1 /*
2 * Copyright (c) 2010-2013 Patrick McHardy <kaber@trash.net>
3 */
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <xtables.h>
8 #include <linux/netfilter/nf_conntrack_common.h>
9 #include <linux/netfilter/xt_CT.h>
10
ct_help(void)11 static void ct_help(void)
12 {
13 printf(
14 "CT target options:\n"
15 " --notrack Don't track connection\n"
16 " --helper name Use conntrack helper 'name' for connection\n"
17 " --ctevents event[,event...] Generate specified conntrack events for connection\n"
18 " --expevents event[,event...] Generate specified expectation events for connection\n"
19 " --zone {ID|mark} Assign/Lookup connection in zone ID/packet nfmark\n"
20 " --zone-orig {ID|mark} Same as 'zone' option, but only applies to ORIGINAL direction\n"
21 " --zone-reply {ID|mark} Same as 'zone' option, but only applies to REPLY direction\n"
22 );
23 }
24
ct_help_v1(void)25 static void ct_help_v1(void)
26 {
27 printf(
28 "CT target options:\n"
29 " --notrack Don't track connection\n"
30 " --helper name Use conntrack helper 'name' for connection\n"
31 " --timeout name Use timeout policy 'name' for connection\n"
32 " --ctevents event[,event...] Generate specified conntrack events for connection\n"
33 " --expevents event[,event...] Generate specified expectation events for connection\n"
34 " --zone {ID|mark} Assign/Lookup connection in zone ID/packet nfmark\n"
35 " --zone-orig {ID|mark} Same as 'zone' option, but only applies to ORIGINAL direction\n"
36 " --zone-reply {ID|mark} Same as 'zone' option, but only applies to REPLY direction\n"
37 );
38 }
39
40 enum {
41 O_NOTRACK = 0,
42 O_HELPER,
43 O_TIMEOUT,
44 O_CTEVENTS,
45 O_EXPEVENTS,
46 O_ZONE,
47 O_ZONE_ORIG,
48 O_ZONE_REPLY,
49 };
50
51 #define s struct xt_ct_target_info
52 static const struct xt_option_entry ct_opts[] = {
53 {.name = "notrack", .id = O_NOTRACK, .type = XTTYPE_NONE},
54 {.name = "helper", .id = O_HELPER, .type = XTTYPE_STRING,
55 .flags = XTOPT_PUT, XTOPT_POINTER(s, helper)},
56 {.name = "ctevents", .id = O_CTEVENTS, .type = XTTYPE_STRING},
57 {.name = "expevents", .id = O_EXPEVENTS, .type = XTTYPE_STRING},
58 {.name = "zone-orig", .id = O_ZONE_ORIG, .type = XTTYPE_STRING},
59 {.name = "zone-reply", .id = O_ZONE_REPLY, .type = XTTYPE_STRING},
60 {.name = "zone", .id = O_ZONE, .type = XTTYPE_STRING},
61 XTOPT_TABLEEND,
62 };
63 #undef s
64
65 #define s struct xt_ct_target_info_v1
66 static const struct xt_option_entry ct_opts_v1[] = {
67 {.name = "notrack", .id = O_NOTRACK, .type = XTTYPE_NONE},
68 {.name = "helper", .id = O_HELPER, .type = XTTYPE_STRING,
69 .flags = XTOPT_PUT, XTOPT_POINTER(s, helper)},
70 {.name = "timeout", .id = O_TIMEOUT, .type = XTTYPE_STRING,
71 .flags = XTOPT_PUT, XTOPT_POINTER(s, timeout)},
72 {.name = "ctevents", .id = O_CTEVENTS, .type = XTTYPE_STRING},
73 {.name = "expevents", .id = O_EXPEVENTS, .type = XTTYPE_STRING},
74 {.name = "zone-orig", .id = O_ZONE_ORIG, .type = XTTYPE_STRING},
75 {.name = "zone-reply", .id = O_ZONE_REPLY, .type = XTTYPE_STRING},
76 {.name = "zone", .id = O_ZONE, .type = XTTYPE_STRING},
77 XTOPT_TABLEEND,
78 };
79 #undef s
80
81 struct event_tbl {
82 const char *name;
83 unsigned int event;
84 };
85
86 static const struct event_tbl ct_event_tbl[] = {
87 { "new", IPCT_NEW },
88 { "related", IPCT_RELATED },
89 { "destroy", IPCT_DESTROY },
90 { "reply", IPCT_REPLY },
91 { "assured", IPCT_ASSURED },
92 { "protoinfo", IPCT_PROTOINFO },
93 { "helper", IPCT_HELPER },
94 { "mark", IPCT_MARK },
95 { "natseqinfo", IPCT_NATSEQADJ },
96 { "secmark", IPCT_SECMARK },
97 };
98
99 static const struct event_tbl exp_event_tbl[] = {
100 { "new", IPEXP_NEW },
101 };
102
ct_parse_zone_id(const char * opt,unsigned int opt_id,uint16_t * zone_id,uint16_t * flags)103 static void ct_parse_zone_id(const char *opt, unsigned int opt_id,
104 uint16_t *zone_id, uint16_t *flags)
105 {
106 if (opt_id == O_ZONE_ORIG)
107 *flags |= XT_CT_ZONE_DIR_ORIG;
108 if (opt_id == O_ZONE_REPLY)
109 *flags |= XT_CT_ZONE_DIR_REPL;
110
111 *zone_id = 0;
112
113 if (strcasecmp(opt, "mark") == 0) {
114 *flags |= XT_CT_ZONE_MARK;
115 } else {
116 uintmax_t val;
117
118 if (!xtables_strtoul(opt, NULL, &val, 0, UINT16_MAX))
119 xtables_error(PARAMETER_PROBLEM,
120 "Cannot parse %s as a zone ID\n", opt);
121
122 *zone_id = (uint16_t)val;
123 }
124 }
125
ct_print_zone_id(const char * pfx,uint16_t zone_id,uint16_t flags)126 static void ct_print_zone_id(const char *pfx, uint16_t zone_id, uint16_t flags)
127 {
128 printf(" %s", pfx);
129
130 if ((flags & (XT_CT_ZONE_DIR_ORIG |
131 XT_CT_ZONE_DIR_REPL)) == XT_CT_ZONE_DIR_ORIG)
132 printf("-orig");
133 if ((flags & (XT_CT_ZONE_DIR_ORIG |
134 XT_CT_ZONE_DIR_REPL)) == XT_CT_ZONE_DIR_REPL)
135 printf("-reply");
136 if (flags & XT_CT_ZONE_MARK)
137 printf(" mark");
138 else
139 printf(" %u", zone_id);
140 }
141
ct_parse_events(const struct event_tbl * tbl,unsigned int size,const char * events)142 static uint32_t ct_parse_events(const struct event_tbl *tbl, unsigned int size,
143 const char *events)
144 {
145 char str[strlen(events) + 1], *e = str, *t;
146 unsigned int mask = 0, i;
147
148 strcpy(str, events);
149 while ((t = strsep(&e, ","))) {
150 for (i = 0; i < size; i++) {
151 if (strcmp(t, tbl[i].name))
152 continue;
153 mask |= 1 << tbl[i].event;
154 break;
155 }
156
157 if (i == size)
158 xtables_error(PARAMETER_PROBLEM, "Unknown event type \"%s\"", t);
159 }
160
161 return mask;
162 }
163
ct_print_events(const char * pfx,const struct event_tbl * tbl,unsigned int size,uint32_t mask)164 static void ct_print_events(const char *pfx, const struct event_tbl *tbl,
165 unsigned int size, uint32_t mask)
166 {
167 const char *sep = "";
168 unsigned int i;
169
170 printf(" %s ", pfx);
171 for (i = 0; i < size; i++) {
172 if (mask & (1 << tbl[i].event)) {
173 printf("%s%s", sep, tbl[i].name);
174 sep = ",";
175 }
176 }
177 }
178
ct_parse(struct xt_option_call * cb)179 static void ct_parse(struct xt_option_call *cb)
180 {
181 struct xt_ct_target_info *info = cb->data;
182
183 xtables_option_parse(cb);
184 switch (cb->entry->id) {
185 case O_NOTRACK:
186 info->flags |= XT_CT_NOTRACK;
187 break;
188 case O_ZONE_ORIG:
189 case O_ZONE_REPLY:
190 case O_ZONE:
191 ct_parse_zone_id(cb->arg, cb->entry->id, &info->zone,
192 &info->flags);
193 break;
194 case O_CTEVENTS:
195 info->ct_events = ct_parse_events(ct_event_tbl, ARRAY_SIZE(ct_event_tbl), cb->arg);
196 break;
197 case O_EXPEVENTS:
198 info->exp_events = ct_parse_events(exp_event_tbl, ARRAY_SIZE(exp_event_tbl), cb->arg);
199 break;
200 }
201 }
202
ct_parse_v1(struct xt_option_call * cb)203 static void ct_parse_v1(struct xt_option_call *cb)
204 {
205 struct xt_ct_target_info_v1 *info = cb->data;
206
207 xtables_option_parse(cb);
208 switch (cb->entry->id) {
209 case O_NOTRACK:
210 info->flags |= XT_CT_NOTRACK;
211 break;
212 case O_ZONE_ORIG:
213 case O_ZONE_REPLY:
214 case O_ZONE:
215 ct_parse_zone_id(cb->arg, cb->entry->id, &info->zone,
216 &info->flags);
217 break;
218 case O_CTEVENTS:
219 info->ct_events = ct_parse_events(ct_event_tbl,
220 ARRAY_SIZE(ct_event_tbl),
221 cb->arg);
222 break;
223 case O_EXPEVENTS:
224 info->exp_events = ct_parse_events(exp_event_tbl,
225 ARRAY_SIZE(exp_event_tbl),
226 cb->arg);
227 break;
228 }
229 }
230
ct_print(const void * ip,const struct xt_entry_target * target,int numeric)231 static void ct_print(const void *ip, const struct xt_entry_target *target, int numeric)
232 {
233 const struct xt_ct_target_info *info =
234 (const struct xt_ct_target_info *)target->data;
235
236 printf(" CT");
237 if (info->flags & XT_CT_NOTRACK)
238 printf(" notrack");
239 if (info->helper[0])
240 printf(" helper %s", info->helper);
241 if (info->ct_events)
242 ct_print_events("ctevents", ct_event_tbl,
243 ARRAY_SIZE(ct_event_tbl), info->ct_events);
244 if (info->exp_events)
245 ct_print_events("expevents", exp_event_tbl,
246 ARRAY_SIZE(exp_event_tbl), info->exp_events);
247 if (info->flags & XT_CT_ZONE_MARK || info->zone)
248 ct_print_zone_id("zone", info->zone, info->flags);
249 }
250
251 static void
ct_print_v1(const void * ip,const struct xt_entry_target * target,int numeric)252 ct_print_v1(const void *ip, const struct xt_entry_target *target, int numeric)
253 {
254 const struct xt_ct_target_info_v1 *info =
255 (const struct xt_ct_target_info_v1 *)target->data;
256
257 if (info->flags & XT_CT_NOTRACK_ALIAS) {
258 printf (" NOTRACK");
259 return;
260 }
261 printf(" CT");
262 if (info->flags & XT_CT_NOTRACK)
263 printf(" notrack");
264 if (info->helper[0])
265 printf(" helper %s", info->helper);
266 if (info->timeout[0])
267 printf(" timeout %s", info->timeout);
268 if (info->ct_events)
269 ct_print_events("ctevents", ct_event_tbl,
270 ARRAY_SIZE(ct_event_tbl), info->ct_events);
271 if (info->exp_events)
272 ct_print_events("expevents", exp_event_tbl,
273 ARRAY_SIZE(exp_event_tbl), info->exp_events);
274 if (info->flags & XT_CT_ZONE_MARK || info->zone)
275 ct_print_zone_id("zone", info->zone, info->flags);
276 }
277
ct_save(const void * ip,const struct xt_entry_target * target)278 static void ct_save(const void *ip, const struct xt_entry_target *target)
279 {
280 const struct xt_ct_target_info *info =
281 (const struct xt_ct_target_info *)target->data;
282
283 if (info->flags & XT_CT_NOTRACK_ALIAS)
284 return;
285 if (info->flags & XT_CT_NOTRACK)
286 printf(" --notrack");
287 if (info->helper[0])
288 printf(" --helper %s", info->helper);
289 if (info->ct_events)
290 ct_print_events("--ctevents", ct_event_tbl,
291 ARRAY_SIZE(ct_event_tbl), info->ct_events);
292 if (info->exp_events)
293 ct_print_events("--expevents", exp_event_tbl,
294 ARRAY_SIZE(exp_event_tbl), info->exp_events);
295 if (info->flags & XT_CT_ZONE_MARK || info->zone)
296 ct_print_zone_id("--zone", info->zone, info->flags);
297 }
298
ct_save_v1(const void * ip,const struct xt_entry_target * target)299 static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
300 {
301 const struct xt_ct_target_info_v1 *info =
302 (const struct xt_ct_target_info_v1 *)target->data;
303
304 if (info->flags & XT_CT_NOTRACK_ALIAS)
305 return;
306 if (info->flags & XT_CT_NOTRACK)
307 printf(" --notrack");
308 if (info->helper[0])
309 printf(" --helper %s", info->helper);
310 if (info->timeout[0])
311 printf(" --timeout %s", info->timeout);
312 if (info->ct_events)
313 ct_print_events("--ctevents", ct_event_tbl,
314 ARRAY_SIZE(ct_event_tbl), info->ct_events);
315 if (info->exp_events)
316 ct_print_events("--expevents", exp_event_tbl,
317 ARRAY_SIZE(exp_event_tbl), info->exp_events);
318 if (info->flags & XT_CT_ZONE_MARK || info->zone)
319 ct_print_zone_id("--zone", info->zone, info->flags);
320 }
321
322 static const char *
ct_print_name_alias(const struct xt_entry_target * target)323 ct_print_name_alias(const struct xt_entry_target *target)
324 {
325 struct xt_ct_target_info *info = (void *)target->data;
326
327 return info->flags & XT_CT_NOTRACK_ALIAS ? "NOTRACK" : "CT";
328 }
329
notrack_ct0_tg_init(struct xt_entry_target * target)330 static void notrack_ct0_tg_init(struct xt_entry_target *target)
331 {
332 struct xt_ct_target_info *info = (void *)target->data;
333
334 info->flags = XT_CT_NOTRACK;
335 }
336
notrack_ct1_tg_init(struct xt_entry_target * target)337 static void notrack_ct1_tg_init(struct xt_entry_target *target)
338 {
339 struct xt_ct_target_info_v1 *info = (void *)target->data;
340
341 info->flags = XT_CT_NOTRACK;
342 }
343
notrack_ct2_tg_init(struct xt_entry_target * target)344 static void notrack_ct2_tg_init(struct xt_entry_target *target)
345 {
346 struct xt_ct_target_info_v1 *info = (void *)target->data;
347
348 info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS;
349 }
350
351 static struct xtables_target ct_target_reg[] = {
352 {
353 .family = NFPROTO_UNSPEC,
354 .name = "CT",
355 .version = XTABLES_VERSION,
356 .size = XT_ALIGN(sizeof(struct xt_ct_target_info)),
357 .userspacesize = offsetof(struct xt_ct_target_info, ct),
358 .help = ct_help,
359 .print = ct_print,
360 .save = ct_save,
361 .x6_parse = ct_parse,
362 .x6_options = ct_opts,
363 },
364 {
365 .family = NFPROTO_UNSPEC,
366 .name = "CT",
367 .revision = 1,
368 .version = XTABLES_VERSION,
369 .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
370 .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
371 .help = ct_help_v1,
372 .print = ct_print_v1,
373 .save = ct_save_v1,
374 .x6_parse = ct_parse_v1,
375 .x6_options = ct_opts_v1,
376 },
377 {
378 .family = NFPROTO_UNSPEC,
379 .name = "CT",
380 .revision = 2,
381 .version = XTABLES_VERSION,
382 .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
383 .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
384 .help = ct_help_v1,
385 .print = ct_print_v1,
386 .save = ct_save_v1,
387 .alias = ct_print_name_alias,
388 .x6_parse = ct_parse_v1,
389 .x6_options = ct_opts_v1,
390 },
391 {
392 .family = NFPROTO_UNSPEC,
393 .name = "NOTRACK",
394 .real_name = "CT",
395 .revision = 0,
396 .version = XTABLES_VERSION,
397 .size = XT_ALIGN(sizeof(struct xt_ct_target_info)),
398 .userspacesize = offsetof(struct xt_ct_target_info, ct),
399 .init = notrack_ct0_tg_init,
400 },
401 {
402 .family = NFPROTO_UNSPEC,
403 .name = "NOTRACK",
404 .real_name = "CT",
405 .revision = 1,
406 .version = XTABLES_VERSION,
407 .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
408 .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
409 .init = notrack_ct1_tg_init,
410 },
411 {
412 .family = NFPROTO_UNSPEC,
413 .name = "NOTRACK",
414 .real_name = "CT",
415 .revision = 2,
416 .ext_flags = XTABLES_EXT_ALIAS,
417 .version = XTABLES_VERSION,
418 .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
419 .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
420 .init = notrack_ct2_tg_init,
421 },
422 {
423 .family = NFPROTO_UNSPEC,
424 .name = "NOTRACK",
425 .revision = 0,
426 .version = XTABLES_VERSION,
427 },
428 };
429
_init(void)430 void _init(void)
431 {
432 xtables_register_targets(ct_target_reg, ARRAY_SIZE(ct_target_reg));
433 }
434