static void test_nfct_cmp_api(struct nf_conntrack *ct1, struct nf_conntrack *ct2)
{
int i;
printf("== test cmp API ==\n");
test_nfct_cmp_attr(ATTR_ZONE);
test_nfct_cmp_attr(ATTR_ORIG_ZONE);
test_nfct_cmp_attr(ATTR_REPL_ZONE);
test_nfct_cmp_attr(ATTR_MARK);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 0);
nfct_copy(ct1, ct2, NFCT_CP_OVERRIDE);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 1);
for (i=0; i < ATTR_MAX ; i++) {
nfct_attr_unset(ct1, i);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 0);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_MASK) == 1);
}
nfct_copy(ct1, ct2, NFCT_CP_OVERRIDE);
for (i=0; i < ATTR_MAX ; i++) {
nfct_attr_unset(ct2, i);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 0);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_MASK) == 0);
}
for (i=0; i < ATTR_MAX ; i++)
assert(test_nfct_cmp_api_single(ct1, ct2, i) == 0);
nfct_copy(ct2, ct1, NFCT_CP_OVERRIDE);
for (i=0; i < ATTR_MAX ; i++) {
nfct_attr_unset(ct1, i);
nfct_attr_unset(ct2, i);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 1);
assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_MASK) == 1);
}
nfct_destroy(ct1);
nfct_destroy(ct2);
}
static int do_dump(void *data1, void *n)
{
char buf[1024];
int size;
struct __dump_container *container = data1;
struct cache_object *obj = n;
char *data = obj->data;
unsigned i;
/*
* XXX: Do not dump the entries that are scheduled to expire.
* These entries talk about already destroyed connections
* that we keep for some time just in case that we have to
* resent some lost messages. We do not show them to the
* user as he may think that the firewall replicas are not
* in sync. The branch below is a hack as it is quite
* specific and it breaks conntrackd modularity. Probably
* there's a nicer way to do this but until I come up with it...
*/
if (CONFIG(flags) & CTD_SYNC_FTFW && obj->status == C_OBJ_DEAD)
return 0;
/* do not show cached timeout, this may confuse users */
if (nfct_attr_is_set(obj->ct, ATTR_TIMEOUT))
nfct_attr_unset(obj->ct, ATTR_TIMEOUT);
memset(buf, 0, sizeof(buf));
size = nfct_snprintf(buf,
sizeof(buf),
obj->ct,
NFCT_T_UNKNOWN,
container->type,
0);
for (i = 0; i < obj->cache->num_features; i++) {
if (obj->cache->features[i]->dump) {
size += obj->cache->features[i]->dump(obj,
data,
buf+size,
container->type);
data += obj->cache->features[i]->size;
}
}
if (container->type != NFCT_O_XML) {
long tm = time(NULL);
size += sprintf(buf+size, " [active since %lds]",
tm - obj->lifetime);
}
size += sprintf(buf+size, "\n");
if (send(container->fd, buf, size, 0) == -1) {
if (errno != EPIPE)
return -1;
}
return 0;
}
int nl_update_conntrack(struct nfct_handle *h,
const struct nf_conntrack *orig,
int timeout)
{
int ret;
struct nf_conntrack *ct;
ct = nfct_clone(orig);
if (ct == NULL)
return -1;
if (timeout > 0)
nfct_set_attr_u32(ct, ATTR_TIMEOUT, timeout);
/* unset NAT info, otherwise we hit error */
nfct_attr_unset(ct, ATTR_SNAT_IPV4);
nfct_attr_unset(ct, ATTR_DNAT_IPV4);
nfct_attr_unset(ct, ATTR_SNAT_PORT);
nfct_attr_unset(ct, ATTR_DNAT_PORT);
if (nfct_attr_is_set(ct, ATTR_STATUS)) {
uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS);
status &= ~IPS_NAT_MASK;
nfct_set_attr_u32(ct, ATTR_STATUS, status);
}
/* we have to unset the helper to avoid EBUSY in reset timers */
if (nfct_attr_is_set(ct, ATTR_HELPER_NAME))
nfct_attr_unset(ct, ATTR_HELPER_NAME);
/* we hit error if we try to update the master conntrack */
if (ct_is_related(ct)) {
nfct_attr_unset(ct, ATTR_MASTER_L3PROTO);
nfct_attr_unset(ct, ATTR_MASTER_L4PROTO);
nfct_attr_unset(ct, ATTR_MASTER_IPV4_SRC);
nfct_attr_unset(ct, ATTR_MASTER_IPV4_DST);
nfct_attr_unset(ct, ATTR_MASTER_IPV6_SRC);
nfct_attr_unset(ct, ATTR_MASTER_IPV6_DST);
nfct_attr_unset(ct, ATTR_MASTER_PORT_SRC);
nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
}
/* disable TCP window tracking for recovered connections if required */
if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM;
if (!CONFIG(sync).tcp_window_tracking)
flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
else
flags |= IP_CT_TCP_FLAG_WINDOW_SCALE;
/* FIXME: workaround, we should send TCP flags in updates */
if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >=
TCP_CONNTRACK_TIME_WAIT) {
flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
}
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
}
ret = nfct_query(h, NFCT_Q_UPDATE, ct);
nfct_destroy(ct);
return ret;
}
