3
* Shared library add-on to iptables for conntrack matching support.
5
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
6
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
7
* Jan Engelhardt <jengelh@computergmbh.de>
9
#include <sys/socket.h>
10
#include <sys/types.h>
20
#include <linux/netfilter.h>
21
#include <linux/netfilter/xt_conntrack.h>
22
#include <linux/netfilter/nf_conntrack_common.h>
23
#include <arpa/inet.h>
25
/* Function which prints out usage message. */
26
static void conntrack_mt_help(void)
29
"conntrack match options:\n"
30
"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
31
" State(s) to match\n"
32
"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
33
"[!] --ctorigsrc address[/mask]\n"
34
"[!] --ctorigdst address[/mask]\n"
35
"[!] --ctreplsrc address[/mask]\n"
36
"[!] --ctrepldst address[/mask]\n"
37
" Original/Reply source/destination address\n"
38
"[!] --ctorigsrcport port\n"
39
"[!] --ctorigdstport port\n"
40
"[!] --ctreplsrcport port\n"
41
"[!] --ctrepldstport port\n"
42
" TCP/UDP/SCTP orig./reply source/destination port\n"
43
"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
44
" Status(es) to match\n"
45
"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
46
" value or range of values (inclusive)\n"
47
" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n");
50
static const struct option conntrack_mt_opts_v0[] = {
51
{.name = "ctstate", .has_arg = true, .val = '1'},
52
{.name = "ctproto", .has_arg = true, .val = '2'},
53
{.name = "ctorigsrc", .has_arg = true, .val = '3'},
54
{.name = "ctorigdst", .has_arg = true, .val = '4'},
55
{.name = "ctreplsrc", .has_arg = true, .val = '5'},
56
{.name = "ctrepldst", .has_arg = true, .val = '6'},
57
{.name = "ctstatus", .has_arg = true, .val = '7'},
58
{.name = "ctexpire", .has_arg = true, .val = '8'},
62
static const struct option conntrack_mt_opts[] = {
63
{.name = "ctstate", .has_arg = true, .val = '1'},
64
{.name = "ctproto", .has_arg = true, .val = '2'},
65
{.name = "ctorigsrc", .has_arg = true, .val = '3'},
66
{.name = "ctorigdst", .has_arg = true, .val = '4'},
67
{.name = "ctreplsrc", .has_arg = true, .val = '5'},
68
{.name = "ctrepldst", .has_arg = true, .val = '6'},
69
{.name = "ctstatus", .has_arg = true, .val = '7'},
70
{.name = "ctexpire", .has_arg = true, .val = '8'},
71
{.name = "ctorigsrcport", .has_arg = true, .val = 'a'},
72
{.name = "ctorigdstport", .has_arg = true, .val = 'b'},
73
{.name = "ctreplsrcport", .has_arg = true, .val = 'c'},
74
{.name = "ctrepldstport", .has_arg = true, .val = 'd'},
75
{.name = "ctdir", .has_arg = true, .val = 'e'},
80
parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
82
if (strncasecmp(state, "INVALID", len) == 0)
83
sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
84
else if (strncasecmp(state, "NEW", len) == 0)
85
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
86
else if (strncasecmp(state, "ESTABLISHED", len) == 0)
87
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
88
else if (strncasecmp(state, "RELATED", len) == 0)
89
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
90
else if (strncasecmp(state, "UNTRACKED", len) == 0)
91
sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
92
else if (strncasecmp(state, "SNAT", len) == 0)
93
sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
94
else if (strncasecmp(state, "DNAT", len) == 0)
95
sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
102
parse_states(const char *arg, struct xt_conntrack_info *sinfo)
106
while ((comma = strchr(arg, ',')) != NULL) {
107
if (comma == arg || !parse_state(arg, comma-arg, sinfo))
108
exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
112
if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
113
exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
117
conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state,
120
if (strncasecmp(state, "INVALID", z) == 0)
121
info->state_mask |= XT_CONNTRACK_STATE_INVALID;
122
else if (strncasecmp(state, "NEW", z) == 0)
123
info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
124
else if (strncasecmp(state, "ESTABLISHED", z) == 0)
125
info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
126
else if (strncasecmp(state, "RELATED", z) == 0)
127
info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
128
else if (strncasecmp(state, "UNTRACKED", z) == 0)
129
info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED;
130
else if (strncasecmp(state, "SNAT", z) == 0)
131
info->state_mask |= XT_CONNTRACK_STATE_SNAT;
132
else if (strncasecmp(state, "DNAT", z) == 0)
133
info->state_mask |= XT_CONNTRACK_STATE_DNAT;
140
conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg)
144
while ((comma = strchr(arg, ',')) != NULL) {
145
if (comma == arg || !conntrack_ps_state(info, arg, comma - arg))
146
exit_error(PARAMETER_PROBLEM,
147
"Bad ctstate \"%s\"", arg);
151
if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg)))
152
exit_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
156
parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
158
if (strncasecmp(status, "NONE", len) == 0)
159
sinfo->statusmask |= 0;
160
else if (strncasecmp(status, "EXPECTED", len) == 0)
161
sinfo->statusmask |= IPS_EXPECTED;
162
else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
163
sinfo->statusmask |= IPS_SEEN_REPLY;
164
else if (strncasecmp(status, "ASSURED", len) == 0)
165
sinfo->statusmask |= IPS_ASSURED;
167
else if (strncasecmp(status, "CONFIRMED", len) == 0)
168
sinfo->statusmask |= IPS_CONFIRMED;
176
parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
180
while ((comma = strchr(arg, ',')) != NULL) {
181
if (comma == arg || !parse_status(arg, comma-arg, sinfo))
182
exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
186
if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
187
exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
191
conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status,
194
if (strncasecmp(status, "NONE", z) == 0)
195
info->status_mask |= 0;
196
else if (strncasecmp(status, "EXPECTED", z) == 0)
197
info->status_mask |= IPS_EXPECTED;
198
else if (strncasecmp(status, "SEEN_REPLY", z) == 0)
199
info->status_mask |= IPS_SEEN_REPLY;
200
else if (strncasecmp(status, "ASSURED", z) == 0)
201
info->status_mask |= IPS_ASSURED;
202
else if (strncasecmp(status, "CONFIRMED", z) == 0)
203
info->status_mask |= IPS_CONFIRMED;
210
conntrack_ps_statuses(struct xt_conntrack_mtinfo1 *info, const char *arg)
214
while ((comma = strchr(arg, ',')) != NULL) {
215
if (comma == arg || !conntrack_ps_status(info, arg, comma - arg))
216
exit_error(PARAMETER_PROBLEM,
217
"Bad ctstatus \"%s\"", arg);
221
if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg)))
222
exit_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
226
parse_expire(const char *s)
230
if (string_to_number(s, 0, 0, &len) == -1)
231
exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
236
/* If a single value is provided, min and max are both set to the value */
238
parse_expires(const char *s, struct xt_conntrack_info *sinfo)
244
if ((cp = strchr(buffer, ':')) == NULL)
245
sinfo->expires_min = sinfo->expires_max =
246
parse_expire(buffer);
251
sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
252
sinfo->expires_max = cp[0]
258
if (sinfo->expires_min > sinfo->expires_max)
259
exit_error(PARAMETER_PROBLEM,
260
"expire min. range value `%lu' greater than max. "
261
"range value `%lu'", sinfo->expires_min, sinfo->expires_max);
265
conntrack_ps_expires(struct xt_conntrack_mtinfo1 *info, const char *s)
267
unsigned int min, max;
270
if (!strtonum(s, &end, &min, 0, ~0))
271
param_act(P_BAD_VALUE, "conntrack", "--expires", s);
274
if (!strtonum(s, &end, &max, 0, ~0U))
275
param_act(P_BAD_VALUE, "conntrack", "--expires", s);
277
param_act(P_BAD_VALUE, "conntrack", "--expires", s);
280
exit_error(PARAMETER_PROBLEM,
281
"expire min. range value \"%u\" greater than max. "
282
"range value \"%u\"", min, max);
284
info->expires_min = min;
285
info->expires_max = max;
288
/* Function which parses command options; returns true if it
290
static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
291
const void *entry, struct xt_entry_match **match)
293
struct xt_conntrack_info *sinfo = (void *)(*match)->data;
294
char *protocol = NULL;
295
unsigned int naddrs = 0;
296
struct in_addr *addrs = NULL;
301
check_inverse(optarg, &invert, &optind, 0);
303
parse_states(argv[optind-1], sinfo);
305
sinfo->invflags |= XT_CONNTRACK_STATE;
307
sinfo->flags |= XT_CONNTRACK_STATE;
311
check_inverse(optarg, &invert, &optind, 0);
314
sinfo->invflags |= XT_CONNTRACK_PROTO;
316
/* Canonicalize into lower case */
317
for (protocol = argv[optind-1]; *protocol; protocol++)
318
*protocol = tolower(*protocol);
320
protocol = argv[optind-1];
321
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
323
if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
324
&& (sinfo->invflags & XT_INV_PROTO))
325
exit_error(PARAMETER_PROBLEM,
326
"rule would never match protocol");
328
sinfo->flags |= XT_CONNTRACK_PROTO;
332
check_inverse(optarg, &invert, &optind, 0);
335
sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
337
ipparse_hostnetworkmask(argv[optind-1], &addrs,
338
&sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
341
exit_error(PARAMETER_PROBLEM,
342
"multiple IP addresses not allowed");
345
sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
348
sinfo->flags |= XT_CONNTRACK_ORIGSRC;
352
check_inverse(optarg, &invert, &optind, 0);
355
sinfo->invflags |= XT_CONNTRACK_ORIGDST;
357
ipparse_hostnetworkmask(argv[optind-1], &addrs,
358
&sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
361
exit_error(PARAMETER_PROBLEM,
362
"multiple IP addresses not allowed");
365
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
368
sinfo->flags |= XT_CONNTRACK_ORIGDST;
372
check_inverse(optarg, &invert, &optind, 0);
375
sinfo->invflags |= XT_CONNTRACK_REPLSRC;
377
ipparse_hostnetworkmask(argv[optind-1], &addrs,
378
&sinfo->sipmsk[IP_CT_DIR_REPLY],
381
exit_error(PARAMETER_PROBLEM,
382
"multiple IP addresses not allowed");
385
sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
388
sinfo->flags |= XT_CONNTRACK_REPLSRC;
392
check_inverse(optarg, &invert, &optind, 0);
395
sinfo->invflags |= XT_CONNTRACK_REPLDST;
397
ipparse_hostnetworkmask(argv[optind-1], &addrs,
398
&sinfo->dipmsk[IP_CT_DIR_REPLY],
401
exit_error(PARAMETER_PROBLEM,
402
"multiple IP addresses not allowed");
405
sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
408
sinfo->flags |= XT_CONNTRACK_REPLDST;
412
check_inverse(optarg, &invert, &optind, 0);
414
parse_statuses(argv[optind-1], sinfo);
416
sinfo->invflags |= XT_CONNTRACK_STATUS;
418
sinfo->flags |= XT_CONNTRACK_STATUS;
422
check_inverse(optarg, &invert, &optind, 0);
424
parse_expires(argv[optind-1], sinfo);
426
sinfo->invflags |= XT_CONNTRACK_EXPIRES;
428
sinfo->flags |= XT_CONNTRACK_EXPIRES;
435
*flags = sinfo->flags;
440
conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags,
441
struct xt_entry_match **match)
443
struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
448
case '1': /* --ctstate */
449
conntrack_ps_states(info, optarg);
450
info->match_flags |= XT_CONNTRACK_STATE;
452
info->invert_flags |= XT_CONNTRACK_STATE;
455
case '2': /* --ctproto */
456
/* Canonicalize into lower case */
457
for (p = optarg; *p != '\0'; ++p)
459
info->l4proto = parse_protocol(optarg);
461
if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
462
exit_error(PARAMETER_PROBLEM, "conntrack: rule would "
463
"never match protocol");
465
info->match_flags |= XT_CONNTRACK_PROTO;
467
info->invert_flags |= XT_CONNTRACK_PROTO;
470
case '7': /* --ctstatus */
471
conntrack_ps_statuses(info, optarg);
472
info->match_flags |= XT_CONNTRACK_STATUS;
474
info->invert_flags |= XT_CONNTRACK_STATUS;
477
case '8': /* --ctexpire */
478
conntrack_ps_expires(info, optarg);
479
info->match_flags |= XT_CONNTRACK_EXPIRES;
481
info->invert_flags |= XT_CONNTRACK_EXPIRES;
484
case 'a': /* --ctorigsrcport */
485
if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
486
param_act(P_BAD_VALUE, "conntrack",
487
"--ctorigsrcport", optarg);
488
info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
489
info->origsrc_port = htons(port);
491
info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
494
case 'b': /* --ctorigdstport */
495
if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
496
param_act(P_BAD_VALUE, "conntrack",
497
"--ctorigdstport", optarg);
498
info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
499
info->origdst_port = htons(port);
501
info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
504
case 'c': /* --ctreplsrcport */
505
if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
506
param_act(P_BAD_VALUE, "conntrack",
507
"--ctreplsrcport", optarg);
508
info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
509
info->replsrc_port = htons(port);
511
info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
514
case 'd': /* --ctrepldstport */
515
if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
516
param_act(P_BAD_VALUE, "conntrack",
517
"--ctrepldstport", optarg);
518
info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
519
info->repldst_port = htons(port);
521
info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
524
case 'e': /* --ctdir */
525
param_act(P_NO_INVERT, "conntrack", "--ctdir", invert);
526
if (strcasecmp(optarg, "ORIGINAL") == 0) {
527
info->match_flags |= XT_CONNTRACK_DIRECTION;
528
info->invert_flags &= ~XT_CONNTRACK_DIRECTION;
529
} else if (strcasecmp(optarg, "REPLY") == 0) {
530
info->match_flags |= XT_CONNTRACK_DIRECTION;
531
info->invert_flags |= XT_CONNTRACK_DIRECTION;
533
param_act(P_BAD_VALUE, "conntrack", "--ctdir", optarg);
541
*flags = info->match_flags;
546
conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
547
const void *entry, struct xt_entry_match **match)
549
struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
550
struct in_addr *addr = NULL;
551
unsigned int naddrs = 0;
554
case '3': /* --ctorigsrc */
555
ipparse_hostnetworkmask(optarg, &addr, &info->origsrc_mask.in,
558
exit_error(PARAMETER_PROBLEM,
559
"multiple IP addresses not allowed");
561
memcpy(&info->origsrc_addr.in, addr, sizeof(*addr));
562
info->match_flags |= XT_CONNTRACK_ORIGSRC;
564
info->invert_flags |= XT_CONNTRACK_ORIGSRC;
567
case '4': /* --ctorigdst */
568
ipparse_hostnetworkmask(optarg, &addr, &info->origdst_mask.in,
571
exit_error(PARAMETER_PROBLEM,
572
"multiple IP addresses not allowed");
574
memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
575
info->match_flags |= XT_CONNTRACK_ORIGDST;
577
info->invert_flags |= XT_CONNTRACK_ORIGDST;
580
case '5': /* --ctreplsrc */
581
ipparse_hostnetworkmask(optarg, &addr, &info->replsrc_mask.in,
584
exit_error(PARAMETER_PROBLEM,
585
"multiple IP addresses not allowed");
587
memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
588
info->match_flags |= XT_CONNTRACK_REPLSRC;
590
info->invert_flags |= XT_CONNTRACK_REPLSRC;
593
case '6': /* --ctrepldst */
594
ipparse_hostnetworkmask(optarg, &addr, &info->repldst_mask.in,
597
exit_error(PARAMETER_PROBLEM,
598
"multiple IP addresses not allowed");
600
memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
601
info->match_flags |= XT_CONNTRACK_REPLDST;
603
info->invert_flags |= XT_CONNTRACK_REPLDST;
608
return conntrack_mt_parse(c, argv, invert, flags, match);
611
*flags = info->match_flags;
616
conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
617
const void *entry, struct xt_entry_match **match)
619
struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
620
struct in6_addr *addr = NULL;
621
unsigned int naddrs = 0;
624
case '3': /* --ctorigsrc */
625
ip6parse_hostnetworkmask(optarg, &addr,
626
&info->origsrc_mask.in6, &naddrs);
628
exit_error(PARAMETER_PROBLEM,
629
"multiple IP addresses not allowed");
631
memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr));
632
info->match_flags |= XT_CONNTRACK_ORIGSRC;
634
info->invert_flags |= XT_CONNTRACK_ORIGSRC;
637
case '4': /* --ctorigdst */
638
ip6parse_hostnetworkmask(optarg, &addr,
639
&info->origdst_mask.in6, &naddrs);
641
exit_error(PARAMETER_PROBLEM,
642
"multiple IP addresses not allowed");
644
memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
645
info->match_flags |= XT_CONNTRACK_ORIGDST;
647
info->invert_flags |= XT_CONNTRACK_ORIGDST;
650
case '5': /* --ctreplsrc */
651
ip6parse_hostnetworkmask(optarg, &addr,
652
&info->replsrc_mask.in6, &naddrs);
654
exit_error(PARAMETER_PROBLEM,
655
"multiple IP addresses not allowed");
657
memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
658
info->match_flags |= XT_CONNTRACK_REPLSRC;
660
info->invert_flags |= XT_CONNTRACK_REPLSRC;
663
case '6': /* --ctrepldst */
664
ip6parse_hostnetworkmask(optarg, &addr,
665
&info->repldst_mask.in6, &naddrs);
667
exit_error(PARAMETER_PROBLEM,
668
"multiple IP addresses not allowed");
670
memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
671
info->match_flags |= XT_CONNTRACK_REPLDST;
673
info->invert_flags |= XT_CONNTRACK_REPLDST;
678
return conntrack_mt_parse(c, argv, invert, flags, match);
681
*flags = info->match_flags;
685
static void conntrack_mt_check(unsigned int flags)
688
exit_error(PARAMETER_PROBLEM, "conntrack: At least one option "
693
print_state(unsigned int statemask)
695
const char *sep = "";
697
if (statemask & XT_CONNTRACK_STATE_INVALID) {
698
printf("%sINVALID", sep);
701
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
702
printf("%sNEW", sep);
705
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
706
printf("%sRELATED", sep);
709
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
710
printf("%sESTABLISHED", sep);
713
if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
714
printf("%sUNTRACKED", sep);
717
if (statemask & XT_CONNTRACK_STATE_SNAT) {
718
printf("%sSNAT", sep);
721
if (statemask & XT_CONNTRACK_STATE_DNAT) {
722
printf("%sDNAT", sep);
729
print_status(unsigned int statusmask)
731
const char *sep = "";
733
if (statusmask & IPS_EXPECTED) {
734
printf("%sEXPECTED", sep);
737
if (statusmask & IPS_SEEN_REPLY) {
738
printf("%sSEEN_REPLY", sep);
741
if (statusmask & IPS_ASSURED) {
742
printf("%sASSURED", sep);
745
if (statusmask & IPS_CONFIRMED) {
746
printf("%sCONFIRMED", sep);
750
printf("%sNONE", sep);
755
conntrack_dump_addr(const union nf_inet_addr *addr,
756
const union nf_inet_addr *mask,
757
unsigned int family, bool numeric)
759
if (family == AF_INET) {
760
if (!numeric && addr->ip == 0) {
764
printf("%s ", ipaddr_to_anyname(&addr->in));
765
} else if (family == AF_INET6) {
766
if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
767
addr->ip6[2] == 0 && addr->ip6[3] == 0) {
771
printf("%s ", ip6addr_to_anyname(&addr->in6));
776
print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
783
if (mask->s_addr == 0L && !numeric)
784
printf("%s ", "anywhere");
787
sprintf(buf, "%s", ipaddr_to_numeric(addr));
789
sprintf(buf, "%s", ipaddr_to_anyname(addr));
790
strcat(buf, ipmask_to_numeric(mask));
795
/* Saves the matchinfo in parsable form to stdout. */
797
matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
799
struct xt_conntrack_info *sinfo = (void *)match->data;
801
if(sinfo->flags & XT_CONNTRACK_STATE) {
802
if (sinfo->invflags & XT_CONNTRACK_STATE)
804
printf("%sctstate ", optpfx);
805
print_state(sinfo->statemask);
808
if(sinfo->flags & XT_CONNTRACK_PROTO) {
809
if (sinfo->invflags & XT_CONNTRACK_PROTO)
811
printf("%sctproto ", optpfx);
812
printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
815
if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
816
if (sinfo->invflags & XT_CONNTRACK_ORIGSRC)
818
printf("%sctorigsrc ", optpfx);
821
(struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
822
&sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
827
if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
828
if (sinfo->invflags & XT_CONNTRACK_ORIGDST)
830
printf("%sctorigdst ", optpfx);
833
(struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
834
&sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
839
if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
840
if (sinfo->invflags & XT_CONNTRACK_REPLSRC)
842
printf("%sctreplsrc ", optpfx);
845
(struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
846
&sinfo->sipmsk[IP_CT_DIR_REPLY],
851
if(sinfo->flags & XT_CONNTRACK_REPLDST) {
852
if (sinfo->invflags & XT_CONNTRACK_REPLDST)
854
printf("%sctrepldst ", optpfx);
857
(struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
858
&sinfo->dipmsk[IP_CT_DIR_REPLY],
863
if(sinfo->flags & XT_CONNTRACK_STATUS) {
864
if (sinfo->invflags & XT_CONNTRACK_STATUS)
866
printf("%sctstatus ", optpfx);
867
print_status(sinfo->statusmask);
870
if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
871
if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
873
printf("%sctexpire ", optpfx);
875
if (sinfo->expires_max == sinfo->expires_min)
876
printf("%lu ", sinfo->expires_min);
878
printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
883
conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
884
unsigned int family, bool numeric)
886
if (info->match_flags & XT_CONNTRACK_STATE) {
887
if (info->invert_flags & XT_CONNTRACK_STATE)
889
printf("%sctstate ", prefix);
890
print_state(info->state_mask);
893
if (info->match_flags & XT_CONNTRACK_PROTO) {
894
if (info->invert_flags & XT_CONNTRACK_PROTO)
896
printf("%sctproto %u ", prefix, info->l4proto);
899
if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
900
if (info->invert_flags & XT_CONNTRACK_PROTO)
902
printf("%sctorigsrc ", prefix);
903
conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
907
if (info->match_flags & XT_CONNTRACK_ORIGDST) {
908
if (info->invert_flags & XT_CONNTRACK_PROTO)
910
printf("%sctorigdst ", prefix);
911
conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
915
if (info->match_flags & XT_CONNTRACK_REPLSRC) {
916
if (info->invert_flags & XT_CONNTRACK_PROTO)
918
printf("%sctreplsrc ", prefix);
919
conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
923
if (info->match_flags & XT_CONNTRACK_REPLDST) {
924
if (info->invert_flags & XT_CONNTRACK_PROTO)
926
printf("%sctrepldst ", prefix);
927
conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
931
if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) {
932
if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT)
934
printf("%sctorigsrcport %u ", prefix,
935
ntohs(info->origsrc_port));
938
if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) {
939
if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT)
941
printf("%sctorigdstport %u ", prefix,
942
ntohs(info->origdst_port));
945
if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) {
946
if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT)
948
printf("%sctreplsrcport %u ", prefix,
949
ntohs(info->replsrc_port));
952
if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) {
953
if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT)
955
printf("%sctrepldstport %u ", prefix,
956
ntohs(info->repldst_port));
959
if (info->match_flags & XT_CONNTRACK_STATUS) {
960
if (info->invert_flags & XT_CONNTRACK_STATUS)
962
printf("%sctstatus ", prefix);
963
print_status(info->status_mask);
966
if (info->match_flags & XT_CONNTRACK_EXPIRES) {
967
if (info->invert_flags & XT_CONNTRACK_EXPIRES)
969
printf("%sctexpire ", prefix);
971
if (info->expires_max == info->expires_min)
972
printf("%u ", (unsigned int)info->expires_min);
974
printf("%u:%u ", (unsigned int)info->expires_min,
975
(unsigned int)info->expires_max);
979
/* Prints out the matchinfo. */
980
static void conntrack_print(const void *ip, const struct xt_entry_match *match,
983
matchinfo_print(ip, match, numeric, "");
987
conntrack_mt_print(const void *ip, const struct xt_entry_match *match,
990
conntrack_dump((const void *)match->data, "", AF_INET, numeric);
994
conntrack_mt6_print(const void *ip, const struct xt_entry_match *match,
997
conntrack_dump((const void *)match->data, "", AF_INET6, numeric);
1000
/* Saves the matchinfo in parsable form to stdout. */
1001
static void conntrack_save(const void *ip, const struct xt_entry_match *match)
1003
matchinfo_print(ip, match, 1, "--");
1006
static void conntrack_mt_save(const void *ip,
1007
const struct xt_entry_match *match)
1009
conntrack_dump((const void *)match->data, "--", AF_INET, true);
1012
static void conntrack_mt6_save(const void *ip,
1013
const struct xt_entry_match *match)
1015
conntrack_dump((const void *)match->data, "--", AF_INET6, true);
1018
static struct xtables_match conntrack_match = {
1019
.version = XTABLES_VERSION,
1020
.name = "conntrack",
1023
.size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1024
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1025
.help = conntrack_mt_help,
1026
.parse = conntrack_parse,
1027
.final_check = conntrack_mt_check,
1028
.print = conntrack_print,
1029
.save = conntrack_save,
1030
.extra_opts = conntrack_mt_opts_v0,
1033
static struct xtables_match conntrack_mt_reg = {
1034
.version = XTABLES_VERSION,
1035
.name = "conntrack",
1038
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1039
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1040
.help = conntrack_mt_help,
1041
.parse = conntrack_mt4_parse,
1042
.final_check = conntrack_mt_check,
1043
.print = conntrack_mt_print,
1044
.save = conntrack_mt_save,
1045
.extra_opts = conntrack_mt_opts,
1048
static struct xtables_match conntrack_mt6_reg = {
1049
.version = XTABLES_VERSION,
1050
.name = "conntrack",
1053
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1054
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1055
.help = conntrack_mt_help,
1056
.parse = conntrack_mt6_parse,
1057
.final_check = conntrack_mt_check,
1058
.print = conntrack_mt6_print,
1059
.save = conntrack_mt6_save,
1060
.extra_opts = conntrack_mt_opts,
1065
xtables_register_match(&conntrack_match);
1066
xtables_register_match(&conntrack_mt_reg);
1067
xtables_register_match(&conntrack_mt6_reg);