3 * Shared library add-on to iptables for conntrack matching support.
5 * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
6 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
7 * Jan Engelhardt <jengelh@computergmbh.de>
9 #include <sys/socket.h>
10 #include <sys/types.h>
20 #include <linux/netfilter.h>
21 #include <linux/netfilter/xt_conntrack.h>
22 #include <linux/netfilter/nf_conntrack_common.h>
23 #include <arpa/inet.h>
25 /* Function which prints out usage message. */
26 static void conntrack_mt_help(void)
29 "conntrack match options:\n"
30 "[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
31 " State(s) to match\n"
32 "[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
33 "[!] --ctorigsrc address[/mask]\n"
34 "[!] --ctorigdst address[/mask]\n"
35 "[!] --ctreplsrc address[/mask]\n"
36 "[!] --ctrepldst address[/mask]\n"
37 " Original/Reply source/destination address\n"
38 "[!] --ctorigsrcport port\n"
39 "[!] --ctorigdstport port\n"
40 "[!] --ctreplsrcport port\n"
41 "[!] --ctrepldstport port\n"
42 " TCP/UDP/SCTP orig./reply source/destination port\n"
43 "[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
44 " Status(es) to match\n"
45 "[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
46 " value or range of values (inclusive)\n"
47 " --ctdir {ORIGINAL|REPLY} Flow direction of packet\n");
50 static const struct option conntrack_mt_opts_v0[] = {
51 {.name = "ctstate", .has_arg = true, .val = '1'},
52 {.name = "ctproto", .has_arg = true, .val = '2'},
53 {.name = "ctorigsrc", .has_arg = true, .val = '3'},
54 {.name = "ctorigdst", .has_arg = true, .val = '4'},
55 {.name = "ctreplsrc", .has_arg = true, .val = '5'},
56 {.name = "ctrepldst", .has_arg = true, .val = '6'},
57 {.name = "ctstatus", .has_arg = true, .val = '7'},
58 {.name = "ctexpire", .has_arg = true, .val = '8'},
62 static const struct option conntrack_mt_opts[] = {
63 {.name = "ctstate", .has_arg = true, .val = '1'},
64 {.name = "ctproto", .has_arg = true, .val = '2'},
65 {.name = "ctorigsrc", .has_arg = true, .val = '3'},
66 {.name = "ctorigdst", .has_arg = true, .val = '4'},
67 {.name = "ctreplsrc", .has_arg = true, .val = '5'},
68 {.name = "ctrepldst", .has_arg = true, .val = '6'},
69 {.name = "ctstatus", .has_arg = true, .val = '7'},
70 {.name = "ctexpire", .has_arg = true, .val = '8'},
71 {.name = "ctorigsrcport", .has_arg = true, .val = 'a'},
72 {.name = "ctorigdstport", .has_arg = true, .val = 'b'},
73 {.name = "ctreplsrcport", .has_arg = true, .val = 'c'},
74 {.name = "ctrepldstport", .has_arg = true, .val = 'd'},
75 {.name = "ctdir", .has_arg = true, .val = 'e'},
80 parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
82 if (strncasecmp(state, "INVALID", len) == 0)
83 sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
84 else if (strncasecmp(state, "NEW", len) == 0)
85 sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
86 else if (strncasecmp(state, "ESTABLISHED", len) == 0)
87 sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
88 else if (strncasecmp(state, "RELATED", len) == 0)
89 sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
90 else if (strncasecmp(state, "UNTRACKED", len) == 0)
91 sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
92 else if (strncasecmp(state, "SNAT", len) == 0)
93 sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
94 else if (strncasecmp(state, "DNAT", len) == 0)
95 sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
102 parse_states(const char *arg, struct xt_conntrack_info *sinfo)
106 while ((comma = strchr(arg, ',')) != NULL) {
107 if (comma == arg || !parse_state(arg, comma-arg, sinfo))
108 exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
112 if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
113 exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
117 conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state,
120 if (strncasecmp(state, "INVALID", z) == 0)
121 info->state_mask |= XT_CONNTRACK_STATE_INVALID;
122 else if (strncasecmp(state, "NEW", z) == 0)
123 info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
124 else if (strncasecmp(state, "ESTABLISHED", z) == 0)
125 info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
126 else if (strncasecmp(state, "RELATED", z) == 0)
127 info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
128 else if (strncasecmp(state, "UNTRACKED", z) == 0)
129 info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED;
130 else if (strncasecmp(state, "SNAT", z) == 0)
131 info->state_mask |= XT_CONNTRACK_STATE_SNAT;
132 else if (strncasecmp(state, "DNAT", z) == 0)
133 info->state_mask |= XT_CONNTRACK_STATE_DNAT;
140 conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg)
144 while ((comma = strchr(arg, ',')) != NULL) {
145 if (comma == arg || !conntrack_ps_state(info, arg, comma - arg))
146 exit_error(PARAMETER_PROBLEM,
147 "Bad ctstate \"%s\"", arg);
151 if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg)))
152 exit_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
156 parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
158 if (strncasecmp(status, "NONE", len) == 0)
159 sinfo->statusmask |= 0;
160 else if (strncasecmp(status, "EXPECTED", len) == 0)
161 sinfo->statusmask |= IPS_EXPECTED;
162 else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
163 sinfo->statusmask |= IPS_SEEN_REPLY;
164 else if (strncasecmp(status, "ASSURED", len) == 0)
165 sinfo->statusmask |= IPS_ASSURED;
167 else if (strncasecmp(status, "CONFIRMED", len) == 0)
168 sinfo->statusmask |= IPS_CONFIRMED;
176 parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
180 while ((comma = strchr(arg, ',')) != NULL) {
181 if (comma == arg || !parse_status(arg, comma-arg, sinfo))
182 exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
186 if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
187 exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
191 conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status,
194 if (strncasecmp(status, "NONE", z) == 0)
195 info->status_mask |= 0;
196 else if (strncasecmp(status, "EXPECTED", z) == 0)
197 info->status_mask |= IPS_EXPECTED;
198 else if (strncasecmp(status, "SEEN_REPLY", z) == 0)
199 info->status_mask |= IPS_SEEN_REPLY;
200 else if (strncasecmp(status, "ASSURED", z) == 0)
201 info->status_mask |= IPS_ASSURED;
202 else if (strncasecmp(status, "CONFIRMED", z) == 0)
203 info->status_mask |= IPS_CONFIRMED;
210 conntrack_ps_statuses(struct xt_conntrack_mtinfo1 *info, const char *arg)
214 while ((comma = strchr(arg, ',')) != NULL) {
215 if (comma == arg || !conntrack_ps_status(info, arg, comma - arg))
216 exit_error(PARAMETER_PROBLEM,
217 "Bad ctstatus \"%s\"", arg);
221 if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg)))
222 exit_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
226 parse_expire(const char *s)
230 if (string_to_number(s, 0, 0, &len) == -1)
231 exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
236 /* If a single value is provided, min and max are both set to the value */
238 parse_expires(const char *s, struct xt_conntrack_info *sinfo)
244 if ((cp = strchr(buffer, ':')) == NULL)
245 sinfo->expires_min = sinfo->expires_max =
246 parse_expire(buffer);
251 sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
252 sinfo->expires_max = cp[0]
258 if (sinfo->expires_min > sinfo->expires_max)
259 exit_error(PARAMETER_PROBLEM,
260 "expire min. range value `%lu' greater than max. "
261 "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
265 conntrack_ps_expires(struct xt_conntrack_mtinfo1 *info, const char *s)
267 unsigned int min, max;
270 if (!strtonum(s, &end, &min, 0, ~0))
271 param_act(P_BAD_VALUE, "conntrack", "--expires", s);
274 if (!strtonum(s, &end, &max, 0, ~0U))
275 param_act(P_BAD_VALUE, "conntrack", "--expires", s);
277 param_act(P_BAD_VALUE, "conntrack", "--expires", s);
280 exit_error(PARAMETER_PROBLEM,
281 "expire min. range value \"%u\" greater than max. "
282 "range value \"%u\"", min, max);
284 info->expires_min = min;
285 info->expires_max = max;
288 /* Function which parses command options; returns true if it
290 static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
291 const void *entry, struct xt_entry_match **match)
293 struct xt_conntrack_info *sinfo = (void *)(*match)->data;
294 char *protocol = NULL;
295 unsigned int naddrs = 0;
296 struct in_addr *addrs = NULL;
301 check_inverse(optarg, &invert, &optind, 0);
303 parse_states(argv[optind-1], sinfo);
305 sinfo->invflags |= XT_CONNTRACK_STATE;
307 sinfo->flags |= XT_CONNTRACK_STATE;
311 check_inverse(optarg, &invert, &optind, 0);
314 sinfo->invflags |= XT_CONNTRACK_PROTO;
316 /* Canonicalize into lower case */
317 for (protocol = argv[optind-1]; *protocol; protocol++)
318 *protocol = tolower(*protocol);
320 protocol = argv[optind-1];
321 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
323 if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
324 && (sinfo->invflags & XT_INV_PROTO))
325 exit_error(PARAMETER_PROBLEM,
326 "rule would never match protocol");
328 sinfo->flags |= XT_CONNTRACK_PROTO;
332 check_inverse(optarg, &invert, &optind, 0);
335 sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
337 ipparse_hostnetworkmask(argv[optind-1], &addrs,
338 &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
341 exit_error(PARAMETER_PROBLEM,
342 "multiple IP addresses not allowed");
345 sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
348 sinfo->flags |= XT_CONNTRACK_ORIGSRC;
352 check_inverse(optarg, &invert, &optind, 0);
355 sinfo->invflags |= XT_CONNTRACK_ORIGDST;
357 ipparse_hostnetworkmask(argv[optind-1], &addrs,
358 &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
361 exit_error(PARAMETER_PROBLEM,
362 "multiple IP addresses not allowed");
365 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
368 sinfo->flags |= XT_CONNTRACK_ORIGDST;
372 check_inverse(optarg, &invert, &optind, 0);
375 sinfo->invflags |= XT_CONNTRACK_REPLSRC;
377 ipparse_hostnetworkmask(argv[optind-1], &addrs,
378 &sinfo->sipmsk[IP_CT_DIR_REPLY],
381 exit_error(PARAMETER_PROBLEM,
382 "multiple IP addresses not allowed");
385 sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
388 sinfo->flags |= XT_CONNTRACK_REPLSRC;
392 check_inverse(optarg, &invert, &optind, 0);
395 sinfo->invflags |= XT_CONNTRACK_REPLDST;
397 ipparse_hostnetworkmask(argv[optind-1], &addrs,
398 &sinfo->dipmsk[IP_CT_DIR_REPLY],
401 exit_error(PARAMETER_PROBLEM,
402 "multiple IP addresses not allowed");
405 sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
408 sinfo->flags |= XT_CONNTRACK_REPLDST;
412 check_inverse(optarg, &invert, &optind, 0);
414 parse_statuses(argv[optind-1], sinfo);
416 sinfo->invflags |= XT_CONNTRACK_STATUS;
418 sinfo->flags |= XT_CONNTRACK_STATUS;
422 check_inverse(optarg, &invert, &optind, 0);
424 parse_expires(argv[optind-1], sinfo);
426 sinfo->invflags |= XT_CONNTRACK_EXPIRES;
428 sinfo->flags |= XT_CONNTRACK_EXPIRES;
435 *flags = sinfo->flags;
440 conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags,
441 struct xt_entry_match **match)
443 struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
448 case '1': /* --ctstate */
449 conntrack_ps_states(info, optarg);
450 info->match_flags |= XT_CONNTRACK_STATE;
452 info->invert_flags |= XT_CONNTRACK_STATE;
455 case '2': /* --ctproto */
456 /* Canonicalize into lower case */
457 for (p = optarg; *p != '\0'; ++p)
459 info->l4proto = parse_protocol(optarg);
461 if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
462 exit_error(PARAMETER_PROBLEM, "conntrack: rule would "
463 "never match protocol");
465 info->match_flags |= XT_CONNTRACK_PROTO;
467 info->invert_flags |= XT_CONNTRACK_PROTO;
470 case '7': /* --ctstatus */
471 conntrack_ps_statuses(info, optarg);
472 info->match_flags |= XT_CONNTRACK_STATUS;
474 info->invert_flags |= XT_CONNTRACK_STATUS;
477 case '8': /* --ctexpire */
478 conntrack_ps_expires(info, optarg);
479 info->match_flags |= XT_CONNTRACK_EXPIRES;
481 info->invert_flags |= XT_CONNTRACK_EXPIRES;
484 case 'a': /* --ctorigsrcport */
485 if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
486 param_act(P_BAD_VALUE, "conntrack",
487 "--ctorigsrcport", optarg);
488 info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
489 info->origsrc_port = htons(port);
491 info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
494 case 'b': /* --ctorigdstport */
495 if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
496 param_act(P_BAD_VALUE, "conntrack",
497 "--ctorigdstport", optarg);
498 info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
499 info->origdst_port = htons(port);
501 info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
504 case 'c': /* --ctreplsrcport */
505 if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
506 param_act(P_BAD_VALUE, "conntrack",
507 "--ctreplsrcport", optarg);
508 info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
509 info->replsrc_port = htons(port);
511 info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
514 case 'd': /* --ctrepldstport */
515 if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
516 param_act(P_BAD_VALUE, "conntrack",
517 "--ctrepldstport", optarg);
518 info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
519 info->repldst_port = htons(port);
521 info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
524 case 'e': /* --ctdir */
525 param_act(P_NO_INVERT, "conntrack", "--ctdir", invert);
526 if (strcasecmp(optarg, "ORIGINAL") == 0) {
527 info->match_flags |= XT_CONNTRACK_DIRECTION;
528 info->invert_flags &= ~XT_CONNTRACK_DIRECTION;
529 } else if (strcasecmp(optarg, "REPLY") == 0) {
530 info->match_flags |= XT_CONNTRACK_DIRECTION;
531 info->invert_flags |= XT_CONNTRACK_DIRECTION;
533 param_act(P_BAD_VALUE, "conntrack", "--ctdir", optarg);
541 *flags = info->match_flags;
546 conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
547 const void *entry, struct xt_entry_match **match)
549 struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
550 struct in_addr *addr = NULL;
551 unsigned int naddrs = 0;
554 case '3': /* --ctorigsrc */
555 ipparse_hostnetworkmask(optarg, &addr, &info->origsrc_mask.in,
558 exit_error(PARAMETER_PROBLEM,
559 "multiple IP addresses not allowed");
561 memcpy(&info->origsrc_addr.in, addr, sizeof(*addr));
562 info->match_flags |= XT_CONNTRACK_ORIGSRC;
564 info->invert_flags |= XT_CONNTRACK_ORIGSRC;
567 case '4': /* --ctorigdst */
568 ipparse_hostnetworkmask(optarg, &addr, &info->origdst_mask.in,
571 exit_error(PARAMETER_PROBLEM,
572 "multiple IP addresses not allowed");
574 memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
575 info->match_flags |= XT_CONNTRACK_ORIGDST;
577 info->invert_flags |= XT_CONNTRACK_ORIGDST;
580 case '5': /* --ctreplsrc */
581 ipparse_hostnetworkmask(optarg, &addr, &info->replsrc_mask.in,
584 exit_error(PARAMETER_PROBLEM,
585 "multiple IP addresses not allowed");
587 memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
588 info->match_flags |= XT_CONNTRACK_REPLSRC;
590 info->invert_flags |= XT_CONNTRACK_REPLSRC;
593 case '6': /* --ctrepldst */
594 ipparse_hostnetworkmask(optarg, &addr, &info->repldst_mask.in,
597 exit_error(PARAMETER_PROBLEM,
598 "multiple IP addresses not allowed");
600 memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
601 info->match_flags |= XT_CONNTRACK_REPLDST;
603 info->invert_flags |= XT_CONNTRACK_REPLDST;
608 return conntrack_mt_parse(c, argv, invert, flags, match);
611 *flags = info->match_flags;
616 conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
617 const void *entry, struct xt_entry_match **match)
619 struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
620 struct in6_addr *addr = NULL;
621 unsigned int naddrs = 0;
624 case '3': /* --ctorigsrc */
625 ip6parse_hostnetworkmask(optarg, &addr,
626 &info->origsrc_mask.in6, &naddrs);
628 exit_error(PARAMETER_PROBLEM,
629 "multiple IP addresses not allowed");
631 memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr));
632 info->match_flags |= XT_CONNTRACK_ORIGSRC;
634 info->invert_flags |= XT_CONNTRACK_ORIGSRC;
637 case '4': /* --ctorigdst */
638 ip6parse_hostnetworkmask(optarg, &addr,
639 &info->origdst_mask.in6, &naddrs);
641 exit_error(PARAMETER_PROBLEM,
642 "multiple IP addresses not allowed");
644 memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
645 info->match_flags |= XT_CONNTRACK_ORIGDST;
647 info->invert_flags |= XT_CONNTRACK_ORIGDST;
650 case '5': /* --ctreplsrc */
651 ip6parse_hostnetworkmask(optarg, &addr,
652 &info->replsrc_mask.in6, &naddrs);
654 exit_error(PARAMETER_PROBLEM,
655 "multiple IP addresses not allowed");
657 memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
658 info->match_flags |= XT_CONNTRACK_REPLSRC;
660 info->invert_flags |= XT_CONNTRACK_REPLSRC;
663 case '6': /* --ctrepldst */
664 ip6parse_hostnetworkmask(optarg, &addr,
665 &info->repldst_mask.in6, &naddrs);
667 exit_error(PARAMETER_PROBLEM,
668 "multiple IP addresses not allowed");
670 memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
671 info->match_flags |= XT_CONNTRACK_REPLDST;
673 info->invert_flags |= XT_CONNTRACK_REPLDST;
678 return conntrack_mt_parse(c, argv, invert, flags, match);
681 *flags = info->match_flags;
685 static void conntrack_mt_check(unsigned int flags)
688 exit_error(PARAMETER_PROBLEM, "conntrack: At least one option "
693 print_state(unsigned int statemask)
695 const char *sep = "";
697 if (statemask & XT_CONNTRACK_STATE_INVALID) {
698 printf("%sINVALID", sep);
701 if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
702 printf("%sNEW", sep);
705 if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
706 printf("%sRELATED", sep);
709 if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
710 printf("%sESTABLISHED", sep);
713 if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
714 printf("%sUNTRACKED", sep);
717 if (statemask & XT_CONNTRACK_STATE_SNAT) {
718 printf("%sSNAT", sep);
721 if (statemask & XT_CONNTRACK_STATE_DNAT) {
722 printf("%sDNAT", sep);
729 print_status(unsigned int statusmask)
731 const char *sep = "";
733 if (statusmask & IPS_EXPECTED) {
734 printf("%sEXPECTED", sep);
737 if (statusmask & IPS_SEEN_REPLY) {
738 printf("%sSEEN_REPLY", sep);
741 if (statusmask & IPS_ASSURED) {
742 printf("%sASSURED", sep);
745 if (statusmask & IPS_CONFIRMED) {
746 printf("%sCONFIRMED", sep);
750 printf("%sNONE", sep);
755 conntrack_dump_addr(const union nf_inet_addr *addr,
756 const union nf_inet_addr *mask,
757 unsigned int family, bool numeric)
759 if (family == AF_INET) {
760 if (!numeric && addr->ip == 0) {
764 printf("%s ", ipaddr_to_anyname(&addr->in));
765 } else if (family == AF_INET6) {
766 if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
767 addr->ip6[2] == 0 && addr->ip6[3] == 0) {
771 printf("%s ", ip6addr_to_anyname(&addr->in6));
776 print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
783 if (mask->s_addr == 0L && !numeric)
784 printf("%s ", "anywhere");
787 sprintf(buf, "%s", ipaddr_to_numeric(addr));
789 sprintf(buf, "%s", ipaddr_to_anyname(addr));
790 strcat(buf, ipmask_to_numeric(mask));
795 /* Saves the matchinfo in parsable form to stdout. */
797 matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
799 struct xt_conntrack_info *sinfo = (void *)match->data;
801 if(sinfo->flags & XT_CONNTRACK_STATE) {
802 if (sinfo->invflags & XT_CONNTRACK_STATE)
804 printf("%sctstate ", optpfx);
805 print_state(sinfo->statemask);
808 if(sinfo->flags & XT_CONNTRACK_PROTO) {
809 if (sinfo->invflags & XT_CONNTRACK_PROTO)
811 printf("%sctproto ", optpfx);
812 printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
815 if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
816 if (sinfo->invflags & XT_CONNTRACK_ORIGSRC)
818 printf("%sctorigsrc ", optpfx);
821 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
822 &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
827 if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
828 if (sinfo->invflags & XT_CONNTRACK_ORIGDST)
830 printf("%sctorigdst ", optpfx);
833 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
834 &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
839 if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
840 if (sinfo->invflags & XT_CONNTRACK_REPLSRC)
842 printf("%sctreplsrc ", optpfx);
845 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
846 &sinfo->sipmsk[IP_CT_DIR_REPLY],
851 if(sinfo->flags & XT_CONNTRACK_REPLDST) {
852 if (sinfo->invflags & XT_CONNTRACK_REPLDST)
854 printf("%sctrepldst ", optpfx);
857 (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
858 &sinfo->dipmsk[IP_CT_DIR_REPLY],
863 if(sinfo->flags & XT_CONNTRACK_STATUS) {
864 if (sinfo->invflags & XT_CONNTRACK_STATUS)
866 printf("%sctstatus ", optpfx);
867 print_status(sinfo->statusmask);
870 if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
871 if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
873 printf("%sctexpire ", optpfx);
875 if (sinfo->expires_max == sinfo->expires_min)
876 printf("%lu ", sinfo->expires_min);
878 printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
883 conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
884 unsigned int family, bool numeric)
886 if (info->match_flags & XT_CONNTRACK_STATE) {
887 if (info->invert_flags & XT_CONNTRACK_STATE)
889 printf("%sctstate ", prefix);
890 print_state(info->state_mask);
893 if (info->match_flags & XT_CONNTRACK_PROTO) {
894 if (info->invert_flags & XT_CONNTRACK_PROTO)
896 printf("%sctproto %u ", prefix, info->l4proto);
899 if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
900 if (info->invert_flags & XT_CONNTRACK_PROTO)
902 printf("%sctorigsrc ", prefix);
903 conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
907 if (info->match_flags & XT_CONNTRACK_ORIGDST) {
908 if (info->invert_flags & XT_CONNTRACK_PROTO)
910 printf("%sctorigdst ", prefix);
911 conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
915 if (info->match_flags & XT_CONNTRACK_REPLSRC) {
916 if (info->invert_flags & XT_CONNTRACK_PROTO)
918 printf("%sctreplsrc ", prefix);
919 conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
923 if (info->match_flags & XT_CONNTRACK_REPLDST) {
924 if (info->invert_flags & XT_CONNTRACK_PROTO)
926 printf("%sctrepldst ", prefix);
927 conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
931 if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) {
932 if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT)
934 printf("%sctorigsrcport %u ", prefix,
935 ntohs(info->origsrc_port));
938 if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) {
939 if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT)
941 printf("%sctorigdstport %u ", prefix,
942 ntohs(info->origdst_port));
945 if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) {
946 if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT)
948 printf("%sctreplsrcport %u ", prefix,
949 ntohs(info->replsrc_port));
952 if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) {
953 if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT)
955 printf("%sctrepldstport %u ", prefix,
956 ntohs(info->repldst_port));
959 if (info->match_flags & XT_CONNTRACK_STATUS) {
960 if (info->invert_flags & XT_CONNTRACK_STATUS)
962 printf("%sctstatus ", prefix);
963 print_status(info->status_mask);
966 if (info->match_flags & XT_CONNTRACK_EXPIRES) {
967 if (info->invert_flags & XT_CONNTRACK_EXPIRES)
969 printf("%sctexpire ", prefix);
971 if (info->expires_max == info->expires_min)
972 printf("%u ", (unsigned int)info->expires_min);
974 printf("%u:%u ", (unsigned int)info->expires_min,
975 (unsigned int)info->expires_max);
979 /* Prints out the matchinfo. */
980 static void conntrack_print(const void *ip, const struct xt_entry_match *match,
983 matchinfo_print(ip, match, numeric, "");
987 conntrack_mt_print(const void *ip, const struct xt_entry_match *match,
990 conntrack_dump((const void *)match->data, "", AF_INET, numeric);
994 conntrack_mt6_print(const void *ip, const struct xt_entry_match *match,
997 conntrack_dump((const void *)match->data, "", AF_INET6, numeric);
1000 /* Saves the matchinfo in parsable form to stdout. */
1001 static void conntrack_save(const void *ip, const struct xt_entry_match *match)
1003 matchinfo_print(ip, match, 1, "--");
1006 static void conntrack_mt_save(const void *ip,
1007 const struct xt_entry_match *match)
1009 conntrack_dump((const void *)match->data, "--", AF_INET, true);
1012 static void conntrack_mt6_save(const void *ip,
1013 const struct xt_entry_match *match)
1015 conntrack_dump((const void *)match->data, "--", AF_INET6, true);
1018 static struct xtables_match conntrack_match = {
1019 .version = XTABLES_VERSION,
1020 .name = "conntrack",
1023 .size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1024 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1025 .help = conntrack_mt_help,
1026 .parse = conntrack_parse,
1027 .final_check = conntrack_mt_check,
1028 .print = conntrack_print,
1029 .save = conntrack_save,
1030 .extra_opts = conntrack_mt_opts_v0,
1033 static struct xtables_match conntrack_mt_reg = {
1034 .version = XTABLES_VERSION,
1035 .name = "conntrack",
1038 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1039 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1040 .help = conntrack_mt_help,
1041 .parse = conntrack_mt4_parse,
1042 .final_check = conntrack_mt_check,
1043 .print = conntrack_mt_print,
1044 .save = conntrack_mt_save,
1045 .extra_opts = conntrack_mt_opts,
1048 static struct xtables_match conntrack_mt6_reg = {
1049 .version = XTABLES_VERSION,
1050 .name = "conntrack",
1053 .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1054 .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1055 .help = conntrack_mt_help,
1056 .parse = conntrack_mt6_parse,
1057 .final_check = conntrack_mt_check,
1058 .print = conntrack_mt6_print,
1059 .save = conntrack_mt6_save,
1060 .extra_opts = conntrack_mt_opts,
1065 xtables_register_match(&conntrack_match);
1066 xtables_register_match(&conntrack_mt_reg);
1067 xtables_register_match(&conntrack_mt6_reg);
git://git.onelab.eu / iptables.git / blob