src/f_ct.c

   1 /*
   2  * src/f_ct.c           Conntrack Filter
   3  *
   4  *      This library is free software; you can redistribute it and/or
   5  *      modify it under the terms of the GNU Lesser General Public
   6  *      License as published by the Free Software Foundation version 2.1
   7  *      of the License.
   8  *
   9  * Copyright (c) 2003-2006 Thomas Graf <tgraf@suug.ch>
  10  * Copyright (c) 2007 Philip Craig <philipc@snapgear.com>
  11  * Copyright (c) 2007 Secure Computing Corporation
  12  */
  13
  14 static void get_filter(struct nfnl_ct *ct, int argc, char **argv, int idx)
  15 {
  16         struct nl_addr *a;
  17
  18         while (argc > idx) {
  19                 if (arg_match("family")) {
  20                         if (argc > ++idx) {
  21                                 int family = nl_str2af(argv[idx++]);
  22                                 if (family == AF_UNSPEC)
  23                                         goto err_invaf;
  24                                 nfnl_ct_set_family(ct, family);
  25                         }
  26                 } else if (arg_match("proto")) {
  27                         if (argc > ++idx) {
  28                                 int proto = nl_str2ip_proto(argv[idx++]);
  29                                 if (proto < 0)
  30                                         goto err_invproto;
  31                                 nfnl_ct_set_proto(ct, proto);
  32                         }
  33                 } else if (arg_match("tcpstate")) {
  34                         if (argc > ++idx) {
  35                                 int state = nfnl_ct_str2tcp_state(argv[idx++]);
  36                                 if (state < 0)
  37                                         goto err_invtcpstate;
  38                                 nfnl_ct_set_tcp_state(ct, state);
  39                         }
  40                 } else if (arg_match("status")) {
  41                         if (argc > ++idx) {
  42                                 int status = strtoul(argv[idx++], NULL, 0);
  43                                 nfnl_ct_set_status(ct, status);
  44                                 nfnl_ct_unset_status(ct, ~status);
  45                         }
  46                 } else if (arg_match("timeout")) {
  47                         if (argc > ++idx)
  48                                 nfnl_ct_set_timeout(ct, strtoul(argv[idx++], NULL, 0));
  49                 } else if (arg_match("mark")) {
  50                         if (argc > ++idx)
  51                                 nfnl_ct_set_mark(ct, strtoul(argv[idx++], NULL, 0));
  52                 } else if (arg_match("use")) {
  53                         if (argc > ++idx)
  54                                 nfnl_ct_set_use(ct, strtoul(argv[idx++], NULL, 0));
  55                 } else if (arg_match("id")) {
  56                         if (argc > ++idx)
  57                                 nfnl_ct_set_id(ct, strtoul(argv[idx++], NULL, 0));
  58                 } else if (arg_match("origsrc")) {
  59                         if (argc > ++idx) {
  60                                 a = nl_addr_parse(argv[idx++],
  61                                                   nfnl_ct_get_family(ct));
  62                                 if (!a)
  63                                         goto err_invaddr;
  64                                 nfnl_ct_set_src(ct, 0, a);
  65                                 nl_addr_put(a);
  66                         }
  67                 } else if (arg_match("origdst")) {
  68                         if (argc > ++idx) {
  69                                 a = nl_addr_parse(argv[idx++],
  70                                                   nfnl_ct_get_family(ct));
  71                                 if (!a)
  72                                         goto err_invaddr;
  73                                 nfnl_ct_set_dst(ct, 0, a);
  74                                 nl_addr_put(a);
  75                         }
  76                 } else if (arg_match("origsrcport")) {
  77                         if (argc > ++idx)
  78                                 nfnl_ct_set_src_port(ct, 0, strtoul(argv[idx++], NULL, 0));
  79                 } else if (arg_match("origdstport")) {
  80                         if (argc > ++idx)
  81                                 nfnl_ct_set_dst_port(ct, 0, strtoul(argv[idx++], NULL, 0));
  82                 } else if (arg_match("origicmpid")) {
  83                         if (argc > ++idx)
  84                                 nfnl_ct_set_icmp_id(ct, 0, strtoul(argv[idx++], NULL, 0));
  85                 } else if (arg_match("origicmptype")) {
  86                         if (argc > ++idx)
  87                                 nfnl_ct_set_icmp_type(ct, 0, strtoul(argv[idx++], NULL, 0));
  88                 } else if (arg_match("origicmpcode")) {
  89                         if (argc > ++idx)
  90                                 nfnl_ct_set_icmp_code(ct, 0, strtoul(argv[idx++], NULL, 0));
  91                 } else if (arg_match("origpackets")) {
  92                         if (argc > ++idx)
  93                                 nfnl_ct_set_packets(ct, 0, strtoul(argv[idx++], NULL, 0));
  94                 } else if (arg_match("origbytes")) {
  95                         if (argc > ++idx)
  96                                 nfnl_ct_set_bytes(ct, 0, strtoul(argv[idx++], NULL, 0));
  97                 } else if (arg_match("replysrc")) {
  98                         if (argc > ++idx) {
  99                                 a = nl_addr_parse(argv[idx++],
 100                                                   nfnl_ct_get_family(ct));
 101                                 if (!a)
 102                                         goto err_invaddr;
 103                                 nfnl_ct_set_src(ct, 1, a);
 104                                 nl_addr_put(a);
 105                         }
 106                 } else if (arg_match("replydst")) {
 107                         if (argc > ++idx) {
 108                                 a = nl_addr_parse(argv[idx++],
 109                                                   nfnl_ct_get_family(ct));
 110                                 if (!a)
 111                                         goto err_invaddr;
 112                                 nfnl_ct_set_dst(ct, 1, a);
 113                                 nl_addr_put(a);
 114                         }
 115                 } else if (arg_match("replysrcport")) {
 116                         if (argc > ++idx)
 117                                 nfnl_ct_set_src_port(ct, 1, strtoul(argv[idx++], NULL, 0));
 118                 } else if (arg_match("replydstport")) {
 119                         if (argc > ++idx)
 120                                 nfnl_ct_set_dst_port(ct, 1, strtoul(argv[idx++], NULL, 0));
 121                 } else if (arg_match("replyicmpid")) {
 122                         if (argc > ++idx)
 123                                 nfnl_ct_set_icmp_id(ct, 1, strtoul(argv[idx++], NULL, 0));
 124                 } else if (arg_match("replyicmptype")) {
 125                         if (argc > ++idx)
 126                                 nfnl_ct_set_icmp_type(ct, 1, strtoul(argv[idx++], NULL, 0));
 127                 } else if (arg_match("replyicmpcode")) {
 128                         if (argc > ++idx)
 129                                 nfnl_ct_set_icmp_code(ct, 1, strtoul(argv[idx++], NULL, 0));
 130                 } else if (arg_match("replypackets")) {
 131                         if (argc > ++idx)
 132                                 nfnl_ct_set_packets(ct, 1, strtoul(argv[idx++], NULL, 0));
 133                 } else if (arg_match("replybytes")) {
 134                         if (argc > ++idx)
 135                                 nfnl_ct_set_bytes(ct, 1, strtoul(argv[idx++], NULL, 0));
 136                 }
 137 #define MSTATUS(STR, STATUS) \
 138         else if (!strcasecmp(argv[idx], STR)) { \
 139                 nfnl_ct_set_status(ct, STATUS); idx++; }
 140 #define MNOSTATUS(STR, STATUS) \
 141         else if (!strcasecmp(argv[idx], STR)) { \
 142                 nfnl_ct_unset_status(ct, STATUS); idx++; }
 143
 144                 MSTATUS("replied", IPS_SEEN_REPLY)
 145                 MNOSTATUS("unreplied", IPS_SEEN_REPLY)
 146                 MSTATUS("assured", IPS_ASSURED)
 147                 MNOSTATUS("unassured", IPS_ASSURED)
 148 #undef MSTATUS
 149 #undef MNOSTATUS
 150                 else {
 151                         fprintf(stderr, "What is '%s'?\n", argv[idx]);
 152                         exit(1);
 153                 }
 154         }
 155
 156         return;
 157
 158 err_invproto:
 159         fprintf(stderr, "Invalid IP protocol \"%s\".\n", argv[idx-1]);
 160         exit(1);
 161 err_invtcpstate:
 162         fprintf(stderr, "Invalid TCP state \"%s\".\n", argv[idx-1]);
 163         exit(1);
 164 err_invaf:
 165         fprintf(stderr, "Invalid address family \"%s\"\n", argv[idx-1]);
 166         exit(1);
 167 err_invaddr:
 168         fprintf(stderr, "Invalid address \"%s\": %s\n", argv[idx-1], nl_geterror());
 169         exit(1);
 170 }