* RE: Need a method to reset the ip_conntrack_count
@ 2005-10-13 11:59 ` Vincent
  0 siblings, 0 replies; 6+ messages in thread
From: Vincent @ 2005-10-13 11:59 UTC (permalink / raw)
  To: netfilter, 'Netfilter Development Mailinglist'

Hi,

Can I currently use the conntrack tools written by Harald Welte/Pablo Neira Ayuso
to flush the conntrack entries?
Then I could reset the ip_conntrack_count, as described in the
following problem.

And is there an individual patch based on kernel 2.6.10 for these
conntrack packages?

Thanks in advance

Vincent

> -----Original Message-----
> From: Vincent [mailto:cs83152@csie.chu.edu.tw] 
> Sent: Thursday, October 13, 2005 5:32 PM
> To: 'netfilter@lists.netfilter.org'
> Subject: Need a method to reset the ip_conntrack_count
> 
> 
> Hello folks,
> 
> I have encountered one question. Is there a way to flush
> the conntrack table besides reloading the ip_conntrack module
> (because I build it into the kernel)?
> 
> As far as I know, the current conntrack number was recorded 
> in the /proc/sys/net/ipv4/netfilter/ip_conntrack_count
> So I want to know whether a method exists to reset
> the current conntrack counter.
> 
> My Environment:
> Kernel: 2.6.10
> Iptables: 1.2.9
> 
> Any hints are appreciated.
> 
> Vincent
> 
> 



* [PATCH 2.4] Introducing Bidirectional conntrack mark
@ 2005-09-07  9:39 Jesse Peng
  2005-10-13  9:32 ` Need a method to reset the ip_conntrack_count Vincent
  0 siblings, 1 reply; 6+ messages in thread
From: Jesse Peng @ 2005-09-07  9:39 UTC (permalink / raw)
  To: Henrik Nordstrom, Wang Jian; +Cc: netfilter-devel

Greetings all,
This patch fully derives from Henrik Nordstrom's long-known connmark patch but is extended to a bidirectional solution.
The solution once discussed as the following link:
https://lists.netfilter.org/pipermail/netfilter-devel/2005-March/018784.html


Dear Henrik:
Feel free to give any advice for the work extending your existing famous connmark patch.

Dear Jian:
I got approved for quite a period,but sorry for this late posting this patch after a busy season.Hope this help!

Cheers
Jesse 
-------------- next part --------------
diff -Nru a/include/linux/netfilter_ipv4/ipt_ctdirmark.h b/include/linux/netfilter_ipv4/ipt_ctdirmark.h
--- a/include/linux/netfilter_ipv4/ipt_ctdirmark.h      Wed Sep  7 16:12:33 2005
+++ b/include/linux/netfilter_ipv4/ipt_ctdirmark.h   Wed Sep  7 15:23:40 2005
@@ -0,0 +1,16 @@
+#ifndef _IPT_CTDIRMARK_H
+#define _IPT_CTDIRMARK_H
+
+#define IPT_CTDIRMARK_ORIGINAL         0x01
+#define IPT_CTDIRMARK_REPLY            0x02
+
+#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
+
+struct ipt_ctdirmark_info {
+        u_int8_t bitmask;
+       unsigned long mark[IP_CT_DIR_MAX], mask[IP_CT_DIR_MAX];
+       u_int8_t invert;
+};
+
+#endif /*_IPT_CTDIRMARK_H*/
+
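Review bot: This header declares the match ABI, but the rest of the series depends on two pieces that appear in no hunk here: both kernel modules read and write `ct->mark_dir[IP_CT_DIR_ORIGINAL]`/`[IP_CT_DIR_REPLY]` on `struct ip_conntrack`, and `ipt_CTDIRMARK.c`, `libipt_ctdirmark.c` and `libipt_CTDIRMARK.c` all include an `ipt_CTDIRMARK.h` that defines `struct ipt_ctdirmark_target_info` and the `IPT_CTDIRMARK_SET`/`SAVE`/`RESTORE` and `IPT_CTDIRMARK_TARGET_*` constants. Unless the `mark_dir[IP_CT_DIR_MAX]` addition to `ip_conntrack.h` and that target header were sent separately, the posted series does not build as-is. Since `struct ipt_ctdirmark_info` crosses the kernel/userspace boundary, `unsigned long mark[]`/`mask[]` makes its size depend on the ABI of the iptables binary versus the kernel; the `matchsize != IPT_ALIGN(sizeof ...)` check in the match's `checkentry` would reject such a rule rather than misread it, but a fixed-width type would avoid the mismatch if the tree's nfmark type allows it.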
diff -Nru a/net/ipv4/netfilter/Config.in b/net/ipv4/n
etfilter/Config.in
--- a/net/ipv4/netfilter/Config.in   Wed Jan 19 22:10:13 2005
+++ b/net/ipv4/netfilter/Config.in      Wed Sep  7 16:00:31 2005
@@ -7,6 +7,7 @@
 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
   dep_tristate '  FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
+  bool '  Bidirectional connection mark tracking support' CONFIG_IP_NF_CTDIRMARK
   dep_tristate '  Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
@@ -38,6 +39,9 @@
   fi
   if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
     dep_tristate '  Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+    if [ "$CONFIG_IP_NF_CTDIRMARK" != "n" ]; then
+      dep_tristate '  Bidirectional Connection mark match support' CONFIG_IP_NF_MATCH_CTDIRMARK $CONFIG_IP_NF_IPTABLES
+    fi
     dep_tristate '  Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IP
TABLES
   fi
   if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
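Review bot: The new `dep_tristate` for CONFIG_IP_NF_MATCH_CTDIRMARK depends only on `$CONFIG_IP_NF_IPTABLES`, unlike the neighbouring state and conntrack matches which also list `$CONFIG_IP_NF_CONNTRACK`; with conntrack built as a module this likely lets the match be selected `y`, and since `ipt_ctdirmark.o` calls `ip_conntrack_get()` the built-in object would be left with an unresolved reference. The same applies to the CONFIG_IP_NF_TARGET_CTDIRMARK entry in the next hunk. Suggested: `dep_tristate '  Bidirectional Connection mark match support' CONFIG_IP_NF_MATCH_CTDIRMARK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES`.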
@@ -105,6 +109,9 @@
     dep_tristate '    MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
   fi
   dep_tristate '  LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
+  if [ "$CONFIG_IP_NF_CTDIRMARK" != "n" ]; then
+    dep_tristate '  Bidirectional Connection mark target support' CONFIG_IP_NF_TARGET_CTDIRMARK $CONFIG_IP_NF_IPTABLES
+  fi
   dep_tristate '  ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
   dep_tristate '  TCPMSS target support' CONFIG_IP_NF_TARGET_TCPMSS $CONFIG_IP_NF_IPTABLES
 fi
diff -Nru a/net/ipv4/netfilter/Makefile b/net/ipv4/ne
tfilter/Makefile
--- a/net/ipv4/netfilter/Makefile    Mon Aug 25 19:44:44 2003
+++ b/net/ipv4/netfilter/Makefile       Wed Sep  7 16:24:52 2005
@@ -83,6 +83,7 @@

 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CTDIRMARK) += ipt_ctdirmark.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@@ -98,6 +99,7 @@
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CTDIRMARK) += ipt_CTDIRMARK.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
diff -Nru a/net/ipv4/netfilter/ipt_ctdirmark.c b/net/ipv4/netfilter/ipt_ctdirmark.c
--- a/net/ipv4/netfilter/ipt_ctdirmark.c        Wed Sep  7 16:27:49 2005
+++ b/net/ipv4/netfilter/ipt_ctdirmark.c     Wed Sep  7 15:24:48 2005
@@ -0,0 +1,64 @@
+/* Kernel module to match bidirectional connection mark values. */
+#define __KERNEL__
+#define MODULE
+#define MATCH   1
+#define NOMATCH 0
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include "ipt_ctdirmark.h"
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+       const struct ipt_ctdirmark_info *info = matchinfo;
+       enum ip_conntrack_info ctinfo;
+       struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+       if (!ct)
+           return 0;
+        if ((info->bitmask & IPT_CTDIRMARK_ORIGINAL &&
+           (!((ct->mark_dir[IP_CT_DIR_ORIGINAL] & info->mask[IP_CT_DIR_ORIGINAL]) == info->mark[IP_CT_DIR_ORIGINAL]) ^ !!(in
fo->invert & IPT_CTDIRMARK_ORIGINAL))) ||
+           (info->bitmask & IPT_CTDIRMARK_REPLY &&
+           (!((ct->mark_dir[IP_CT_DIR_REPLY] & info->mask[IP_CT_DIR_REPLY]) == info->mark[IP_CT_DIR_REPLY]) ^ !!(info->inver
t & IPT_CTDIRMARK_REPLY))))
+           return NOMATCH;
+        return MATCH;
+}
+
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)))
+               return 0;
+
+       return 1;
+}
+
+static struct ipt_match ctdirmark_match
+= { { NULL, NULL }, "ctdirmark", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+       return ipt_register_match(&ctdirmark_match);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_match(&ctdirmark_match);
+}
+
+module_init(init);
+module_exit(fini);
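Review bot: `#define __KERNEL__` and `#define MODULE` at the top of the file hard-code a modular build, while Config.in offers this match as a tristate, so a `y` selection would still compile the object with MODULE set; both defines should be dropped and left to the build flags, and the same applies to the `ipt_CTDIRMARK.c` hunk. The header is pulled in as `#include "ipt_ctdirmark.h"` although the series adds it under include/linux/netfilter_ipv4/, so unless that directory is on the quoted-include search path this should read `#include <linux/netfilter_ipv4/ipt_ctdirmark.h>`. `checkentry` only checks the size: an entry with `bitmask == 0` matches every conntracked packet and `invert` bits without a corresponding `bitmask` bit are silently ignored, so adding `if (!(info->bitmask & (IPT_CTDIRMARK_ORIGINAL | IPT_CTDIRMARK_REPLY)) || (info->invert & ~info->bitmask)) return 0;` keeps the kernel side from accepting rules the userspace `final_check` would refuse. The `(struct sk_buff *)skb` cast in `match` discards the parameter's `const`; if `ip_conntrack_get` really needs a non-const pointer a comment saying so would help the next reader.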
diff -Nru a/net/ipv4/netfilter/ipt_CTDIRMARK.c b/net/ipv4/netfilter/ipt_CTDIRMARK.c
--- a/net/ipv4/netfilter/ipt_CTDIRMARK.c        Wed Sep  7 16:31:08 2005
+++ b/net/ipv4/netfilter/ipt_CTDIRMARK.c     Wed Sep  7 15:25:19 2005
@@ -0,0 +1,103 @@
+/* This is a module which is used for setting/remembering the mark field of
+ * an connection, or optionally restore it to the skb
+ */
+#define __KERNEL__
+#define MODULE
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include "ipt_CTDIRMARK.h"
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       unsigned int hooknum,
+       const struct net_device *in,
+       const struct net_device *out,
+       const void *targinfo,
+       void *userinfo)
+{
+       const struct ipt_ctdirmark_target_info *info = targinfo;
+
+       enum ip_conntrack_info ctinfo;
+       struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+       if (ct) {
+           switch(info->mode) {
+           case IPT_CTDIRMARK_SET:
+                if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+                   ct->mark_dir[IP_CT_DIR_ORIGINAL] = info->mark[IP_CT_DIR_ORIGINAL];
+                if (info->bitmask & IPT_CTDIRMARK_REPLY)
+                   ct->mark_dir[IP_CT_DIR_REPLY] = info->mark[IP_CT_DIR_REPLY];
+               break;
+           case IPT_CTDIRMARK_SAVE:
+                if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+                   ct->mark_dir[IP_CT_DIR_ORIGINAL] = (*pskb)->nfmark;
+                if (info->bitmask & IPT_CTDIRMARK_REPLY)
+                   ct->mark_dir[IP_CT_DIR_REPLY] = (*pskb)->nfmark;
+               break;
+           case IPT_CTDIRMARK_RESTORE:
+                if (info->bitmask & IPT_CTDIRMARK_ORIGINAL){
+                   if (ct->mark_dir[IP_CT_DIR_ORIGINAL] != (*pskb)->nfmark) {
+                       (*pskb)->nfmark = ct->mark_dir[IP_CT_DIR_ORIGINAL];
+                       (*pskb)->nfcache |= NFC_ALTERED;
+                    }
+                }else if (info->bitmask & IPT_CTDIRMARK_REPLY){
+                   if (ct->mark_dir[IP_CT_DIR_REPLY] != (*pskb)->nfmark) {
+                       (*pskb)->nfmark = ct->mark_dir[IP_CT_DIR_REPLY];
+                       (*pskb)->nfcache |= NFC_ALTERED;
+                    }
+               }
+               break;
+           }
+       }
+
+       return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+          const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+       struct ipt_ctdirmark_target_info *info = targinfo;
+       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info))) {
+               printk(KERN_WARNING "CTDIRMARK: targinfosize %u != %Zu\n",
+                      targinfosize,
+                      IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)));
+               return 0;
+       }
+
+       if (info->mode == IPT_CTDIRMARK_RESTORE) {
+           if (strcmp(tablename, "mangle") != 0) {
+                   printk(KERN_WARNING "CTDIRMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablenam
e);
+                   return 0;
+           }
+       }
+
+       return 1;
+}
+
+static struct ipt_target ipt_ctdirmark_reg
+= { { NULL, NULL }, "CTDIRMARK", target, checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+       if (ipt_register_target(&ipt_ctdirmark_reg))
+               return -EINVAL;
+
+       return 0;
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_target(&ipt_ctdirmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
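Review bot: `checkentry` validates only the size and the RESTORE/mangle restriction; a `mode` outside SET/SAVE/RESTORE, or a `bitmask` with neither direction bit, is accepted and then silently does nothing in `target()` (the switch has no `default`), so the rule loads but never marks. Rejecting those at insertion time, e.g. `if (info->mode != IPT_CTDIRMARK_SET && info->mode != IPT_CTDIRMARK_SAVE && info->mode != IPT_CTDIRMARK_RESTORE) return 0;` and `if (!(info->bitmask & (IPT_CTDIRMARK_ORIGINAL | IPT_CTDIRMARK_REPLY))) return 0;`, surfaces the error where the user can see it. In the RESTORE case the `else if` means a rule with both direction bits restores only the original-direction mark, while the userspace parser accepts `--mark_original --mark_reply` together after `--restore-mark`; either reject that combination in `checkentry` or document it with `/* restore is single-valued: the original-direction mark wins when both bits are set */`.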

-------------- next part --------------
diff -Nru a/extensions/Makefile b/extensions/Makefile
--- a/extensions/Makefile       Wed Sep  7 16:42:31 2005
+++ b/extensions/Makefile Wed Sep  7 16:40:11 2005
@@ -5,7 +5,7 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah conntrack dscp ecn esp helper icmp iplimit length limit mac mark multiport owner physdev pkttype rpc standar
d state tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS T
TL ULOG
+PF_EXT_SLIB:=ah conntrack dscp ecn esp helper icmp iplimit length limit mac mark multiport owner physdev pkttype rpc standar
d state ctdirmark tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TC
PMSS TOS TTL ULOG CTDIRMARK
 PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK

 # Optionals
diff -Nru a/extensions/libipt_ctdirmark.c b/extensions/libipt_ctdirmark.c
--- a/extensions/libipt_ctdirmark.c     Wed Sep  7 16:46:18 2005
+++ b/extensions/libipt_ctdirmark.c       Wed Sep  7 15:28:33 2005
@@ -0,0 +1,171 @@
+/* Shared library add-on to iptables to add CTDIRMARK matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_CTDIRMARK.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+       printf(
+"ctdirmark match v%s options:\n"
+"[!] --mark_original value[/mask]         Match nfmark in dir original value with optional mask\n"
+"[!] --mark_reply value[/mask]         Match nfmark in dir reply value with optional mask\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+       { "mark_original", 1, 0, '1' },
+        { "mark_reply", 1, 0, '2' },
+       {0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+       /* Can't cache this. */
+       *nfcache |= NFC_UNKNOWN;
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      unsigned int *nfcache,
+      struct ipt_entry_match **match)
+{
+       struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)(*match)->data;
+
+       switch (c) {
+               char *end;
+       case '1':
+               if (*flags & IPT_CTDIRMARK_ORIGINAL)
+                        goto multiple_use;
+                check_inverse(optarg, &invert, &optind, 0);
+               info->mark[IP_CT_DIR_ORIGINAL] = strtoul(optarg, &end, 0);
+               if (*end == '/') {
+                       info->mask[IP_CT_DIR_ORIGINAL] = strtoul(end+1, &end, 0);
+               } else
+                       info->mask[IP_CT_DIR_ORIGINAL] = 0xffffffff;
+               if (*end != '\0' || end == optarg)
+                       exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+               if (invert)
+                       info->invert |= IPT_CTDIRMARK_ORIGINAL;
+               info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+               *flags |= IPT_CTDIRMARK_ORIGINAL;
+               break;
+
+        case '2':
+               if (*flags & IPT_CTDIRMARK_REPLY)
+                        goto multiple_use;
+                check_inverse(optarg, &invert, &optind, 0);
+               info->mark[IP_CT_DIR_REPLY] = strtoul(optarg, &end, 0);
+               if (*end == '/') {
+                       info->mask[IP_CT_DIR_REPLY] = strtoul(end+1, &end, 0);
+               } else
+                       info->mask[IP_CT_DIR_REPLY] = 0xffffffff;
+               if (*end != '\0' || end == optarg)
+                       exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+               if (invert)
+                       info->invert |= IPT_CTDIRMARK_REPLY;
+               info->bitmask |= IPT_CTDIRMARK_REPLY;
+               *flags |= IPT_CTDIRMARK_REPLY;
+               break;
+       default:
+               return 0;
+       }
+       return 1;
+        multiple_use:
+       exit_error(PARAMETER_PROBLEM,
+          "multiple use of the same ctdirmark  option is not allowed");
+}
+
+static void
+print_mark(unsigned long mark, unsigned long mask, int numeric)
+{
+       if(mask != 0xffffffff)
+               printf("0x%lx/0x%lx ", mark, mask);
+       else
+               printf("0x%lx ", mark);
+}
+
+/* Final check; must have specified --mark. */
+static void
+final_check(unsigned int flags)
+{
+       if (!flags)
+               exit_error(PARAMETER_PROBLEM,
+                          "MARK match: You must specify `--mark_original' or `--mark_reply'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_match *match,
+      int numeric)
+{
+       struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)match->data;
+
+       printf("ctdirmark match ");
+        if (info->bitmask & IPT_CTDIRMARK_ORIGINAL) {
+           if (info->invert & IPT_CTDIRMARK_ORIGINAL)
+               printf("!");
+            printf("--mark_original ");
+           print_mark(info->mark[IP_CT_DIR_ORIGINAL], info->mask[IP_CT_DIR_ORIGINAL], numeric);
+        }
+        if (info->bitmask & IPT_CTDIRMARK_REPLY) {
+           if (info->invert & IPT_CTDIRMARK_REPLY)
+               printf("!");
+            printf("--mark_reply ");
+           print_mark(info->mark[IP_CT_DIR_REPLY], info->mask[IP_CT_DIR_REPLY], numeric);
+        }
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+       struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)match->data;
+
+       if (info->bitmask & IPT_CTDIRMARK_ORIGINAL) {
+           if (info->invert & IPT_CTDIRMARK_ORIGINAL)
+               printf("!");
+            printf("--mark_original ");
+           print_mark(info->mark[IP_CT_DIR_ORIGINAL], info->mask[IP_CT_DIR_ORIGINAL], 0);
+        }
+        if (info->bitmask & IPT_CTDIRMARK_REPLY) {
+           if (info->invert & IPT_CTDIRMARK_REPLY)
+               printf("!");
+            printf("--mark_reply ");
+           print_mark(info->mark[IP_CT_DIR_REPLY], info->mask[IP_CT_DIR_REPLY], 0);
+        }
+}
+
+static
+struct iptables_match mark
+= { NULL,
+    "ctdirmark",
+    NETFILTER_VERSION,
+    IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)),
+    IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)),
+    &help,
+    &init,
+    &parse,
+    &final_check,
+    &print,
+    &save,
+    opts
+};
+
+void _init(void)
+{
+       register_match(&mark);
+}
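Review bot: The file includes `<linux/netfilter_ipv4/ipt_CTDIRMARK.h>` but everything it uses (`struct ipt_ctdirmark_info`, `IPT_CTDIRMARK_ORIGINAL`/`REPLY`) is declared in the `ipt_ctdirmark.h` added by the kernel part of this series, so unless that target header re-includes the match header the include should read `#include <linux/netfilter_ipv4/ipt_ctdirmark.h>`. In `parse`, a value written as `5/` passes both checks: the second `strtoul` consumes nothing, `*end` is then `'\0'` and `end == optarg` is false, so the mask becomes 0 and the rule can never match (or, with `0/`, always matches) instead of being rejected; checking the mask's own end pointer, e.g. `char *mend; info->mask[IP_CT_DIR_ORIGINAL] = strtoul(end+1, &mend, 0); if (mend == end+1) exit_error(PARAMETER_PROBLEM, "Bad MARK mask `%s'", optarg);`, would catch it, and the same applies to the `--mark_reply` case. The `final_check` message says `MARK match:`; it should say `ctdirmark match:` so the error is attributable to this extension.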
diff -Nru a/extensions/libipt_CTDIRMARK.c b/extensions/libipt_CTDIRMARK.c
--- a/extensions/libipt_CTDIRMARK.c     Wed Sep  7 16:48:53 2005
+++ b/extensions/libipt_CTDIRMARK.c       Wed Sep  7 15:28:52 2005
@@ -0,0 +1,221 @@
+/* Shared library add-on to iptables to add CTDIRMARK target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CTDIRMARK.h>
+
+/*
+#if 0
+struct markinfo {
+       struct ipt_entry_target t;
+       struct ipt_ctdirmark_target_info mark;
+};
+#endif
+*/
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+       printf(
+"CTDIRMARK target v%s options:\n"
+"  --set-mark_original value              Set ctdirmark mark value in original dir\n"
+"  --set-mark_reply value              Set ctdirmark mark value in reply dir\n"
+"  --save-mark                   Save the packet nfmark on the connection in the specified dir\n"
+"  --restore-mark                Restore saved nfmark value\n"
+"  --mark_original               specify original dir\n"
+"  --mark_reply                  specify reply dir\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+       { "set-mark_original", 1, 0, '1' },
+        { "set-mark_reply", 1, 0, '2' },
+       { "save-mark", 0, 0, '3' },
+       { "restore-mark", 0, 0, '4' },
+        { "mark_original", 0, 0, '5' },
+        { "mark_reply", 0, 0, '6' },
+       { 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      struct ipt_entry_target **target)
+{
+       struct ipt_ctdirmark_target_info *info
+               = (struct ipt_ctdirmark_target_info *)(*target)->data;
+
+       switch (c) {
+               char *end;
+       case '1':
+               if (*flags & ~IPT_CTDIRMARK_TARGET_SET_REPLY)
+                        goto multiple_use;
+                info->mode = IPT_CTDIRMARK_SET;
+                info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+               info->mark[IP_CT_DIR_ORIGINAL] = strtoul(optarg, &end, 0);
+               if (*end != '\0' || end == optarg)
+                       exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+               *flags |= IPT_CTDIRMARK_TARGET_SET_ORIGINAL;
+               break;
+        case '2':
+               if (*flags & ~IPT_CTDIRMARK_TARGET_SET_ORIGINAL)
+                        goto multiple_use;
+                info->mode = IPT_CTDIRMARK_SET;
+                info->bitmask |= IPT_CTDIRMARK_REPLY;
+               info->mark[IP_CT_DIR_REPLY] = strtoul(optarg, &end, 0);
+               if (*end != '\0' || end == optarg)
+                       exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+               *flags |= IPT_CTDIRMARK_TARGET_SET_REPLY;
+                break;
+       case '3':
+                if (*flags)
+                        goto multiple_use;
+               info->mode = IPT_CTDIRMARK_SAVE;
+               *flags |= IPT_CTDIRMARK_TARGET_SAVE;
+               break;
+       case '4':
+                if (*flags)
+                        goto multiple_use;
+               info->mode = IPT_CTDIRMARK_RESTORE;
+               *flags |= IPT_CTDIRMARK_TARGET_RESTORE;
+               break;
+        case '5':
+                if ((*flags & IPT_CTDIRMARK_TARGET_SET_ORIGINAL) ||
+                     (*flags & IPT_CTDIRMARK_TARGET_SET_REPLY) ||
+                      (*flags & IPT_CTDIRMARK_TARGET_ORIGINAL))
+                        goto multiple_use;
+                if (!(*flags & IPT_CTDIRMARK_TARGET_SAVE) &&
+                      !(*flags & IPT_CTDIRMARK_TARGET_RESTORE))
+                        goto wrong_use;
+                info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+                *flags |= IPT_CTDIRMARK_TARGET_ORIGINAL;
+               break;
+        case '6':
+                if ((*flags & IPT_CTDIRMARK_TARGET_SET_ORIGINAL) ||
+                     (*flags & IPT_CTDIRMARK_TARGET_SET_REPLY) ||
+                      (*flags & IPT_CTDIRMARK_TARGET_REPLY))
+                        goto multiple_use;
+                if (!(*flags & IPT_CTDIRMARK_TARGET_SAVE) &&
+                      !(*flags & IPT_CTDIRMARK_TARGET_RESTORE))
+                        goto wrong_use;
+                info->bitmask |= IPT_CTDIRMARK_REPLY;
+               *flags |= IPT_CTDIRMARK_TARGET_REPLY;
+               break;
+       default:
+               return 0;
+       }
+
+       return 1;
+multiple_use:
+       exit_error(PARAMETER_PROBLEM,
+          "multiple use of the same ctdirmark option is not allowed");
+wrong_use:
+       exit_error(PARAMETER_PROBLEM,
+          "without save or restore option in advance is not allowed");
+}
+
+static void
+final_check(unsigned int flags)
+{
+       if (!flags)
+               exit_error(PARAMETER_PROBLEM,
+                          "CTDIRMARK target: Parameter --set-mark_original or --set-mark_reply is required");
+}
+
+static void
+print_mark(unsigned long mark, int numeric)
+{
+       printf("0x%lx ", mark);
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_target *target,
+      int numeric)
+{
+       const struct ipt_ctdirmark_target_info *info =
+               (const struct ipt_ctdirmark_target_info *)target->data;
+       switch (info->mode) {
+       case IPT_CTDIRMARK_SET:
+            if (info->bitmask & IPT_CTDIRMARK_ORIGINAL){
+           printf("CTDIRMARK set original");
+           print_mark(info->mark[IP_CT_DIR_ORIGINAL], numeric);
+            }
+            if (info->bitmask & IPT_CTDIRMARK_REPLY){
+            printf("CTDIRMARK set reply");
+           print_mark(info->mark[IP_CT_DIR_REPLY], numeric);
+            }
+           break;
+       case IPT_CTDIRMARK_SAVE:
+           printf("CTDIRMARK save ");
+           break;
+       case IPT_CTDIRMARK_RESTORE:
+           printf("CTDIRMARK restore ");
+           break;
+       default:
+           printf("ERROR: UNKNOWN CTDIRMARK MODE ");
+           break;
+       }
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+       const struct ipt_ctdirmark_target_info *info =
+               (const struct ipt_ctdirmark_target_info *)target->data;
+
+       switch (info->mode) {
+       case IPT_CTDIRMARK_SET:
+            if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+              printf("--set-mark_original 0x%lx ", info->mark[IP_CT_DIR_ORIGINAL]);
+            if (info->bitmask & IPT_CTDIRMARK_REPLY)
+               printf("--set-mark_reply 0x%lx ", info->mark[IP_CT_DIR_REPLY]);
+           break;
+       case IPT_CTDIRMARK_SAVE:
+           printf("--save-mark ");
+           break;
+       case IPT_CTDIRMARK_RESTORE:
+           printf("--restore-mark ");
+           break;
+       default:
+           printf("ERROR: UNKNOWN CTDIRMARK MODE ");
+           break;
+       }
+}
+
+static
+struct iptables_target mark
+= { NULL,
+    "CTDIRMARK",
+    NETFILTER_VERSION,
+    IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)),
+    IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)),
+    &help,
+    &init,
+    &parse,
+    &final_check,
+    &print,
+    &save,
+    opts
+};
+
+void _init(void)
+{
+       register_target(&mark);
+}
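Review bot: `final_check` only rejects an empty `flags`, so `--save-mark` or `--restore-mark` given without `--mark_original`/`--mark_reply` is accepted with `bitmask == 0`, and the kernel `target()` then does nothing for that rule; it should require a direction for those modes, e.g. `if ((flags & (IPT_CTDIRMARK_TARGET_SAVE | IPT_CTDIRMARK_TARGET_RESTORE)) && !(flags & (IPT_CTDIRMARK_TARGET_ORIGINAL | IPT_CTDIRMARK_TARGET_REPLY))) exit_error(PARAMETER_PROBLEM, "CTDIRMARK target: --save-mark/--restore-mark require --mark_original or --mark_reply");`, and the existing message should mention those options as well. In `print`, `printf("CTDIRMARK set original")` and `printf("CTDIRMARK set reply")` carry no trailing space, so the value emitted by `print_mark` runs into the word (`original0x1`), unlike the save/restore branches. The commented-out `#if 0 struct markinfo` block near the top is dead code and can be removed.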

