static void test_nfct_cmp_api(struct nf_conntrack *ct1, struct nf_conntrack *ct2) { int i; printf("== test cmp API ==\n"); test_nfct_cmp_attr(ATTR_ZONE); test_nfct_cmp_attr(ATTR_ORIG_ZONE); test_nfct_cmp_attr(ATTR_REPL_ZONE); test_nfct_cmp_attr(ATTR_MARK); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 0); nfct_copy(ct1, ct2, NFCT_CP_OVERRIDE); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 1); for (i=0; i < ATTR_MAX ; i++) { nfct_attr_unset(ct1, i); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 0); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_MASK) == 1); } nfct_copy(ct1, ct2, NFCT_CP_OVERRIDE); for (i=0; i < ATTR_MAX ; i++) { nfct_attr_unset(ct2, i); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 0); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_MASK) == 0); } for (i=0; i < ATTR_MAX ; i++) assert(test_nfct_cmp_api_single(ct1, ct2, i) == 0); nfct_copy(ct2, ct1, NFCT_CP_OVERRIDE); for (i=0; i < ATTR_MAX ; i++) { nfct_attr_unset(ct1, i); nfct_attr_unset(ct2, i); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL) == 1); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_STRICT) == 1); assert(nfct_cmp(ct1, ct2, NFCT_CMP_ALL|NFCT_CMP_MASK) == 1); } nfct_destroy(ct1); nfct_destroy(ct2); }
static int do_dump(void *data1, void *n) { char buf[1024]; int size; struct __dump_container *container = data1; struct cache_object *obj = n; char *data = obj->data; unsigned i; /* * XXX: Do not dump the entries that are scheduled to expire. * These entries talk about already destroyed connections * that we keep for some time just in case that we have to * resent some lost messages. We do not show them to the * user as he may think that the firewall replicas are not * in sync. The branch below is a hack as it is quite * specific and it breaks conntrackd modularity. Probably * there's a nicer way to do this but until I come up with it... */ if (CONFIG(flags) & CTD_SYNC_FTFW && obj->status == C_OBJ_DEAD) return 0; /* do not show cached timeout, this may confuse users */ if (nfct_attr_is_set(obj->ct, ATTR_TIMEOUT)) nfct_attr_unset(obj->ct, ATTR_TIMEOUT); memset(buf, 0, sizeof(buf)); size = nfct_snprintf(buf, sizeof(buf), obj->ct, NFCT_T_UNKNOWN, container->type, 0); for (i = 0; i < obj->cache->num_features; i++) { if (obj->cache->features[i]->dump) { size += obj->cache->features[i]->dump(obj, data, buf+size, container->type); data += obj->cache->features[i]->size; } } if (container->type != NFCT_O_XML) { long tm = time(NULL); size += sprintf(buf+size, " [active since %lds]", tm - obj->lifetime); } size += sprintf(buf+size, "\n"); if (send(container->fd, buf, size, 0) == -1) { if (errno != EPIPE) return -1; } return 0; }
int nl_update_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig, int timeout) { int ret; struct nf_conntrack *ct; ct = nfct_clone(orig); if (ct == NULL) return -1; if (timeout > 0) nfct_set_attr_u32(ct, ATTR_TIMEOUT, timeout); /* unset NAT info, otherwise we hit error */ nfct_attr_unset(ct, ATTR_SNAT_IPV4); nfct_attr_unset(ct, ATTR_DNAT_IPV4); nfct_attr_unset(ct, ATTR_SNAT_PORT); nfct_attr_unset(ct, ATTR_DNAT_PORT); if (nfct_attr_is_set(ct, ATTR_STATUS)) { uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS); status &= ~IPS_NAT_MASK; nfct_set_attr_u32(ct, ATTR_STATUS, status); } /* we have to unset the helper to avoid EBUSY in reset timers */ if (nfct_attr_is_set(ct, ATTR_HELPER_NAME)) nfct_attr_unset(ct, ATTR_HELPER_NAME); /* we hit error if we try to update the master conntrack */ if (ct_is_related(ct)) { nfct_attr_unset(ct, ATTR_MASTER_L3PROTO); nfct_attr_unset(ct, ATTR_MASTER_L4PROTO); nfct_attr_unset(ct, ATTR_MASTER_IPV4_SRC); nfct_attr_unset(ct, ATTR_MASTER_IPV4_DST); nfct_attr_unset(ct, ATTR_MASTER_IPV6_SRC); nfct_attr_unset(ct, ATTR_MASTER_IPV6_DST); nfct_attr_unset(ct, ATTR_MASTER_PORT_SRC); nfct_attr_unset(ct, ATTR_MASTER_PORT_DST); } /* disable TCP window tracking for recovered connections if required */ if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) { uint8_t flags = IP_CT_TCP_FLAG_SACK_PERM; if (!CONFIG(sync).tcp_window_tracking) flags |= IP_CT_TCP_FLAG_BE_LIBERAL; else flags |= IP_CT_TCP_FLAG_WINDOW_SCALE; /* FIXME: workaround, we should send TCP flags in updates */ if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT) { flags |= IP_CT_TCP_FLAG_CLOSE_INIT; } nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags); nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags); nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags); nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags); } ret = nfct_query(h, NFCT_Q_UPDATE, ct); nfct_destroy(ct); return ret; }