2 * src/f_ct.c Conntrack Filter
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation version 2.1
9 * Copyright (c) 2003-2006 Thomas Graf <tgraf@suug.ch>
10 * Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
11 * Copyright (c) 2007 Secure Computing Corporation
14 static void get_filter(struct nfnl_ct *ct, int argc, char **argv, int idx)
19 if (arg_match("family")) {
21 int family = nl_str2af(argv[idx++]);
22 if (family == AF_UNSPEC)
24 nfnl_ct_set_family(ct, family);
26 } else if (arg_match("proto")) {
28 int proto = nl_str2ip_proto(argv[idx++]);
31 nfnl_ct_set_proto(ct, proto);
33 } else if (arg_match("tcpstate")) {
35 int state = nfnl_ct_str2tcp_state(argv[idx++]);
38 nfnl_ct_set_tcp_state(ct, state);
40 } else if (arg_match("status")) {
42 int status = strtoul(argv[idx++], NULL, 0);
43 nfnl_ct_set_status(ct, status);
44 nfnl_ct_unset_status(ct, ~status);
46 } else if (arg_match("timeout")) {
48 nfnl_ct_set_timeout(ct, strtoul(argv[idx++], NULL, 0));
49 } else if (arg_match("mark")) {
51 nfnl_ct_set_mark(ct, strtoul(argv[idx++], NULL, 0));
52 } else if (arg_match("use")) {
54 nfnl_ct_set_use(ct, strtoul(argv[idx++], NULL, 0));
55 } else if (arg_match("id")) {
57 nfnl_ct_set_id(ct, strtoul(argv[idx++], NULL, 0));
58 } else if (arg_match("origsrc")) {
60 a = nl_addr_parse(argv[idx++],
61 nfnl_ct_get_family(ct));
64 nfnl_ct_set_src(ct, 0, a);
67 } else if (arg_match("origdst")) {
69 a = nl_addr_parse(argv[idx++],
70 nfnl_ct_get_family(ct));
73 nfnl_ct_set_dst(ct, 0, a);
76 } else if (arg_match("origsrcport")) {
78 nfnl_ct_set_src_port(ct, 0, strtoul(argv[idx++], NULL, 0));
79 } else if (arg_match("origdstport")) {
81 nfnl_ct_set_dst_port(ct, 0, strtoul(argv[idx++], NULL, 0));
82 } else if (arg_match("origicmpid")) {
84 nfnl_ct_set_icmp_id(ct, 0, strtoul(argv[idx++], NULL, 0));
85 } else if (arg_match("origicmptype")) {
87 nfnl_ct_set_icmp_type(ct, 0, strtoul(argv[idx++], NULL, 0));
88 } else if (arg_match("origicmpcode")) {
90 nfnl_ct_set_icmp_code(ct, 0, strtoul(argv[idx++], NULL, 0));
91 } else if (arg_match("origpackets")) {
93 nfnl_ct_set_packets(ct, 0, strtoul(argv[idx++], NULL, 0));
94 } else if (arg_match("origbytes")) {
96 nfnl_ct_set_bytes(ct, 0, strtoul(argv[idx++], NULL, 0));
97 } else if (arg_match("replysrc")) {
99 a = nl_addr_parse(argv[idx++],
100 nfnl_ct_get_family(ct));
103 nfnl_ct_set_src(ct, 1, a);
106 } else if (arg_match("replydst")) {
108 a = nl_addr_parse(argv[idx++],
109 nfnl_ct_get_family(ct));
112 nfnl_ct_set_dst(ct, 1, a);
115 } else if (arg_match("replysrcport")) {
117 nfnl_ct_set_src_port(ct, 1, strtoul(argv[idx++], NULL, 0));
118 } else if (arg_match("replydstport")) {
120 nfnl_ct_set_dst_port(ct, 1, strtoul(argv[idx++], NULL, 0));
121 } else if (arg_match("replyicmpid")) {
123 nfnl_ct_set_icmp_id(ct, 1, strtoul(argv[idx++], NULL, 0));
124 } else if (arg_match("replyicmptype")) {
126 nfnl_ct_set_icmp_type(ct, 1, strtoul(argv[idx++], NULL, 0));
127 } else if (arg_match("replyicmpcode")) {
129 nfnl_ct_set_icmp_code(ct, 1, strtoul(argv[idx++], NULL, 0));
130 } else if (arg_match("replypackets")) {
132 nfnl_ct_set_packets(ct, 1, strtoul(argv[idx++], NULL, 0));
133 } else if (arg_match("replybytes")) {
135 nfnl_ct_set_bytes(ct, 1, strtoul(argv[idx++], NULL, 0));
137 #define MSTATUS(STR, STATUS) \
138 else if (!strcasecmp(argv[idx], STR)) { \
139 nfnl_ct_set_status(ct, STATUS); idx++; }
140 #define MNOSTATUS(STR, STATUS) \
141 else if (!strcasecmp(argv[idx], STR)) { \
142 nfnl_ct_unset_status(ct, STATUS); idx++; }
144 MSTATUS("replied", IPS_SEEN_REPLY)
145 MNOSTATUS("unreplied", IPS_SEEN_REPLY)
146 MSTATUS("assured", IPS_ASSURED)
147 MNOSTATUS("unassured", IPS_ASSURED)
151 fprintf(stderr, "What is '%s'?\n", argv[idx]);
159 fprintf(stderr, "Invalid IP protocol \"%s\".\n", argv[idx-1]);
162 fprintf(stderr, "Invalid TCP state \"%s\".\n", argv[idx-1]);
165 fprintf(stderr, "Invalid address family \"%s\"\n", argv[idx-1]);
168 fprintf(stderr, "Invalid address \"%s\": %s\n", argv[idx-1], nl_geterror());