* RE: Need a method to reset the ip_conntrack_count
@ 2005-10-13 11:59 ` Vincent
From: Vincent @ 2005-10-13 11:59 UTC (permalink / raw)
To: netfilter, 'Netfilter Development Mailinglist'
Hi,
Can I use the conntrack tools written by Harald Welte/Pablo Neira Ayuso
to flush the current conntrack entries?
And then I could reset the ip_conntrack_count described in the
following problem.
And do we have an individual patch based on kernel 2.6.10 for these
conntrack packages?
Thanks in advance
Vincent
> -----Original Message-----
> From: Vincent [mailto:cs83152@csie.chu.edu.tw]
> Sent: Thursday, October 13, 2005 5:32 PM
> To: 'netfilter@lists.netfilter.org'
> Subject: Need a method to reset the ip_conntrack_count
>
>
> Hello folks,
>
> I have encountered one question. Is there a way to flush
> the conntrack table besides reloading the ip_conntrack module
> (because I use the method of building it into the kernel)?
>
> As far as I know, the current conntrack number is recorded
> in /proc/sys/net/ipv4/netfilter/ip_conntrack_count,
> so I want to know whether a method exists to reset
> the current conntrack counter.
>
> My Environment:
> Kernel: 2.6.10
> Iptables: 1.2.9
>
> Any hints are appreciated.
>
> Vincent
>
>
* RE: Need a method to reset the ip_conntrack_count
2005-10-13 11:59 ` Vincent
@ 2005-10-13 21:49 ` Henrik Nordstrom
From: Henrik Nordstrom @ 2005-10-13 21:49 UTC (permalink / raw)
To: Vincent; +Cc: 'Netfilter Development Mailinglist', netfilter
On Thu, 13 Oct 2005, Vincent wrote:
> And do we have the individual patch based on kernel 2.6.10 for the teses
> contrack packages?
It is quite unlikely you will find patches to 2.6.10 for this.
Any reason why you can not upgrade the kernel?
Regards
Henrik
* [PATCH 2.4] Introducing Bidirectional conntrack mark
@ 2005-09-07 9:39 Jesse Peng
2005-10-13 9:32 ` Need a method to reset the ip_conntrack_count Vincent
From: Jesse Peng @ 2005-09-07 9:39 UTC (permalink / raw)
To: Henrik Nordstrom, Wang Jian; +Cc: netfilter-devel
Greetings all,
This patch fully derives from Henrik Nordstrom's well-known connmark patch but is extended into a bidirectional solution.
The solution was once discussed at the following link:
https://lists.netfilter.org/pipermail/netfilter-devel/2005-March/018784.html
Dear Henrik:
Feel free to give any advice on this work extending your existing, well-known connmark patch.
Dear Jian:
I got approval quite a while ago, but sorry for posting this patch so late after a busy season. Hope this helps!
Cheers
Jesse
-------------- next part --------------
diff -Nru a/include/linux/netfilter_ipv4/ipt_ctdirmark.h b/include/linux/netfilter_ipv4/ipt_ctdirmark.h
--- a/include/linux/netfilter_ipv4/ipt_ctdirmark.h Wed Sep 7 16:12:33 2005
+++ b/include/linux/netfilter_ipv4/ipt_ctdirmark.h Wed Sep 7 15:23:40 2005
@@ -0,0 +1,16 @@
+#ifndef _IPT_CTDIRMARK_H
+#define _IPT_CTDIRMARK_H
+
+#define IPT_CTDIRMARK_ORIGINAL 0x01
+#define IPT_CTDIRMARK_REPLY 0x02
+
+#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
+
+struct ipt_ctdirmark_info {
+ u_int8_t bitmask;
+ unsigned long mark[IP_CT_DIR_MAX], mask[IP_CT_DIR_MAX];
+ u_int8_t invert;
+};
+
+#endif /*_IPT_CTDIRMARK_H*/
+
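Review bot: the header that the target module and both user-space extensions include, `ipt_CTDIRMARK.h` (which must declare `struct ipt_ctdirmark_target_info`, `IPT_CTDIRMARK_SET/SAVE/RESTORE` and the `IPT_CTDIRMARK_TARGET_*` flags), is not in this posting, and neither is the `ip_conntrack.h` hunk adding the `mark_dir[IP_CT_DIR_MAX]` field to `struct ip_conntrack` that `ipt_ctdirmark.c` and `ipt_CTDIRMARK.c` dereference; as posted, neither kernel module nor either extension compiles. Please include both, and since `libipt_ctdirmark.c` includes the target header rather than this one, keep the shared `IPT_CTDIRMARK_ORIGINAL`/`IPT_CTDIRMARK_REPLY` direction bits in a single header instead of defining them twice.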
diff -Nru a/net/ipv4/netfilter/Config.in b/net/ipv4/n
etfilter/Config.in
--- a/net/ipv4/netfilter/Config.in Wed Jan 19 22:10:13 2005
+++ b/net/ipv4/netfilter/Config.in Wed Sep 7 16:00:31 2005
@@ -7,6 +7,7 @@
tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
+ bool ' Bidirectional connection mark tracking support' CONFIG_IP_NF_CTDIRMARK
dep_tristate ' Amanda protocol support' CONFIG_IP_NF_AMANDA $CONFIG_IP_NF_CONNTRACK
dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
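Review bot: `CONFIG_IP_NF_CTDIRMARK` is introduced here, but nothing in the posted C code tests it (no `#ifdef CONFIG_IP_NF_CTDIRMARK` around the per-connection `mark_dir` storage or anywhere else), so it acts only as a menu gate for the match and target. If it is meant to control the extra storage in `struct ip_conntrack`, the `ip_conntrack.h` change should key off it; if not, drop the option and let the two tristates below depend on `$CONFIG_IP_NF_CONNTRACK` directly.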
@@ -38,6 +39,9 @@
fi
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CTDIRMARK" != "n" ]; then
+ dep_tristate ' Bidirectional Connection mark match support' CONFIG_IP_NF_MATCH_CTDIRMARK $CONFIG_IP_NF_IPTABLES
+ fi
dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IP
TABLES
fi
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
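Review bot: the new `dep_tristate` for `CONFIG_IP_NF_MATCH_CTDIRMARK` lists only `$CONFIG_IP_NF_IPTABLES`, unlike the adjacent state and conntrack match lines, which also depend on `$CONFIG_IP_NF_CONNTRACK`; add it so the match cannot be built in (`y`) while connection tracking is modular (`m`).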
@@ -105,6 +109,9 @@
dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
fi
dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CTDIRMARK" != "n" ]; then
+ dep_tristate ' Bidirectional Connection mark target support' CONFIG_IP_NF_TARGET_CTDIRMARK $CONFIG_IP_NF_IPTABLES
+ fi
dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
dep_tristate ' TCPMSS target support' CONFIG_IP_NF_TARGET_TCPMSS $CONFIG_IP_NF_IPTABLES
fi
diff -Nru a/net/ipv4/netfilter/Makefile b/net/ipv4/ne
tfilter/Makefile
--- a/net/ipv4/netfilter/Makefile Mon Aug 25 19:44:44 2003
+++ b/net/ipv4/netfilter/Makefile Wed Sep 7 16:24:52 2005
@@ -83,6 +83,7 @@
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CTDIRMARK) += ipt_ctdirmark.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@@ -98,6 +99,7 @@
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CTDIRMARK) += ipt_CTDIRMARK.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
diff -Nru a/net/ipv4/netfilter/ipt_ctdirmark.c b/net/ipv4/netfilter/ipt_ctdirmark.c
--- a/net/ipv4/netfilter/ipt_ctdirmark.c Wed Sep 7 16:27:49 2005
+++ b/net/ipv4/netfilter/ipt_ctdirmark.c Wed Sep 7 15:24:48 2005
@@ -0,0 +1,64 @@
+/* Kernel module to match bidirectional connection mark values. */
+#define __KERNEL__
+#define MODULE
+#define MATCH 1
+#define NOMATCH 0
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include "ipt_ctdirmark.h"
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_ctdirmark_info *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+ if (!ct)
+ return 0;
+ if ((info->bitmask & IPT_CTDIRMARK_ORIGINAL &&
+ (!((ct->mark_dir[IP_CT_DIR_ORIGINAL] & info->mask[IP_CT_DIR_ORIGINAL]) == info->mark[IP_CT_DIR_ORIGINAL]) ^ !!(in
fo->invert & IPT_CTDIRMARK_ORIGINAL))) ||
+ (info->bitmask & IPT_CTDIRMARK_REPLY &&
+ (!((ct->mark_dir[IP_CT_DIR_REPLY] & info->mask[IP_CT_DIR_REPLY]) == info->mark[IP_CT_DIR_REPLY]) ^ !!(info->inver
t & IPT_CTDIRMARK_REPLY))))
+ return NOMATCH;
+ return MATCH;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match ctdirmark_match
+= { { NULL, NULL }, "ctdirmark", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ipt_register_match(&ctdirmark_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&ctdirmark_match);
+}
+
+module_init(init);
+module_exit(fini);
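Review bot: `#define __KERNEL__` and `#define MODULE` at the top of the file override the build system, so a kernel configured with `CONFIG_IP_NF_MATCH_CTDIRMARK=y` still compiles this as a module; drop both lines (the kernel Makefile already passes them for module builds). Further: `#include "ipt_ctdirmark.h"` should be `<linux/netfilter_ipv4/ipt_ctdirmark.h>`, which is where the header hunk puts it; `checkentry` validates only the size, so a rule whose `bitmask` is 0 is accepted and then matches every tracked packet, so add `if (!info->bitmask) return 0;`; and add `MODULE_LICENSE("GPL");`. Minor: the early `return 0` for untracked packets should be `return NOMATCH;` for consistency with the rest of the function.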
diff -Nru a/net/ipv4/netfilter/ipt_CTDIRMARK.c b/net/ipv4/netfilter/ipt_CTDIRMARK.c
--- a/net/ipv4/netfilter/ipt_CTDIRMARK.c Wed Sep 7 16:31:08 2005
+++ b/net/ipv4/netfilter/ipt_CTDIRMARK.c Wed Sep 7 15:25:19 2005
@@ -0,0 +1,103 @@
+/* This is a module which is used for setting/remembering the mark field of
+ * an connection, or optionally restore it to the skb
+ */
+#define __KERNEL__
+#define MODULE
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include "ipt_CTDIRMARK.h"
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+ unsigned int hooknum,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *targinfo,
+ void *userinfo)
+{
+ const struct ipt_ctdirmark_target_info *info = targinfo;
+
+ enum ip_conntrack_info ctinfo;
+ struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+ if (ct) {
+ switch(info->mode) {
+ case IPT_CTDIRMARK_SET:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+ ct->mark_dir[IP_CT_DIR_ORIGINAL] = info->mark[IP_CT_DIR_ORIGINAL];
+ if (info->bitmask & IPT_CTDIRMARK_REPLY)
+ ct->mark_dir[IP_CT_DIR_REPLY] = info->mark[IP_CT_DIR_REPLY];
+ break;
+ case IPT_CTDIRMARK_SAVE:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+ ct->mark_dir[IP_CT_DIR_ORIGINAL] = (*pskb)->nfmark;
+ if (info->bitmask & IPT_CTDIRMARK_REPLY)
+ ct->mark_dir[IP_CT_DIR_REPLY] = (*pskb)->nfmark;
+ break;
+ case IPT_CTDIRMARK_RESTORE:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL){
+ if (ct->mark_dir[IP_CT_DIR_ORIGINAL] != (*pskb)->nfmark) {
+ (*pskb)->nfmark = ct->mark_dir[IP_CT_DIR_ORIGINAL];
+ (*pskb)->nfcache |= NFC_ALTERED;
+ }
+ }else if (info->bitmask & IPT_CTDIRMARK_REPLY){
+ if (ct->mark_dir[IP_CT_DIR_REPLY] != (*pskb)->nfmark) {
+ (*pskb)->nfmark = ct->mark_dir[IP_CT_DIR_REPLY];
+ (*pskb)->nfcache |= NFC_ALTERED;
+ }
+ }
+ break;
+ }
+ }
+
+ return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_entry *e,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ struct ipt_ctdirmark_target_info *info = targinfo;
+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info))) {
+ printk(KERN_WARNING "CTDIRMARK: targinfosize %u != %Zu\n",
+ targinfosize,
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)));
+ return 0;
+ }
+
+ if (info->mode == IPT_CTDIRMARK_RESTORE) {
+ if (strcmp(tablename, "mangle") != 0) {
+ printk(KERN_WARNING "CTDIRMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablenam
e);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static struct ipt_target ipt_ctdirmark_reg
+= { { NULL, NULL }, "CTDIRMARK", target, checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ if (ipt_register_target(&ipt_ctdirmark_reg))
+ return -EINVAL;
+
+ return 0;
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_target(&ipt_ctdirmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
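Review bot: the `IPT_CTDIRMARK_RESTORE` branch uses `else if`, so a rule carrying both `IPT_CTDIRMARK_ORIGINAL` and `IPT_CTDIRMARK_REPLY` silently restores only the original-direction mark, while the SET and SAVE branches honour both bits; since a single skb can only take one mark, `checkentry` should reject a RESTORE rule with more than one direction bit and reject SAVE/RESTORE rules with none, instead of letting them insert as no-ops. `checkentry` also accepts any `info->mode` and the `switch` has no `default`, so an unknown mode is a silent no-op rather than an insertion error. Same remarks as for the match: remove the `#define __KERNEL__`/`#define MODULE` lines, include the header as `<linux/netfilter_ipv4/ipt_CTDIRMARK.h>`, and add `MODULE_LICENSE("GPL")`. Note also that SAVE stores the packet's `nfmark` into whichever direction the rule names, not the direction the packet is actually travelling (`CTINFO2DIR(ctinfo)`); if that is intentional, say so in the commit text, because users of the existing connmark patch will expect the latter.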
-------------- next part --------------
diff -Nru a/extensions/Makefile b/extensions/Makefile
--- a/extensions/Makefile Wed Sep 7 16:42:31 2005
+++ b/extensions/Makefile Wed Sep 7 16:40:11 2005
@@ -5,7 +5,7 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah conntrack dscp ecn esp helper icmp iplimit length limit mac mark multiport owner physdev pkttype rpc standar
d state tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS T
TL ULOG
+PF_EXT_SLIB:=ah conntrack dscp ecn esp helper icmp iplimit length limit mac mark multiport owner physdev pkttype rpc standar
d state ctdirmark tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TC
PMSS TOS TTL ULOG CTDIRMARK
PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK
# Optionals
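Review bot: `ctdirmark` and `CTDIRMARK` are added to `PF_EXT_SLIB`, which the comment above reserves for extensions whose kernel headers ship in this package's `include/linux`; the patch does not add `ipt_ctdirmark.h`/`ipt_CTDIRMARK.h` there, so an unpatched tree fails to build. Either add the headers under `include/linux/netfilter_ipv4/` in the same patch or register the two in the `# Optionals` block so they are built only when the headers are present.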
diff -Nru a/extensions/libipt_ctdirmark.c b/extensions/libipt_ctdirmark.c
--- a/extensions/libipt_ctdirmark.c Wed Sep 7 16:46:18 2005
+++ b/extensions/libipt_ctdirmark.c Wed Sep 7 15:28:33 2005
@@ -0,0 +1,171 @@
+/* Shared library add-on to iptables to add CTDIRMARK matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_CTDIRMARK.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"ctdirmark match v%s options:\n"
+"[!] --mark_original value[/mask] Match nfmark in dir original value with optional mask\n"
+"[!] --mark_reply value[/mask] Match nfmark in dir reply value with optional mask\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "mark_original", 1, 0, '1' },
+ { "mark_reply", 1, 0, '2' },
+ {0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+ /* Can't cache this. */
+ *nfcache |= NFC_UNKNOWN;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ unsigned int *nfcache,
+ struct ipt_entry_match **match)
+{
+ struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)(*match)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ if (*flags & IPT_CTDIRMARK_ORIGINAL)
+ goto multiple_use;
+ check_inverse(optarg, &invert, &optind, 0);
+ info->mark[IP_CT_DIR_ORIGINAL] = strtoul(optarg, &end, 0);
+ if (*end == '/') {
+ info->mask[IP_CT_DIR_ORIGINAL] = strtoul(end+1, &end, 0);
+ } else
+ info->mask[IP_CT_DIR_ORIGINAL] = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (invert)
+ info->invert |= IPT_CTDIRMARK_ORIGINAL;
+ info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+ *flags |= IPT_CTDIRMARK_ORIGINAL;
+ break;
+
+ case '2':
+ if (*flags & IPT_CTDIRMARK_REPLY)
+ goto multiple_use;
+ check_inverse(optarg, &invert, &optind, 0);
+ info->mark[IP_CT_DIR_REPLY] = strtoul(optarg, &end, 0);
+ if (*end == '/') {
+ info->mask[IP_CT_DIR_REPLY] = strtoul(end+1, &end, 0);
+ } else
+ info->mask[IP_CT_DIR_REPLY] = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (invert)
+ info->invert |= IPT_CTDIRMARK_REPLY;
+ info->bitmask |= IPT_CTDIRMARK_REPLY;
+ *flags |= IPT_CTDIRMARK_REPLY;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+ multiple_use:
+ exit_error(PARAMETER_PROBLEM,
+ "multiple use of the same ctdirmark option is not allowed");
+}
+
+static void
+print_mark(unsigned long mark, unsigned long mask, int numeric)
+{
+ if(mask != 0xffffffff)
+ printf("0x%lx/0x%lx ", mark, mask);
+ else
+ printf("0x%lx ", mark);
+}
+
+/* Final check; must have specified --mark. */
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "MARK match: You must specify `--mark_original' or `--mark_reply'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+ int numeric)
+{
+ struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)match->data;
+
+ printf("ctdirmark match ");
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL) {
+ if (info->invert & IPT_CTDIRMARK_ORIGINAL)
+ printf("!");
+ printf("--mark_original ");
+ print_mark(info->mark[IP_CT_DIR_ORIGINAL], info->mask[IP_CT_DIR_ORIGINAL], numeric);
+ }
+ if (info->bitmask & IPT_CTDIRMARK_REPLY) {
+ if (info->invert & IPT_CTDIRMARK_REPLY)
+ printf("!");
+ printf("--mark_reply ");
+ print_mark(info->mark[IP_CT_DIR_REPLY], info->mask[IP_CT_DIR_REPLY], numeric);
+ }
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+ struct ipt_ctdirmark_info *info = (struct ipt_ctdirmark_info *)match->data;
+
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL) {
+ if (info->invert & IPT_CTDIRMARK_ORIGINAL)
+ printf("!");
+ printf("--mark_original ");
+ print_mark(info->mark[IP_CT_DIR_ORIGINAL], info->mask[IP_CT_DIR_ORIGINAL], 0);
+ }
+ if (info->bitmask & IPT_CTDIRMARK_REPLY) {
+ if (info->invert & IPT_CTDIRMARK_REPLY)
+ printf("!");
+ printf("--mark_reply ");
+ print_mark(info->mark[IP_CT_DIR_REPLY], info->mask[IP_CT_DIR_REPLY], 0);
+ }
+}
+
+static
+struct iptables_match mark
+= { NULL,
+ "ctdirmark",
+ NETFILTER_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)),
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_match(&mark);
+}
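Review bot: `save()` prints `"!"` immediately followed by `"--mark_original "`, so `iptables-save` emits `!--mark_original 0x1`, which `iptables-restore` cannot parse as an inverted option; print `"! "` (with the trailing space) as the other extensions do. Both option cases call `check_inverse(optarg, ...)` and then parse `optarg`, so the `--mark_original ! 0x1` spelling that `check_inverse` exists to support leaves `optarg` pointing at `"!"` and fails with "Bad MARK value"; read the value from `argv[optind-1]` after the `check_inverse` call. Smaller points: the file includes the target header `ipt_CTDIRMARK.h` rather than its own `ipt_ctdirmark.h`; the `final_check` message says "MARK match" instead of "ctdirmark match"; and `print_mark` ignores its `numeric` argument.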
diff -Nru a/extensions/libipt_CTDIRMARK.c b/extensions/libipt_CTDIRMARK.c
--- a/extensions/libipt_CTDIRMARK.c Wed Sep 7 16:48:53 2005
+++ b/extensions/libipt_CTDIRMARK.c Wed Sep 7 15:28:52 2005
@@ -0,0 +1,221 @@
+/* Shared library add-on to iptables to add CTDIRMARK target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CTDIRMARK.h>
+
+/*
+#if 0
+struct markinfo {
+ struct ipt_entry_target t;
+ struct ipt_ctdirmark_target_info mark;
+};
+#endif
+*/
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"CTDIRMARK target v%s options:\n"
+" --set-mark_original value Set ctdirmark mark value in original dir\n"
+" --set-mark_reply value Set ctdirmark mark value in reply dir\n"
+" --save-mark Save the packet nfmark on the connection in the specified dir\n"
+" --restore-mark Restore saved nfmark value\n"
+" --mark_original specify original dir\n"
+" --mark_reply specify reply dir\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "set-mark_original", 1, 0, '1' },
+ { "set-mark_reply", 1, 0, '2' },
+ { "save-mark", 0, 0, '3' },
+ { "restore-mark", 0, 0, '4' },
+ { "mark_original", 0, 0, '5' },
+ { "mark_reply", 0, 0, '6' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ struct ipt_entry_target **target)
+{
+ struct ipt_ctdirmark_target_info *info
+ = (struct ipt_ctdirmark_target_info *)(*target)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ if (*flags & ~IPT_CTDIRMARK_TARGET_SET_REPLY)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_SET;
+ info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+ info->mark[IP_CT_DIR_ORIGINAL] = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ *flags |= IPT_CTDIRMARK_TARGET_SET_ORIGINAL;
+ break;
+ case '2':
+ if (*flags & ~IPT_CTDIRMARK_TARGET_SET_ORIGINAL)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_SET;
+ info->bitmask |= IPT_CTDIRMARK_REPLY;
+ info->mark[IP_CT_DIR_REPLY] = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ *flags |= IPT_CTDIRMARK_TARGET_SET_REPLY;
+ break;
+ case '3':
+ if (*flags)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_SAVE;
+ *flags |= IPT_CTDIRMARK_TARGET_SAVE;
+ break;
+ case '4':
+ if (*flags)
+ goto multiple_use;
+ info->mode = IPT_CTDIRMARK_RESTORE;
+ *flags |= IPT_CTDIRMARK_TARGET_RESTORE;
+ break;
+ case '5':
+ if ((*flags & IPT_CTDIRMARK_TARGET_SET_ORIGINAL) ||
+ (*flags & IPT_CTDIRMARK_TARGET_SET_REPLY) ||
+ (*flags & IPT_CTDIRMARK_TARGET_ORIGINAL))
+ goto multiple_use;
+ if (!(*flags & IPT_CTDIRMARK_TARGET_SAVE) &&
+ !(*flags & IPT_CTDIRMARK_TARGET_RESTORE))
+ goto wrong_use;
+ info->bitmask |= IPT_CTDIRMARK_ORIGINAL;
+ *flags |= IPT_CTDIRMARK_TARGET_ORIGINAL;
+ break;
+ case '6':
+ if ((*flags & IPT_CTDIRMARK_TARGET_SET_ORIGINAL) ||
+ (*flags & IPT_CTDIRMARK_TARGET_SET_REPLY) ||
+ (*flags & IPT_CTDIRMARK_TARGET_REPLY))
+ goto multiple_use;
+ if (!(*flags & IPT_CTDIRMARK_TARGET_SAVE) &&
+ !(*flags & IPT_CTDIRMARK_TARGET_RESTORE))
+ goto wrong_use;
+ info->bitmask |= IPT_CTDIRMARK_REPLY;
+ *flags |= IPT_CTDIRMARK_TARGET_REPLY;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+multiple_use:
+ exit_error(PARAMETER_PROBLEM,
+ "multiple use of the same ctdirmark option is not allowed");
+wrong_use:
+ exit_error(PARAMETER_PROBLEM,
+ "without save or restore option in advance is not allowed");
+}
+
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CTDIRMARK target: Parameter --set-mark_original or --set-mark_reply is required");
+}
+
+static void
+print_mark(unsigned long mark, int numeric)
+{
+ printf("0x%lx ", mark);
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_ctdirmark_target_info *info =
+ (const struct ipt_ctdirmark_target_info *)target->data;
+ switch (info->mode) {
+ case IPT_CTDIRMARK_SET:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL){
+ printf("CTDIRMARK set original");
+ print_mark(info->mark[IP_CT_DIR_ORIGINAL], numeric);
+ }
+ if (info->bitmask & IPT_CTDIRMARK_REPLY){
+ printf("CTDIRMARK set reply");
+ print_mark(info->mark[IP_CT_DIR_REPLY], numeric);
+ }
+ break;
+ case IPT_CTDIRMARK_SAVE:
+ printf("CTDIRMARK save ");
+ break;
+ case IPT_CTDIRMARK_RESTORE:
+ printf("CTDIRMARK restore ");
+ break;
+ default:
+ printf("ERROR: UNKNOWN CTDIRMARK MODE ");
+ break;
+ }
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+ const struct ipt_ctdirmark_target_info *info =
+ (const struct ipt_ctdirmark_target_info *)target->data;
+
+ switch (info->mode) {
+ case IPT_CTDIRMARK_SET:
+ if (info->bitmask & IPT_CTDIRMARK_ORIGINAL)
+ printf("--set-mark_original 0x%lx ", info->mark[IP_CT_DIR_ORIGINAL]);
+ if (info->bitmask & IPT_CTDIRMARK_REPLY)
+ printf("--set-mark_reply 0x%lx ", info->mark[IP_CT_DIR_REPLY]);
+ break;
+ case IPT_CTDIRMARK_SAVE:
+ printf("--save-mark ");
+ break;
+ case IPT_CTDIRMARK_RESTORE:
+ printf("--restore-mark ");
+ break;
+ default:
+ printf("ERROR: UNKNOWN CTDIRMARK MODE ");
+ break;
+ }
+}
+
+static
+struct iptables_target mark
+= { NULL,
+ "CTDIRMARK",
+ NETFILTER_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)),
+ IPT_ALIGN(sizeof(struct ipt_ctdirmark_target_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_target(&mark);
+}
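Review bot: `save()` for the SAVE and RESTORE modes prints only `--save-mark` / `--restore-mark` and drops the direction, so a dumped rule is reloaded with `bitmask == 0` and becomes a no-op in the kernel, which never checks for that; print the `--mark_original`/`--mark_reply` option alongside. Related: `final_check` only tests `!flags`, so `--save-mark` with no direction passes on the command line as well; require a direction for those two modes and fix the error text, which mentions only `--set-mark_*`. The parser is also order-dependent (`--mark_original --save-mark` fails with "without save or restore option in advance" while the reverse order works); record the options in `parse` and validate the combination once in `final_check`. Cosmetic: `print()` emits `CTDIRMARK set original` with no space before the mark value, and the commented-out `#if 0` block at the top should go.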
2005-10-13 11:59 Need a method to reset the ip_conntrack_count Vincent
2005-10-13 11:59 ` Vincent
2005-10-13 21:49 ` Henrik Nordstrom
-- strict thread matches above, loose matches on Subject: below --
2005-09-07 9:39 [PATCH 2.4] Introducing Bidirectional conntrack mark Jesse Peng
2005-10-13 9:32 ` Need a method to reset the ip_conntrack_count Vincent
2005-10-13 9:55 ` Eric Leblond
2005-10-13 21:48 ` Henrik Nordstrom