_GC_UnTrack(self); ForwardingRule_clear(self); if (self->is_active) { forwarding_rules[ntohs(nfct_get_attr_u16(self->conntrack, ATTR_ORIG_PORT_DST))] = NULL; Py_BEGIN_ALLOW_THREADS ct_handle = nfct_open(CONNTRACK, 0); if (ct_handle != NULL) { nfct_query(ct_handle, NFCT_Q_DESTROY, self->conntrack); nfct_close(ct_handle); } Py_END_ALLOW_THREADS }
int main() { int ret; struct nfct_handle *h; struct nf_conntrack *ct; ct = nfct_new(); if (!ct) { perror("nfct_new"); return 0; } nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10)); nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN); nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100); nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("8.8.8.8")); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfct_query(h, NFCT_Q_CREATE, ct); printf("TEST: create conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int main() { int ret; u_int8_t family = AF_INET; struct nfct_handle *h; char buf[1024]; h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); printf("TEST: dump conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int nl_dump_conntrack_table(void) { return nfct_query(STATE(dump), NFCT_Q_DUMP, &CONFIG(family)); }
int nl_destroy_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct) { return nfct_query(h, NFCT_Q_DESTROY, ct); }
int nl_update_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig, int timeout) { int ret; struct nf_conntrack *ct; ct = nfct_clone(orig); if (ct == NULL) return -1; if (timeout > 0) nfct_set_attr_u32(ct, ATTR_TIMEOUT, timeout); /* unset NAT info, otherwise we hit error */ nfct_attr_unset(ct, ATTR_SNAT_IPV4); nfct_attr_unset(ct, ATTR_DNAT_IPV4); nfct_attr_unset(ct, ATTR_SNAT_PORT); nfct_attr_unset(ct, ATTR_DNAT_PORT); if (nfct_attr_is_set(ct, ATTR_STATUS)) { uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS); status &= ~IPS_NAT_MASK; nfct_set_attr_u32(ct, ATTR_STATUS, status); } /* we have to unset the helper to avoid EBUSY in reset timers */ if (nfct_attr_is_set(ct, ATTR_HELPER_NAME)) nfct_attr_unset(ct, ATTR_HELPER_NAME); /* we hit error if we try to update the master conntrack */ if (ct_is_related(ct)) { nfct_attr_unset(ct, ATTR_MASTER_L3PROTO); nfct_attr_unset(ct, ATTR_MASTER_L4PROTO); nfct_attr_unset(ct, ATTR_MASTER_IPV4_SRC); nfct_attr_unset(ct, ATTR_MASTER_IPV4_DST); nfct_attr_unset(ct, ATTR_MASTER_IPV6_SRC); nfct_attr_unset(ct, ATTR_MASTER_IPV6_DST); nfct_attr_unset(ct, ATTR_MASTER_PORT_SRC); nfct_attr_unset(ct, ATTR_MASTER_PORT_DST); } /* disable TCP window tracking for recovered connections if required */ if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) { uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM; if (!CONFIG(sync).tcp_window_tracking) flags |= IP_CT_TCP_FLAG_BE_LIBERAL; else flags |= IP_CT_TCP_FLAG_WINDOW_SCALE; /* FIXME: workaround, we should send TCP flags in updates */ if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT) { flags |= IP_CT_TCP_FLAG_CLOSE_INIT; } nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags); nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags); nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags); nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags); } ret = nfct_query(h, NFCT_Q_UPDATE, ct); nfct_destroy(ct); return ret; }
int nl_dump_conntrack_table(struct nfct_handle *h) { return nfct_query(h, NFCT_Q_DUMP, &family); }
int main(void) { int ret; struct nfct_handle *h; struct nf_conntrack *master, *expected, *mask, *nat; struct nf_expect *exp; /* * Step 1: Setup master conntrack */ master = nfct_new(); if (!master) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(1025)); nfct_set_attr_u16(master, ATTR_PORT_DST, htons(21)); nfct_setobjopt(master, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_ESTABLISHED); nfct_set_attr_u32(master, ATTR_TIMEOUT, 200); nfct_set_attr(master, ATTR_HELPER_NAME, "ftp"); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); nfct_destroy(master); return -1; } ret = nfct_query(h, NFCT_Q_CREATE, master); printf("TEST: add master conntrack "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); expected = nfct_new(); if (!expected) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0); nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241)); mask = nfct_new(); if (!mask) { perror("nfct_new"); nfct_destroy(master); nfct_destroy(expected); exit(EXIT_FAILURE); } nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff); nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff); nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000); nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff); nat = nfct_new(); if (!nat) { perror("nfct_new"); nfct_destroy(mask); nfct_destroy(master); nfct_destroy(expected); exit(EXIT_FAILURE); } nfct_set_attr_u8(nat, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(nat, ATTR_IPV4_SRC, inet_addr("3.3.3.3")); nfct_set_attr_u32(nat, ATTR_IPV4_DST, 0); nfct_set_attr_u8(nat, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(nat, ATTR_PORT_SRC, 12345); nfct_set_attr_u16(nat, ATTR_PORT_DST, 0); /* * Step 2: Setup expectation */ exp = nfexp_new(); if (!exp) { perror("nfexp_new"); nfct_destroy(master); nfct_destroy(expected); nfct_destroy(mask); exit(EXIT_FAILURE); } nfexp_set_attr(exp, ATTR_EXP_MASTER, master); nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected); nfexp_set_attr(exp, ATTR_EXP_MASK, mask); nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat); nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, 0); nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200); nfct_destroy(master); nfct_destroy(expected); nfct_destroy(mask); nfct_destroy(nat); h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfexp_query(h, NFCT_Q_CREATE, exp); printf("TEST: create expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }