/*
 * ignore_conntrack - decide whether a conntrack entry is skipped.
 *
 * Returns 1 when the entry must be ignored, 0 when it is accepted.
 * The checks are ordered: a protocol that is configured as ignored wins,
 * then NAT'ed flows are accepted (they are not really addressed to the
 * local machine), then the ignore pool is consulted.
 */
int ignore_conntrack(struct nf_conntrack *ct)
{
	int ignore = 0;
	unsigned int proto = nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO);

	if (CONFIG(ignore_protocol)[proto]) {
		/* this L4 protocol was configured away */
		ignore = 1;
	} else if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
		/* DNAT'ed: accepted, not really coming to the local machine */
		debug_ct(ct, "DNAT");
	} else if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
		/* SNAT'ed: accepted for the same reason */
		debug_ct(ct, "SNAT");
	} else if (ignore_pool_test(STATE(ignore_pool), ct)) {
		/* matched an entry of the configured ignore pool */
		debug_ct(ct, "ignore traffic");
		ignore = 1;
	}

	return ignore;
}
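/*
 * event_cb - conntrack event callback tracking SNAT'ed TCP/UDP flows.
 *
 * @type: kind of conntrack event (NEW, DESTROY, ...).
 * @ct:   the conntrack entry the event refers to.
 * @data: unused callback context.
 *
 * On NEW, the flow's id / original source address / original source port
 * and the current time are remembered in ct_list. On DESTROY, the matching
 * entry is looked up, the SNAT log line is printed with the remembered
 * start time, and the entry is removed from the list.
 *
 * Always returns NFCT_CB_CONTINUE so the event loop keeps running.
 */
static int event_cb(enum nf_conntrack_msg_type type,
		    struct nf_conntrack *ct,
		    void *data) {
   struct conntrack_list *no;
   u_int8_t l4proto;

   (void)data;

   // we are interested only in SNAT connections
   if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
      return NFCT_CB_CONTINUE;

   // We are interested only in TCP/UDP L4 protocols...
   l4proto = nfct_get_attr_u8(ct,ATTR_ORIG_L4PROTO);
   if (l4proto != IPPROTO_TCP && l4proto != IPPROTO_UDP)
      return NFCT_CB_CONTINUE;

   if (verbose_flag) {
      print_verbose(ct, type, proto_str(l4proto));
   }

   switch(type) {
      case NFCT_T_NEW:
         no = malloc(sizeof *no);
         if (!no) {
            // Out of memory: the flow is not tracked, so its DESTROY
            // event will not produce a log line. Keep the loop running
            // rather than dereferencing NULL.
            break;
         }
         no->id = nfct_get_attr_u32(ct,ATTR_ID);
         no->orig_ipv4_src = nfct_get_attr_u32(ct,ATTR_ORIG_IPV4_SRC);
         no->orig_port_src = nfct_get_attr_u16(ct,ATTR_ORIG_PORT_SRC);
         time(&no->timestamp);
         list_add(&ct_list, no);
         break;
      case NFCT_T_DESTROY:
         // The lookup key is the same triple stored on NEW.
         no = list_find(ct_list,
               nfct_get_attr_u32(ct,ATTR_ID),
               nfct_get_attr_u32(ct,ATTR_ORIG_IPV4_SRC),
               nfct_get_attr_u16(ct,ATTR_ORIG_PORT_SRC));
         if (no) {
            print_snatlog(ct, &no->timestamp, proto_str(l4proto));
            list_del(&ct_list,no);
         }
         break;
      default:
         break;
   }

   return NFCT_CB_CONTINUE;
}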