[PATCH] ct-event API port to 2.6.11

[PATCH] ct-event API port to 2.6.11

[Pablo Neira]

[-- Attachment #1: Type: text/plain, Size: 461 bytes --]

I sent this patch to Krisztian Kovacs some time ago in private but 
forgot to post it in mailing list. It is currently used by ct_sync.

BTW, I also ported this to nf_conntrack some time ago:

https://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018219.html

I guess that such patch doesn't apply anymore since Rusty's changes. If 
I ported it again, could it be merge to the nf_conntrack tree or better 
wait until it's pushed forward?

--
Pablo

[-- Attachment #2: ctevent-API-2.6.11-rc5.patch --]
[-- Type: text/x-patch, Size: 17779 bytes --]

===== include/linux/netfilter.h 1.15 vs edited =====
--- 1.15/include/linux/netfilter.h	2005-01-10 21:23:55 +01:00
+++ edited/include/linux/netfilter.h	2005-02-24 19:43:20 +01:00
@@ -21,7 +21,7 @@
 #define NF_MAX_VERDICT NF_REPEAT
 
 /* Generic cache responses from hook functions.
-   <= 0x2000 is used for protocol-flags. */
+   <= 0x2000 is reserved for conntrack event cache. */
 #define NFC_UNKNOWN 0x4000
 #define NFC_ALTERED 0x8000
 
===== include/linux/netfilter_ipv4.h 1.7 vs edited =====
--- 1.7/include/linux/netfilter_ipv4.h	2004-03-30 06:24:38 +02:00
+++ edited/include/linux/netfilter_ipv4.h	2005-02-24 19:43:20 +01:00
@@ -8,34 +8,6 @@
 #include <linux/config.h>
 #include <linux/netfilter.h>
 
-/* IP Cache bits. */
-/* Src IP address. */
-#define NFC_IP_SRC		0x0001
-/* Dest IP address. */
-#define NFC_IP_DST		0x0002
-/* Input device. */
-#define NFC_IP_IF_IN		0x0004
-/* Output device. */
-#define NFC_IP_IF_OUT		0x0008
-/* TOS. */
-#define NFC_IP_TOS		0x0010
-/* Protocol. */
-#define NFC_IP_PROTO		0x0020
-/* IP options. */
-#define NFC_IP_OPTIONS		0x0040
-/* Frag & flags. */
-#define NFC_IP_FRAG		0x0080
-
-/* Per-protocol information: only matters if proto match. */
-/* TCP flags. */
-#define NFC_IP_TCPFLAGS		0x0100
-/* Source port. */
-#define NFC_IP_SRC_PT		0x0200
-/* Dest port. */
-#define NFC_IP_DST_PT		0x0400
-/* Something else about the proto */
-#define NFC_IP_PROTO_UNKNOWN	0x2000
-
 /* IP Hooks */
 /* After promisc drops, checksum checks. */
 #define NF_IP_PRE_ROUTING	0
===== include/linux/netfilter_ipv4/ip_conntrack.h 1.35 vs edited =====
--- 1.35/include/linux/netfilter_ipv4/ip_conntrack.h	2005-01-27 07:03:17 +01:00
+++ edited/include/linux/netfilter_ipv4/ip_conntrack.h	2005-02-26 20:19:28 +01:00
@@ -65,6 +65,58 @@ enum ip_conntrack_status {
 
 	/* Both together */
 	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+	/* Connection is destroyed (removed from lists), can not be unset. */
+	IPS_DESTROYED_BIT = 9,
+	IPS_DESTROYED = (1 << IPS_DESTROYED_BIT),
+};
+
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+	/* New conntrack */
+	IPCT_NEW_BIT = 0,
+	IPCT_NEW = (1 << IPCT_NEW_BIT),
+
+	/* Expected connection */
+	IPCT_RELATED_BIT = 1,
+	IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+
+	/* Destroyed conntrack */
+	IPCT_DESTROY_BIT = 2,
+	IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+
+	/* Timer has been refreshed */
+	IPCT_REFRESH_BIT = 3,
+	IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
+
+	/* Status has changed */
+	IPCT_STATUS_BIT = 4,
+	IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+
+	/* Update of protocol info */
+	IPCT_PROTOINFO_BIT = 5,
+	IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+
+	/* Volatile protocol info */
+	IPCT_PROTOINFO_VOLATILE_BIT = 6,
+	IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
+
+	/* New helper for conntrack */
+	IPCT_HELPER_BIT = 7,
+	IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+
+	/* Update of helper info */
+	IPCT_HELPINFO_BIT = 8,
+	IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
+
+	/* Volatile helper info */
+	IPCT_HELPINFO_VOLATILE_BIT = 9,
+	IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
+
+	/* NAT info */
+	IPCT_NATINFO_BIT = 10,
+	IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
 };
 
 #ifdef __KERNEL__
@@ -247,7 +299,7 @@ extern int invert_tuplepr(struct ip_conn
 /* Refresh conntrack for this many jiffies */
 extern void ip_ct_refresh_acct(struct ip_conntrack *ct,
 			       enum ip_conntrack_info ctinfo,
-			       const struct sk_buff *skb,
+			       struct sk_buff *skb,
 			       unsigned long extra_jiffies);
 
 /* These are for NAT.  Icky. */
@@ -277,6 +329,11 @@ static inline int is_confirmed(struct ip
 	return test_bit(IPS_CONFIRMED_BIT, &ct->status);
 }
 
+static inline int is_destroyed(struct ip_conntrack *ct)
+{
+	return test_bit(IPS_DESTROYED_BIT, &ct->status);
+}
+
 extern unsigned int ip_conntrack_htable_size;
  
 struct ip_conntrack_stat
@@ -299,6 +356,57 @@ struct ip_conntrack_stat
 };
 
 #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
+
+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
+#include <linux/notifier.h>
+ 
+extern struct notifier_block *ip_conntrack_chain;
+ 
+static inline int ip_conntrack_register_notifier(struct notifier_block *nb)
+{
+	return notifier_chain_register(&ip_conntrack_chain, nb);
+}
+
+static inline int ip_conntrack_unregister_notifier(struct notifier_block *nb)
+{
+	return notifier_chain_unregister(&ip_conntrack_chain, nb);
+}
+
+static inline void ip_conntrack_event_cache_init(struct sk_buff *skb)
+{
+	/* Set to zero first 14 bits, see netfilter.h */
+	skb->nfcache &= 0xc000;
+}
+
+static inline void 
+ip_conntrack_event_cache(enum ip_conntrack_events event, struct sk_buff *skb)
+{
+	skb->nfcache |= event;
+}
+
+static inline void 
+ip_conntrack_deliver_cached_events(struct sk_buff *skb)
+{
+	struct ip_conntrack *ct = (struct ip_conntrack *) skb->nfct;
+
+	if (ct != NULL && is_confirmed(ct) && !is_destroyed(ct) && skb->nfcache)
+		notifier_call_chain(&ip_conntrack_chain, skb->nfcache, ct);
+}
+
+static inline void ip_conntrack_event(enum ip_conntrack_events event,
+				      struct ip_conntrack *ct)
+{
+	if (is_confirmed(ct) && !is_destroyed(ct))
+		notifier_call_chain(&ip_conntrack_chain, event, ct);
+}
+#else /* CONFIG_IP_NF_CONNTRACK_EVENTS */
+static inline void ip_conntrack_event_cache_init(struct sk_buff *skb) {}
+static inline void ip_conntrack_event_cache(enum ip_conntrack_events event,
+					    struct sk_buff *skb) {}
+static inline void ip_conntrack_event(enum ip_conntrack_events event,
+				      struct ip_conntrack *ct) {}
+static inline void ip_conntrack_deliver_cached_events(struct sk_buff *skb) {}
+#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
 
 #ifdef CONFIG_IP_NF_NAT_NEEDED
 static inline int ip_nat_initialized(struct ip_conntrack *conntrack,
===== include/linux/netfilter_ipv4/ip_conntrack_core.h 1.13 vs edited =====
--- 1.13/include/linux/netfilter_ipv4/ip_conntrack_core.h	2005-01-17 22:55:17 +01:00
+++ edited/include/linux/netfilter_ipv4/ip_conntrack_core.h	2005-02-26 19:38:51 +01:00
@@ -39,10 +39,14 @@ extern int __ip_conntrack_confirm(struct
 /* Confirm a connection: returns NF_DROP if packet must be dropped. */
 static inline int ip_conntrack_confirm(struct sk_buff **pskb)
 {
+	int ret = NF_ACCEPT;
+
 	if ((*pskb)->nfct
 	    && !is_confirmed((struct ip_conntrack *)(*pskb)->nfct))
-		return __ip_conntrack_confirm(pskb);
-	return NF_ACCEPT;
+		ret = __ip_conntrack_confirm(pskb);
+	ip_conntrack_deliver_cached_events(*pskb);
+
+	return ret;
 }
 
 extern struct list_head *ip_conntrack_hash;
===== include/linux/netfilter_ipv4/ip_conntrack_protocol.h 1.11 vs edited =====
--- 1.11/include/linux/netfilter_ipv4/ip_conntrack_protocol.h	2005-01-17 22:45:00 +01:00
+++ edited/include/linux/netfilter_ipv4/ip_conntrack_protocol.h	2005-02-24 19:43:20 +01:00
@@ -34,7 +34,7 @@ struct ip_conntrack_protocol
 
 	/* Returns verdict for packet, or -1 for invalid. */
 	int (*packet)(struct ip_conntrack *conntrack,
-		      const struct sk_buff *skb,
+		      struct sk_buff *skb,
 		      enum ip_conntrack_info ctinfo);
 
 	/* Called when a new connection for this protocol found;
===== net/ipv4/netfilter/Kconfig 1.35 vs edited =====
--- 1.35/net/ipv4/netfilter/Kconfig	2005-01-15 23:31:06 +01:00
+++ edited/net/ipv4/netfilter/Kconfig	2005-02-24 19:43:20 +01:00
@@ -692,5 +692,15 @@ config IP_NF_ARP_MANGLE
 	  Allows altering the ARP packet payload: source and destination
 	  hardware and network addresses.
 
+config IP_NF_CONNTRACK_EVENTS
+	bool "Connection tracking events"
+	depends on IP_NF_CONNTRACK
+	help
+	  If this option is enabled, the connection tracking code will
+	  provide a notifier chain that can be used by other kernel code
+	  to get notified about changes in the connection tracking state.
+	  
+	  IF unsure, say `N'.
+
 endmenu
 
===== net/ipv4/netfilter/ip_conntrack_proto_icmp.c 1.15 vs edited =====
--- 1.15/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	2005-01-17 23:02:05 +01:00
+++ edited/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	2005-02-24 19:43:20 +01:00
@@ -89,7 +89,7 @@ static int icmp_print_conntrack(struct s
 
 /* Returns verdict for packet, or -1 for invalid. */
 static int icmp_packet(struct ip_conntrack *ct,
-		       const struct sk_buff *skb,
+		       struct sk_buff *skb,
 		       enum ip_conntrack_info ctinfo)
 {
 	/* Try to delete connection immediately after all replies:
@@ -102,6 +102,7 @@ static int icmp_packet(struct ip_conntra
 			ct->timeout.function((unsigned long)ct);
 	} else {
 		atomic_inc(&ct->proto.icmp.count);
+		ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
 		ip_ct_refresh_acct(ct, ctinfo, skb, ip_ct_icmp_timeout);
 	}
 
===== net/ipv4/netfilter/ip_conntrack_proto_generic.c 1.10 vs edited =====
--- 1.10/net/ipv4/netfilter/ip_conntrack_proto_generic.c	2004-09-13 02:00:29 +02:00
+++ edited/net/ipv4/netfilter/ip_conntrack_proto_generic.c	2005-02-24 19:43:20 +01:00
@@ -49,7 +49,7 @@ static int generic_print_conntrack(struc
 
 /* Returns verdict for packet, or -1 for invalid. */
 static int packet(struct ip_conntrack *conntrack,
-		  const struct sk_buff *skb,
+		  struct sk_buff *skb,
 		  enum ip_conntrack_info ctinfo)
 {
 	ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_generic_timeout);
===== net/ipv4/netfilter/ip_conntrack_proto_sctp.c 1.11 vs edited =====
--- 1.11/net/ipv4/netfilter/ip_conntrack_proto_sctp.c	2005-01-17 22:58:33 +01:00
+++ edited/net/ipv4/netfilter/ip_conntrack_proto_sctp.c	2005-02-24 19:43:20 +01:00
@@ -310,7 +310,7 @@ static int new_state(enum ip_conntrack_d
 
 /* Returns verdict for packet, or -1 for invalid. */
 static int sctp_packet(struct ip_conntrack *conntrack,
-		       const struct sk_buff *skb,
+		       struct sk_buff *skb,
 		       enum ip_conntrack_info ctinfo)
 {
 	enum sctp_conntrack newconntrack, oldsctpstate;
@@ -405,6 +405,8 @@ static int sctp_packet(struct ip_conntra
 		}
 
 		conntrack->proto.sctp.state = newconntrack;
+		if (oldsctpstate != newconntrack)
+			ip_conntrack_event_cache(IPCT_PROTOINFO, skb);
 		WRITE_UNLOCK(&sctp_lock);
 	}
 
===== net/ipv4/netfilter/ip_conntrack_core.c 1.86 vs edited =====
--- 1.86/net/ipv4/netfilter/ip_conntrack_core.c	2005-01-27 07:03:17 +01:00
+++ edited/net/ipv4/netfilter/ip_conntrack_core.c	2005-02-26 19:38:09 +01:00
@@ -37,6 +37,7 @@
 #include <linux/err.h>
 #include <linux/percpu.h>
 #include <linux/moduleparam.h>
+#include <linux/notifier.h>
 
 /* This rwlock protects the main hash table, protocol/helper/expected
    registrations, conntrack timers*/
@@ -76,6 +77,10 @@ unsigned int ip_ct_log_invalid;
 static LIST_HEAD(unconfirmed);
 static int ip_conntrack_vmalloc;
 
+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
+struct notifier_block *ip_conntrack_chain;
+#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
+
 DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
 
 void 
@@ -230,6 +235,8 @@ destroy_conntrack(struct nf_conntrack *n
 	IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
 	IP_NF_ASSERT(!timer_pending(&ct->timeout));
 
+	set_bit(IPS_DESTROYED_BIT, &ct->status);
+
 	/* To make sure we don't get any weird locking issues here:
 	 * destroy_conntrack() MUST NOT be called with a write lock
 	 * to ip_conntrack_lock!!! -HW */
@@ -268,6 +275,7 @@ static void death_by_timeout(unsigned lo
 {
 	struct ip_conntrack *ct = (void *)ul_conntrack;
 
+	ip_conntrack_event(IPCT_DESTROY, ct);
 	WRITE_LOCK(&ip_conntrack_lock);
 	/* Inside lock so preempt is disabled on module removal path.
 	 * Otherwise we can get spurious warnings. */
@@ -381,6 +389,16 @@ __ip_conntrack_confirm(struct sk_buff **
 		set_bit(IPS_CONFIRMED_BIT, &ct->status);
 		CONNTRACK_STAT_INC(insert);
 		WRITE_UNLOCK(&ip_conntrack_lock);
+		if (ct->helper)
+			ip_conntrack_event_cache(IPCT_HELPER, *pskb);
+#ifdef CONFIG_IP_NF_NAT_NEEDED
+		if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
+		    test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
+			ip_conntrack_event_cache(IPCT_NATINFO, *pskb);
+#endif
+		ip_conntrack_event_cache(master_ct(ct) ?
+					 IPCT_RELATED : IPCT_NEW, *pskb);
+
 		return NF_ACCEPT;
 	}
 
@@ -630,6 +648,8 @@ unsigned int ip_conntrack_in(unsigned in
 	/* FIXME: Do this right please. --RR */
 	(*pskb)->nfcache |= NFC_UNKNOWN;
 
+	ip_conntrack_event_cache_init(*pskb);
+
 /* Doesn't cover locally-generated broadcast, so not worth it. */
 #if 0
 	/* Ignore broadcast: no `connection'. */
@@ -681,8 +701,8 @@ unsigned int ip_conntrack_in(unsigned in
 		return -ret;
 	}
 
-	if (set_reply)
-		set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
+	if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
+		ip_conntrack_event_cache(IPCT_STATUS, *pskb);
 
 	return ret;
 }
@@ -867,8 +887,10 @@ int ip_conntrack_helper_register(struct 
 static inline int unhelp(struct ip_conntrack_tuple_hash *i,
 			 const struct ip_conntrack_helper *me)
 {
-	if (tuplehash_to_ctrack(i)->helper == me)
+	if (tuplehash_to_ctrack(i)->helper == me) {
+ 		ip_conntrack_event(IPCT_HELPER, tuplehash_to_ctrack(i));
 		tuplehash_to_ctrack(i)->helper = NULL;
+	}
 	return 0;
 }
 
@@ -915,7 +937,7 @@ static inline void ct_add_counters(struc
 /* Refresh conntrack for this many jiffies and do accounting (if skb != NULL) */
 void ip_ct_refresh_acct(struct ip_conntrack *ct, 
 		        enum ip_conntrack_info ctinfo,
-			const struct sk_buff *skb,
+			struct sk_buff *skb,
 			unsigned long extra_jiffies)
 {
 	IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
@@ -930,6 +952,7 @@ void ip_ct_refresh_acct(struct ip_conntr
 		if (del_timer(&ct->timeout)) {
 			ct->timeout.expires = jiffies + extra_jiffies;
 			add_timer(&ct->timeout);
+			ip_conntrack_event_cache(IPCT_REFRESH, skb);
 		}
 		ct_add_counters(ct, ctinfo, skb);
 		WRITE_UNLOCK(&ip_conntrack_lock);
===== net/ipv4/netfilter/ip_conntrack_ftp.c 1.31 vs edited =====
--- 1.31/net/ipv4/netfilter/ip_conntrack_ftp.c	2005-02-01 14:24:15 +01:00
+++ edited/net/ipv4/netfilter/ip_conntrack_ftp.c	2005-02-24 22:06:05 +01:00
@@ -263,7 +263,8 @@ static int find_nl_seq(u16 seq, const st
 }
 
 /* We don't update if it's older than what we have. */
-static void update_nl_seq(u16 nl_seq, struct ip_ct_ftp_master *info, int dir)
+static void update_nl_seq(u16 nl_seq, struct ip_ct_ftp_master *info, int dir,
+			  struct sk_buff *skb)
 {
 	unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
 
@@ -277,10 +278,13 @@ static void update_nl_seq(u16 nl_seq, st
 			oldest = i;
 	}
 
-	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER)
+	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
 		info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
-	else if (oldest != NUM_SEQ_TO_REMEMBER)
+		ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
+	} else if (oldest != NUM_SEQ_TO_REMEMBER) {
 		info->seq_aft_nl[dir][oldest] = nl_seq;
+		ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
+	}
 }
 
 static int help(struct sk_buff **pskb,
@@ -440,7 +444,7 @@ out_update_nl:
 	/* Now if this ends in \n, update ftp info.  Seq may have been
 	 * adjusted by NAT code. */
 	if (ends_in_nl)
-		update_nl_seq(seq, ct_ftp_info,dir);
+		update_nl_seq(seq, ct_ftp_info,dir, *pskb);
  out:
 	UNLOCK_BH(&ip_ftp_lock);
 	return ret;
===== net/ipv4/netfilter/ip_conntrack_standalone.c 1.63 vs edited =====
--- 1.63/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-01-27 07:03:17 +01:00
+++ edited/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-02-26 20:22:16 +01:00
@@ -890,6 +890,11 @@ void need_ip_conntrack(void)
 {
 }
 
+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
+EXPORT_SYMBOL(ip_conntrack_chain);
+EXPORT_SYMBOL(ip_conntrack_register_notifier);
+EXPORT_SYMBOL(ip_conntrack_unregister_notifier);
+#endif
 EXPORT_SYMBOL(ip_conntrack_protocol_register);
 EXPORT_SYMBOL(ip_conntrack_protocol_unregister);
 EXPORT_SYMBOL(ip_ct_get_tuple);
===== net/ipv4/netfilter/ip_conntrack_proto_tcp.c 1.28 vs edited =====
--- 1.28/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-02-01 14:14:08 +01:00
+++ edited/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-02-24 19:43:20 +01:00
@@ -826,7 +826,7 @@ static int tcp_error(struct sk_buff *skb
 
 /* Returns verdict for packet, or -1 for invalid. */
 static int tcp_packet(struct ip_conntrack *conntrack,
-		      const struct sk_buff *skb,
+		      struct sk_buff *skb,
 		      enum ip_conntrack_info ctinfo)
 {
 	enum tcp_conntrack new_state, old_state;
@@ -948,6 +948,10 @@ static int tcp_packet(struct ip_conntrac
 		  && *tcp_timeouts[new_state] > ip_ct_tcp_timeout_max_retrans
 		  ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
 	WRITE_UNLOCK(&tcp_lock);
+
+	ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
+	if (new_state != old_state)
+		ip_conntrack_event_cache(IPCT_PROTOINFO, skb);
 
 	if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) {
 		/* If only reply is a RST, we can consider ourselves not to
===== net/ipv4/netfilter/ip_conntrack_proto_udp.c 1.14 vs edited =====
--- 1.14/net/ipv4/netfilter/ip_conntrack_proto_udp.c	2004-09-26 23:18:26 +02:00
+++ edited/net/ipv4/netfilter/ip_conntrack_proto_udp.c	2005-02-25 10:57:39 +01:00
@@ -64,7 +64,7 @@ static int udp_print_conntrack(struct se
 
 /* Returns verdict for packet, and may modify conntracktype */
 static int udp_packet(struct ip_conntrack *conntrack,
-		      const struct sk_buff *skb,
+		      struct sk_buff *skb,
 		      enum ip_conntrack_info ctinfo)
 {
 	/* If we've seen traffic both ways, this is some kind of UDP
@@ -73,7 +73,8 @@ static int udp_packet(struct ip_conntrac
 		ip_ct_refresh_acct(conntrack, ctinfo, skb, 
 				   ip_ct_udp_timeout_stream);
 		/* Also, more likely to be important, and not a probe */
-		set_bit(IPS_ASSURED_BIT, &conntrack->status);
+		if (!test_and_set_bit(IPS_ASSURED_BIT, &conntrack->status))
+			ip_conntrack_event_cache(IPCT_STATUS, skb);
 	} else
 		ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_udp_timeout);
 

Re: [PATCH] ct-event API port to 2.6.11

[Patrick McHardy]

Pablo Neira wrote:
> I sent this patch to Krisztian Kovacs some time ago in private but 
> forgot to post it in mailing list. It is currently used by ct_sync.
> 
> BTW, I also ported this to nf_conntrack some time ago:
> 
> https://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018219.html 
> 
> 
> I guess that such patch doesn't apply anymore since Rusty's changes. If 
> I ported it again, could it be merge to the nf_conntrack tree or better 
> wait until it's pushed forward?

I think it would be better to wait to avoid delaying both.
Is there already a user of this API for nf_conntrack?

Regards
Patrick

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Patrick McHardy wrote:
> Pablo Neira wrote:
> 
>> I sent this patch to Krisztian Kovacs some time ago in private but 
>> forgot to post it in mailing list. It is currently used by ct_sync.
>>
>> BTW, I also ported this to nf_conntrack some time ago:
>>
>> https://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018219.html 
>>
>>
>> I guess that such patch doesn't apply anymore since Rusty's changes. 
>> If I ported it again, could it be merge to the nf_conntrack tree or 
>> better wait until it's pushed forward?
> 
> I think it would be better to wait to avoid delaying both.
> Is there already a user of this API for nf_conntrack?

It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) 
requires ct-event (although this is not listed in the pom-ng dependancies).

Pablo, can you confirm this?

Are these changes of Rusty likly to have been applied to the released 
kernel or to ip_tables?

Although this patch is against 2.6.11, are there any strong reasons for 
it to fail on 2.6.10? I ask because the layer 7 pattern matching which 
I'm also using is reported to leak memory with 2.6.11.

Right now ct-event fails badly to apply to 2.6.10 with context like:
  IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
missing entirely from the file-to-be-patched, but which is present in 
the 2.6.11 version.

Is there any sane route to getting Pablo's nfnetlink-ctnetlink-0.13 
applied to 2.6.10?

Looks like I'm bound to 2.6.11 and try and get nfnetlink-ctnetlink-0.13 
to apply, unless I have misunderstood something.

Thanks

Amin

Re: [PATCH] ct-event API port to 2.6.11

[Pablo Neira]

Amin Azez wrote:
> It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) 
> requires ct-event (although this is not listed in the pom-ng dependancies).
> 
> Pablo, can you confirm this?

I've just merged Harald's and my port. You can get it from:

http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/

--
Pablo

Re: [PATCH] ct-event API port to 2.6.11

[Wang Jian]

Hi Pablo Neira,

I suggest that we split ctnetlink-nfnetlink into two parts: notification
and manipulation.

The notification part is very useful and supposed to be stable (I mean,
not changing so often) and I think we can make it work once and ever.

The manipulation part, however, is not needed by most of people, and apt
to changing from time to time when the conntrack core changes.

I have a suggestion on the notification part, that we can provide a
/proc/net/netfilter/notification. It is a bit mask that controls what
kinds of notification should be sent.


On Wed, 06 Apr 2005 20:11:43 +0200, Pablo Neira <pablo@eurodev.net> wrote:

> Amin Azez wrote:
> > It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) 
> > requires ct-event (although this is not listed in the pom-ng dependancies).
> > 
> > Pablo, can you confirm this?
> 
> I've just merged Harald's and my port. You can get it from:
> 
> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/
> 
> --
> Pablo



-- 
  lark

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Pablo Neira wrote:
> Amin Azez wrote:
> 
>> It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) 
>> requires ct-event (although this is not listed in the pom-ng 
>> dependancies).
>>
>> Pablo, can you confirm this?
> 
> 
> I've just merged Harald's and my port. You can get it from:
> 
> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/

Thanks Pablo, thats swell, the kernel seemed to patch and make just 
fine. I'll begin testing shortly and report back.

I'm now compiling libctnetlink 20050406 snapshot to use with this 
kernel.  I applied your patch from "[PATCH] updates for libctnetlink"

A note to others, I had to use automake-1.4

Amin

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Pablo Neira wrote:
> Amin Azez wrote:
>> It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) 
>> requires ct-event (although this is not listed in the pom-ng 
>> dependancies).
>>
>> Pablo, can you confirm this?
> 
> I've just merged Harald's and my port. You can get it from:
> 
> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/

I had thought that your merge with Harald replaced 
nfnetlink-ctnetlink-0.13 on pom-ng.

After your new patch (which applies cleanly to 2.6.11) trying to compile 
libctnetlink fails on not finding nfnetlink_conntrack.h which can't be 
found in any kernel sources (patched or otherwise) but only be found in:
patch-o-matic-ng/nfnetlink-ctnetlink-0.13/linux/include/linux/nfnetlink_conntrack.h

Do I still need to grab any files from nfnetlink-ctnetlink-0.13 in pom-ng?

Amin

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

[Pablo, sorry, you got missed in the followups to the message I'm 
responding to, which is a shame as it was addressed to you, but I quoted 
the whole message here]

Amin Azez wrote:
> Pablo Neira wrote:
> 
>> Amin Azez wrote:
>>
>>> It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) 
>>> requires ct-event (although this is not listed in the pom-ng 
>>> dependancies).
>>>
>>> Pablo, can you confirm this?
>>
>>
>> I've just merged Harald's and my port. You can get it from:
>>
>> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/ 
> 
> I had thought that your merge with Harald replaced 
> nfnetlink-ctnetlink-0.13 on pom-ng.
> 
> After your new patch (which applies cleanly to 2.6.11) trying to compile 
> libctnetlink fails on not finding nfnetlink_conntrack.h which can't be 
> found in any kernel sources (patched or otherwise) but only be found in:
> patch-o-matic-ng/nfnetlink-ctnetlink-0.13/linux/include/linux/nfnetlink_conntrack.h 
> 
> Do I still need to grab any files from nfnetlink-ctnetlink-0.13 in pom-ng?

Another libctnetlink compile problem relates to linux/compiler.h not 
being included. I guess the best way to bring linux/compiler.h in is 
libctnetlink.c or some other new .h file whose purpose will be to bring 
in some of the global include files that are applied when the kernel is 
compiled.

I've not done enough nf hacking to be able to make this judgement; what 
usually happens when kernel headers that applications want to use end up 
using magic kernel defines like "likely"? Do we try and generally fake 
that sort of environment for the whole project, or just 
per-file-that-needs-it?

In file included from /lib/modules/2.6.11.6/build/include/asm/atomic.h:6,
                  from 
/lib/modules/2.6.11.6/build/include/linux/netfilter_ipv4/ip_conntrack_icmp.h:4,
                  from 
/lib/modules/2.6.11.6/build/include/linux/netfilter_ipv4/ip_conntrack.h:129,
                  from libctnetlink.c:27:
/lib/modules/2.6.11.6/build/include/asm/processor.h: In function 
`load_esp0':
/lib/modules/2.6.11.6/build/include/asm/processor.h:474: warning: 
implicit declaration of function `unlikely'

Sam

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Amin Azez wrote:
>> After your new patch (which applies cleanly to 2.6.11) trying to 
>> compile libctnetlink fails on not finding nfnetlink_conntrack.h which 
>> can't be found in any kernel sources (patched or otherwise) but only 
>> be found in:
>> patch-o-matic-ng/nfnetlink-ctnetlink-0.13/linux/include/linux/nfnetlink_conntrack.h 
>>
>> Do I still need to grab any files from nfnetlink-ctnetlink-0.13 in 
>> pom-ng?

I've transferred the whole source files from nfnetlink-ctnetlink-0.13 to 
the 2.6.11 source tree and read the pom-ng source to work out what ladd 
files are for, and I'm applying those by hand.

There seems to be a conceptual clash between IP_NF_CONNTRACK_NETLINK in 
Kconfig and IP_NF_NETLINK_CONNTRACK in the ladd file which both have 
exactly the same description "Connection tracking netlink interface", 
similar names but different dependancies

// from Kconfig ipv4/netfilter (2.6.11)
config IP_NF_CONNTRACK_NETLINK
         tristate 'Connection tracking netlink interface'
         depends on IP_NF_CONNTRACK && 
NETFILTER_NETLINK&&IP_NF_CONNTRACK_EVENTS

//from Kconfig.ladd (nfnetlink-ctnetlink-0.13)
config IP_NF_NETLINK_CONNTRACK
         tristate  'Connection tracking netlink interface'
         depends on IP_NF_NETLINK && IP_NF_CONNTRACK


Kconfig depends on NETFILTER_NETLINK which might be the same as the 
KConfig.ladd's IP_NF_NETLINK

The indication then is, that in kernel 2.6.11.6 the 
IP_NF_CONNTRACK_NETLINK fragment is trying to do the same thing as the 
IP_NF_NETLINK_CONNTRACK fragment in the ladd file.

As neither of these definitions seems to be used in any of the source it 
is all the more puzzling as there are no clues to resolve the question.

Anyway, it looks like only the Makefile.ladd and the whole source files 
from the pomg-ng/nfnetlink-ctnetlink-0.13 need importing in conjunction 
with Pablo's new combined patch.

So I'm giving that a go.

Sam

Re: [PATCH] ct-event API port to 2.6.11

[Pablo Neira]

[-- Attachment #1: Type: text/plain, Size: 745 bytes --]

Amin Azez wrote:
> Pablo Neira wrote:
> 
>> Amin Azez wrote:
>>
>>> Anyway, it looks like only the Makefile.ladd and the whole source 
>>> files from the pomg-ng/nfnetlink-ctnetlink-0.13 need importing in 
>>> conjunction with Pablo's new combined patch.
>>
>>
>> You don't have to combine anything. This is a complete misconception, 
>> just apply patches in:
>>
>> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/ 
>>
> 
> 
> Hmm; I did that first but libctnetlink needs linux/nfnetlink_conntrack.h 
> which I can't find anywhere but p-o-m/nfnetlink-ctnetlink-0.13
> 
> I seem to have missed something obvious, is that libctnetlink dependancy 
> out of date?

yes, include files have changed its location.

--
Pablo

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 9551 bytes --]

Index: libctnetlink.c
===================================================================
--- libctnetlink.c	(revision 3742)
+++ libctnetlink.c	(working copy)
@@ -27,14 +27,12 @@
 #include <linux/netfilter_ipv4/ip_conntrack.h>
 #include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#include <linux/nfnetlink_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>
 
 #include "libctnetlink.h"
 
-#define ctnl_error(format, args...) \
-	fprintf(stderr, "%s: " format, __FUNCTION__, ## args)
+#define ctnl_error printf
 
 /***********************************************************************
  * low level stuff 
@@ -65,11 +63,17 @@
 	int type = NFNL_MSG_TYPE(n->nlmsg_type);
 	struct ctnl_msg_handler *hdlr = cth->handler[type];
 	int ret;
+	struct nlmsgerr *msgerr;
 
 	/* end of messages reached, let's return */
 	if (n->nlmsg_type == NLMSG_DONE)
 		return -100;
 
+	if (n->nlmsg_type == NLMSG_ERROR) {
+		msgerr = NLMSG_DATA(n);
+		return msgerr->error;
+	}
+
 	if (NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK) {
 		ctnl_error("received message for wrong subsys, skipping\n");
 		nfnl_dump_packet(n, n->nlmsg_len, "list_conntrack_handler");
@@ -81,28 +85,16 @@
 		return 0;
 	}
 
+	if (!hdlr->handler) {
+		ctnl_error("no handler function for type %d\n", type);
+		return 0;
+	}
+
 	ret = hdlr->handler(nladdr, n, arg);
 
 	return ret;
 }
 
-/* handler used for nfnl_listen */
-static int get_conntrack_handler(struct sockaddr_nl *nladdr,
-                                  struct nlmsghdr *n, void *arg)
-{
-	struct nfgenmsg *cm = NLMSG_DATA(n);
-	struct nfattr **cb = (struct nfattr **)arg;
-
-	/* this is what we get when there's no match */
-	if (NFNL_SUBSYS_ID(n->nlmsg_type) != NFNL_SUBSYS_CTNETLINK)
-		return -1;
-        
-	nfnl_parse_attr(cb, CTA_MAX, NFM_NFA(cm), n->nlmsg_len);
-	
-	return -100; /* to get nfnl_listen to break out of the loop */
-}
-
-
 /***********************************************************************
  * high level stuff 
  ***********************************************************************/
@@ -149,7 +141,7 @@
 int ctnl_register_handler(struct ctnl_handle *cth, 
 			  struct ctnl_msg_handler *hndlr)
 {
-	if (hndlr->type >= CTNL_MSG_COUNT)
+	if (hndlr->type >= IPCTNL_MSG_COUNT)
 		return -EINVAL;
 
 	cth->handler[hndlr->type] = hndlr;
@@ -165,7 +157,7 @@
  */
 int ctnl_unregister_handler(struct ctnl_handle *cth, int type)
 {
-	if (type >= CTNL_MSG_COUNT)
+	if (type >= IPCTNL_MSG_COUNT)
 		return -EINVAL;
 
 	cth->handler[type] = NULL;
@@ -180,7 +172,7 @@
  */
 int ctnl_list_conntrack(struct ctnl_handle *cth, int family)
 {
-	if (ctnl_wilddump_request(cth, family, CTNL_MSG_GETCONNTRACK) < 0) {
+	if (ctnl_wilddump_request(cth, family, IPCTNL_MSG_GETCONNTRACK) < 0) {
 		ctnl_error("error during ctnl_wilddump_request\n");
 		return -1;
 	}
@@ -189,42 +181,54 @@
 
 }
 
+/* TODO: Don't user list_conntrack_handler */
+int ctnl_event_conntrack(struct ctnl_handle *cth, int family)
+{
+	return nfnl_listen(&cth->nfnlh, &list_conntrack_handler, cth);
+}
+
 /**
  * ctnl_get_conntrack - get a connection from conntrack hashtable
  * cth: libctnetlink handle
  * t: tuple of connection to get
  * cb: a struct nfattr to put the connection in
  */
-int ctnl_get_conntrack(struct ctnl_handle *cth,
-		     struct ip_conntrack_tuple *t,
-		     struct nfattr **cb)
+int ctnl_get_conntrack(struct ctnl_handle *cth, 
+		       struct ip_conntrack_tuple *tuple,
+		       enum ctattr_type_t t)
 {
 	struct {
 		struct nlmsghdr nlh;
 		struct nfgenmsg g;
 	} *req;
 
-	char buf[sizeof(*req) + NFA_LENGTH(sizeof(*t))];
+	char buf[sizeof(*req) + NFA_LENGTH(sizeof(*tuple))
+		 + NFA_LENGTH(sizeof(unsigned long))];
 	memset(&buf, 0, sizeof(buf));
 
 	req = (void *) &buf;
-	
+
+	if (tuple == NULL) {
+		ctnl_error("tuple must be specified\n");
+		return -1;
+	}
+
 	nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
-			0, AF_INET, CTNL_MSG_GETCONNTRACK,
+			0, AF_INET, IPCTNL_MSG_GETCONNTRACK,
 			NLM_F_REQUEST);
 
-	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ORIG, t,
-			sizeof(*t)) < 0) {
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), t, tuple,
+				sizeof(*tuple)) < 0) {
 		ctnl_error("error during nfnl_addattr_l\n");
 		return -1;
 	}
-	
+
 	if (nfnl_send(&cth->nfnlh, (struct nlmsghdr *)&buf) < 0 ) {
 		ctnl_error("error while nfnl_send\n");
 		return -1;
 	}
 
-	return nfnl_listen(&cth->nfnlh, &get_conntrack_handler, cb);
+	return nfnl_listen(&cth->nfnlh, &list_conntrack_handler, cth);
 }
 
 /**
@@ -232,24 +236,32 @@
  * cth: libctnetlink handle
  * t: tuple of to-be-deleted connection
  */
-int ctnl_del_conntrack(struct ctnl_handle *cth, struct ip_conntrack_tuple *t)
+int ctnl_del_conntrack(struct ctnl_handle *cth, 
+		       struct ip_conntrack_tuple *tuple,
+		       enum ctattr_type_t t)
 {
 	struct {
 		struct nlmsghdr nlh;
 		struct nfgenmsg nfmsg;
 	} *req;
 
-	char buf[sizeof(*req) + NFA_LENGTH(sizeof(*t))];
+	char buf[sizeof(*req) + NFA_LENGTH(sizeof(*tuple))
+		 + NFA_LENGTH(sizeof(unsigned long))];
 	memset(&buf, 0, sizeof(buf));
 
 	req = (void *) &buf;
 
+	if (tuple == NULL) {
+		ctnl_error("tuple must be specified\n");
+		return -1;
+	}
+	
 	nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
-		      0, AF_INET, CTNL_MSG_DELCONNTRACK,
+		      0, AF_INET, IPCTNL_MSG_DELCONNTRACK,
 		      NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST);
 
-	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ORIG, t, 
-			   sizeof(*t)) < 0) {
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), t, tuple, 
+			   sizeof(*tuple)) < 0) {
 		ctnl_error("error during nfnl_addattr_l\n");
 		return -1;
 	}
@@ -258,13 +270,75 @@
 }
 
 /**
+ * ctnl_new_conntrack - create a connection in the conntrack hashtable
+ * cth: libctnetlink handle
+ * t: tuple of to-be-created connection
+ */
+int ctnl_new_conntrack(struct ctnl_handle *cth,
+		       struct ip_conntrack_tuple *orig,
+		       struct ip_conntrack_tuple *reply, 
+		       unsigned long timeout, struct cta_proto *proto,
+		       unsigned int status)
+{
+	struct {
+		struct nlmsghdr nlh;
+		struct nfgenmsg nfmsg;
+	} *req;
+
+	char buf[sizeof(*req) + NFA_LENGTH(sizeof(*orig))
+		 + NFA_LENGTH(sizeof(*reply)) 
+		 + NFA_LENGTH(sizeof(unsigned long))
+		 + NFA_LENGTH(sizeof(*proto))
+		 + NFA_LENGTH(sizeof(unsigned int))];
+	memset(&buf, 0, sizeof(buf));
+
+	req = (void *) &buf;
+
+	nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
+		      0, AF_INET, IPCTNL_MSG_NEWCONNTRACK,
+		      NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST|NLM_F_CREATE);
+
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ORIG, orig, 
+			   sizeof(*orig)) < 0) {
+		ctnl_error("error during nfnl_addattr_l\n");
+		return -1;
+	}
+
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_RPLY, reply, 
+			   sizeof(*reply)) < 0) {
+		ctnl_error("error during nfnl_addattr_l\n");
+		return -1;
+	}
+
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
+			   sizeof(unsigned long)) < 0) {
+		ctnl_error("error during nfnl_addattr_l\n");
+		return -1;
+	}
+
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_PROTOINFO, proto, 
+			   sizeof(*proto)) < 0) {
+		ctnl_error("error during nfnl_addattr_l\n");
+		return -1;
+	}
+
+	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_STATUS, &status,
+			   sizeof(unsigned int)) < 0) {
+		ctnl_error("error during nfnl_addattr_l\n");
+		return -1;
+	}
+
+	return nfnl_send(&cth->nfnlh, (struct nlmsghdr *)&buf);
+}
+
+/**
  * ctnl_list_expect - retrieve a list of expectations from conntrack subsys
  * cth: libctnetlink handle
  * family: AF_INET, ...
  */
 int ctnl_list_expect(struct ctnl_handle *cth, int family)
 {
-	if (ctnl_wilddump_request(cth, family, CTNL_MSG_GETEXPECT) < 0) {
+	if (ctnl_wilddump_request(cth, family, IPCTNL_MSG_GETEXPECT) < 0) {
 		ctnl_error("error during ctnl_wilddump_request\n");
 		return -1;
 	}
@@ -292,7 +366,7 @@
 	req = (void *) &buf;
 
 	nfnl_fill_hdr(&cth->nfnlh, (struct nlmsghdr *) &buf,
-		      0, AF_INET, CTNL_MSG_DELEXPECT,
+		      0, AF_INET, IPCTNL_MSG_DELEXPECT,
 		      NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST);
 
 	if (nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_ORIG, t, 
Index: libctnetlink.h
===================================================================
--- libctnetlink.h	(revision 3742)
+++ libctnetlink.h	(working copy)
@@ -13,8 +13,8 @@
 #include <netinet/in.h>
 #include <asm/types.h>
 #include <linux/if.h>
-#include <linux/nfnetlink.h>
-#include <linux/nfnetlink_conntrack.h> 
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter_ipv4/ip_conntrack_netlink.h> 
 #include <linux/netfilter_ipv4/ip_conntrack.h>
 #include "../libnfnetlink/libnfnetlink.h"
 
@@ -27,7 +27,7 @@
 
 struct ctnl_handle {
 	struct nfnl_handle nfnlh;
-	struct ctnl_msg_handler *handler[CTNL_MSG_COUNT];
+	struct ctnl_msg_handler *handler[IPCTNL_MSG_COUNT];
 };
 
 extern int ctnl_open(struct ctnl_handle *cth, unsigned subscriptions);
@@ -37,9 +37,10 @@
 				 struct ctnl_msg_handler *hndlr);
 extern int ctnl_get_conntrack(struct ctnl_handle *cth,
 			      struct ip_conntrack_tuple *tuple,
-			      struct nfattr **cb);
+			      enum ctattr_type_t t);
 extern int ctnl_del_conntrack(struct ctnl_handle *cth,
-			      struct ip_conntrack_tuple *t);
+			      struct ip_conntrack_tuple *tuple,
+			      enum ctattr_type_t t);
 extern int ctnl_list_conntrack(struct ctnl_handle *cth, int family);
 
 extern int ctnl_list_expect(struct ctnl_handle *cth, int family);

[-- Attachment #3: y --]
[-- Type: text/plain, Size: 334 bytes --]

Index: libnfnetlink.h
===================================================================
--- libnfnetlink.h	(revision 3742)
+++ libnfnetlink.h	(working copy)
@@ -8,7 +8,7 @@
 
 #include <linux/types.h>
 #include <linux/netlink.h>
-#include <linux/nfnetlink.h>
+#include <linux/netfilter/nfnetlink.h>
 
 #define NFNL_BUFFSIZE		8192
 

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

[-- Attachment #1: Type: text/plain, Size: 1578 bytes --]

[attached is a candidate patch for ctnltest.c]

Pablo Neira wrote:
> Amin Azez wrote:
>> I seem to have missed something obvious, is that libctnetlink 
>> dependancy out of date?
> 
> 
> yes, include files have changed its location.

Thanks for the patches Pablo, they seemed to do the trick.
ctnl_del_conntrack has been expanded to 3 args, should I be using 
CTA_UNSPEC or CTA_ORIG or CTA_STATUS as the 3rd arg on line 118 of 
ctnltest.c?

ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]),XXXXX);

For the record, to help those who follow, to get libctnetlink and 
libnfnetlink working, here are the instructions.

1) unpack the pristine kernel sources of 2.6.11
2) apply pablos patches from 
http://people.netfilter.org/pablo/patches/nfnetlink-conntrack-0.50-2.6.11/
3) build and install your kernel & modules with all the right NF options 
enabled
4) unpack a recent libctnetlink from 
ftp://ftp.netfilter.org/pub/libctnetlink/snapshot/
5) run:
   automake-1.4
   autoconf
6) unpack a recent libnfnetlink from 
ftp://ftp.netfilter.org/pub/libnfnetlink/snapshot/
make a symlink from libnfnetlink-2005xxxx to libnfnetlink so that 
libctnetlink can find it
7) run:
   automake-1.4
   autoconf
8) inside the libctnetlink dir
./configure
make
make install
9) inside the libnfnetlink dir
./configure
make
make install

Attached is my candidate patch for ctnltest.c which can be compiled with:
gcc -o ctnltest ctnltest.c -L/usr/local/lib 
-I/opt/KERNEL/linux-2.6.11.6/include/ -lctnetlink -lnfnetlink

(you might need to put /usr/local/lib in your /etc/ld.so.conf and run 
ldconfig)


[-- Attachment #2: ctnltest.patch --]
[-- Type: text/x-patch, Size: 989 bytes --]

--- ctnltest.c.orig     2005-04-08 15:38:22.000000000 -0400
+++ ctnltest.c  2005-04-08 16:18:58.000000000 -0400
@@ -10,7 +10,7 @@

 #include <linux/types.h>
 #include <linux/netlink.h>
-#include <linux/nfnetlink_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>

 #include "libctnetlink.h"

@@ -115,7 +115,7 @@
        if (cb[CTA_ORIG]) {
                printf("orig: %s\n",
                                display_tuple_flat(NFA_DATA(cb[CTA_ORIG])));
-               ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]));
+               ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]),CTA_UNSPEC);
        }
        if (cb[CTA_RPLY])
                printf("rply: %s\n",
@@ -169,7 +169,7 @@
                exit(2);
        }

-       ctnl_wilddump_request(cth, AF_INET, CTNL_MSG_GETCONNTRACK);
+       ctnl_wilddump_request(cth, AF_INET, IPCTNL_MSG_GETCONNTRACK);

        while (len = recv(cth->nfnlh.fd, &buf, sizeof(buf), 0)) {
                printf("pkt received\n");

Re: [PATCH] ct-event API port to 2.6.11

[Pablo Neira]

Amin Azez wrote:
> Thanks for the patches Pablo, they seemed to do the trick.
> ctnl_del_conntrack has been expanded to 3 args, should I be using 
> CTA_UNSPEC or CTA_ORIG or CTA_STATUS as the 3rd arg on line 118 of 
> ctnltest.c?

+int ctnl_del_conntrack(struct ctnl_handle *cth,
+                      struct ip_conntrack_tuple *tuple,
+                      enum ctattr_type_t t)

The 3rd arguments says if you're referring to CTA_ORIG or CTA_RPLY. So 
you can kill conntracks based on the direction.

This stuff is under development so nobody can't assure that the API will 
change in future.

> ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]),XXXXX);
> 
> For the record, to help those who follow, to get libctnetlink and 
> libnfnetlink working, here are the instructions.
> 
> 1) unpack the pristine kernel sources of 2.6.11
> 2) apply pablos patches from 
> http://people.netfilter.org/pablo/patches/nfnetlink-conntrack-0.50-2.6.11/
> 3) build and install your kernel & modules with all the right NF options 
> enabled
> 4) unpack a recent libctnetlink from 
> ftp://ftp.netfilter.org/pub/libctnetlink/snapshot/
> 5) run:
>   automake-1.4
>   autoconf
> 6) unpack a recent libnfnetlink from 
> ftp://ftp.netfilter.org/pub/libnfnetlink/snapshot/
> make a symlink from libnfnetlink-2005xxxx to libnfnetlink so that 
> libctnetlink can find it
> 7) run:
>   automake-1.4
>   autoconf
> 8) inside the libctnetlink dir
> ./configure
> make
> make install
> 9) inside the libnfnetlink dir
> ./configure
> make
> make install

Thanks, people surely would appreciate this to save time.

> Attached is my candidate patch for ctnltest.c which can be compiled with:

fix ctnl_del_conntrack, CTA_UNSPEC isn't ok as 3rd param.

--
Pablo

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

For the record I forgot to say:
add Pablos patches from the post I was replying to (see 
http://lists.netfilter.org/pipermail/netfilter-devel/2005-April/019182.html
)
to the unpacked libctnetlink and libnfnetlink before you compile them.

What is ctnltest supposed to do?

Running ctnltest I only ever get one packet where the subsys id is 
NFNL_SUBSYS_CTNETLINK_EXP

I can bring connections up and down all day and ctnltest doesn't receive 
any more packets.

I'm so close now to completing this path through the jungle, when I'm 
done I shall walk up and down it to make the path wider and explore the 
side roads.

I was hoping that ctnltest would start spitting out reports when 
connections came up and down.

I'm currently investigating how libctnetlink goes through libnfnetlink 
and touches ct-event to see if it even should do what I think, but any 
tips anyone has will be appreciated.

Sam



Pablo Neira wrote:
> Amin Azez wrote:
> 
>> Thanks for the patches Pablo, they seemed to do the trick.
>> ctnl_del_conntrack has been expanded to 3 args, should I be using 
>> CTA_UNSPEC or CTA_ORIG or CTA_STATUS as the 3rd arg on line 118 of 
>> ctnltest.c?
> 
> 
> +int ctnl_del_conntrack(struct ctnl_handle *cth,
> +                      struct ip_conntrack_tuple *tuple,
> +                      enum ctattr_type_t t)
> 
> The 3rd arguments says if you're referring to CTA_ORIG or CTA_RPLY. So 
> you can kill conntracks based on the direction.

Hmmm... in the context of ctnltest.c its hard to say what is required.
I'm not even sure why ctnltest is calling ctnl_del_conntrack for packets 
where (NFNL_SUBSYS_ID(nlh->nlmsg_type) == 
           NFNL_SUBSYS_CTNETLINK)

> fix ctnl_del_conntrack, CTA_UNSPEC isn't ok as 3rd param.

will do: really dumb question, why is ctnltest even calling 
ctnl_del_contrack?

Amin

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

The procedure I outline below is not complete;

I found that I can't set CONFIG_NETFILTER_NETLINK in the config file using
make xconfig (which I use to sanity check .config done by hand)

beause of this, IP_NF_CONNTRACK_NETLINK cannot be set, and so 
ip_conntrack_netlink.c is never compiled.

CONFIG_NETFILTER_NETLINK is available from 
linux-2.6.11.6/net/netfilter/Kconfig (as opposed to ipv4/netfilter/Kconfig)

For some reason it has spaces instead of tabs in it (most Kconfig have 
tabs) but even if I fix this I still can't get NETFILTER_NETLINK to show 
in the gui kernel config tools, which indicates something is wrong.

Amin

Pablo Neira wrote:
> Amin Azez wrote:
> 
>> Thanks for the patches Pablo, they seemed to do the trick.
>> ctnl_del_conntrack has been expanded to 3 args, should I be using 
>> CTA_UNSPEC or CTA_ORIG or CTA_STATUS as the 3rd arg on line 118 of 
>> ctnltest.c?
> 
> 
> +int ctnl_del_conntrack(struct ctnl_handle *cth,
> +                      struct ip_conntrack_tuple *tuple,
> +                      enum ctattr_type_t t)
> 
> The 3rd arguments says if you're referring to CTA_ORIG or CTA_RPLY. So 
> you can kill conntracks based on the direction.
> 
> This stuff is under development so nobody can't assure that the API will 
> change in future.
> 
>> ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]),XXXXX);
>>
>> For the record, to help those who follow, to get libctnetlink and 
>> libnfnetlink working, here are the instructions.
>>
>> 1) unpack the pristine kernel sources of 2.6.11
>> 2) apply pablos patches from 
>> http://people.netfilter.org/pablo/patches/nfnetlink-conntrack-0.50-2.6.11/ 
>>
>> 3) build and install your kernel & modules with all the right NF 
>> options enabled
>> 4) unpack a recent libctnetlink from 
>> ftp://ftp.netfilter.org/pub/libctnetlink/snapshot/
>> 5) run:
>>   automake-1.4
>>   autoconf
>> 6) unpack a recent libnfnetlink from 
>> ftp://ftp.netfilter.org/pub/libnfnetlink/snapshot/
>> make a symlink from libnfnetlink-2005xxxx to libnfnetlink so that 
>> libctnetlink can find it
>> 7) run:
>>   automake-1.4
>>   autoconf
>> 8) inside the libctnetlink dir
>> ./configure
>> make
>> make install
>> 9) inside the libnfnetlink dir
>> ./configure
>> make
>> make install
> 
> 
> Thanks, people surely would appreciate this to save time.
> 
>> Attached is my candidate patch for ctnltest.c which can be compiled with:
> 
> 
> fix ctnl_del_conntrack, CTA_UNSPEC isn't ok as 3rd param.
> 
> -- 
> Pablo
> 
> 

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Fix for this was to insert:
source "net/netfilter/Kconfig"

just before:
source "net/ipv4/Kconfig"

in linux-2.6.11.6/net/Kconfig


Sorry to spam you all so much, I'll try and reduce my posting rate.

Sam


Amin Azez wrote:
> The procedure I outline below is not complete;
> 
> I found that I can't set CONFIG_NETFILTER_NETLINK in the config file using
> make xconfig (which I use to sanity check .config done by hand)
> 
> beause of this, IP_NF_CONNTRACK_NETLINK cannot be set, and so 
> ip_conntrack_netlink.c is never compiled.
> 
> CONFIG_NETFILTER_NETLINK is available from 
> linux-2.6.11.6/net/netfilter/Kconfig (as opposed to ipv4/netfilter/Kconfig)
> 
> For some reason it has spaces instead of tabs in it (most Kconfig have 
> tabs) but even if I fix this I still can't get NETFILTER_NETLINK to show 
> in the gui kernel config tools, which indicates something is wrong.
> 
> Amin

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Now ip_conntrack_netlink.ko is being build, but modprobe fails, dmesg shows:

ip_conntrack_netlink: Unknown symbol __nfa_fill
ip_conntrack_netlink: Unknown symbol nfnetlink_subsys_register
ip_conntrack_netlink: Unknown symbol nfnetlink_subsys_alloc
ip_conntrack_netlink: Unknown symbol nfnetlink_send
ip_conntrack_netlink: Unknown symbol nfnetlink_subsys_unregister
ip_conntrack_netlink: Unknown symbol nfnetlink_check_attributes


Some of these at least (but not nfa_fill) are defined in:
net/netfilter/nfnetlink.c which, is not built to a .o file either

No doubt similar magic used to link in net/netfilter/Kconfig is to be 
used to link in net/netfilter/Makefile, let me discover the spell
[slight pause while Amin "discovers" the spell]

OK, I inserted:

just before:

(I'm not doing 1-liner patches when there is a good chance someone will 
want to move the position of the line, cos I just guessed where to put it)

now, try:
# modprobe nfnetlink
FATAL: Error inserting nfnetlink 
(/lib/modules/2.6.11.6/kernel/net/netfilter/nfnetlink.ko): Operation not 
permitted
# dmesg -c
Netfilter messages via NETLINK v0.12.
cannot initialize nfnetlink!

bah, that would be nfnetlink.c:
         nfnl = netlink_kernel_create(NETLINK_NETFILTER, nfnetlink_rcv);
         if (!nfnl) {
                 printk(KERN_ERR "cannot initialize nfnetlink!\n");
                 return -1;
         }

OK, I'll keep looking, but I thought it important to log the omissions 
in net/Kconfig and net/Makefile which fail to bring in 
net/netfilter/Kconfig and net/netfilter/Makefile

Amin

Amin Azez wrote:
> Fix for this was to insert:
> source "net/netfilter/Kconfig"
> 
> just before:
> source "net/ipv4/Kconfig"
> 
> in linux-2.6.11.6/net/Kconfig
> 
> 
> Sorry to spam you all so much, I'll try and reduce my posting rate.
> 
> Sam
> 
> 
> Amin Azez wrote:
> 
>> The procedure I outline below is not complete;
>>
>> I found that I can't set CONFIG_NETFILTER_NETLINK in the config file 
>> using
>> make xconfig (which I use to sanity check .config done by hand)
>>
>> beause of this, IP_NF_CONNTRACK_NETLINK cannot be set, and so 
>> ip_conntrack_netlink.c is never compiled.
>>
>> CONFIG_NETFILTER_NETLINK is available from 
>> linux-2.6.11.6/net/netfilter/Kconfig (as opposed to 
>> ipv4/netfilter/Kconfig)
>>
>> For some reason it has spaces instead of tabs in it (most Kconfig have 
>> tabs) but even if I fix this I still can't get NETFILTER_NETLINK to 
>> show in the gui kernel config tools, which indicates something is wrong.
>>
>> Amin
> 
> 
> 
> 

Re: [PATCH] ct-event API port to 2.6.11

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 903 bytes --]

On Wed, Apr 06, 2005 at 08:11:43PM +0200, Pablo Neira wrote:
> Amin Azez wrote:
> >It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) requires 
> >ct-event (although this is not listed in the pom-ng dependancies).
> >Pablo, can you confirm this?
> 
> I've just merged Harald's and my port. You can get it from:
> 
> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/

do you mind creating a patch against svn so we can put it into
nfnetlink-ctnetlink/linux-2.6.11 ?

thanks!

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH] ct-event API port to 2.6.11

[Pablo Neira]

Harald Welte wrote:
> do you mind creating a patch against svn so we can put it into
> nfnetlink-ctnetlink/linux-2.6.11 ?

Attached two patches against pom-ng:

o ctevent-api: conntrack event API
o nfnetlink-ctnetlink: nfnetlink + conntrack netlink interface

--
Pablo

Re: [PATCH] ct-event API port to 2.6.11

[Pablo Neira]

[-- Attachment #1: Type: text/plain, Size: 345 bytes --]

Pablo Neira wrote:
> Harald Welte wrote:
> 
>> do you mind creating a patch against svn so we can put it into
>> nfnetlink-ctnetlink/linux-2.6.11 ?
> 
> 
> Attached two patches against pom-ng:
> 
> o ctevent-api: conntrack event API
> o nfnetlink-ctnetlink: nfnetlink + conntrack netlink interface

oops, sorry, forgot the patches...

--
Pablo


[-- Attachment #2: ctevent.patch.gz --]
[-- Type: application/gzip, Size: 5373 bytes --]

[-- Attachment #3: nf-ct-netlink.patch.gz --]
[-- Type: application/gzip, Size: 15929 bytes --]

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Pablo Neira wrote:
> Pablo Neira wrote:
> 
>> Harald Welte wrote:
>>
>>> do you mind creating a patch against svn so we can put it into
>>> nfnetlink-ctnetlink/linux-2.6.11 ?
>>
>>
>>
>> Attached two patches against pom-ng:
>>
>> o ctevent-api: conntrack event API
>> o nfnetlink-ctnetlink: nfnetlink + conntrack netlink interface
> 
> oops, sorry, forgot the patches...

Can I just check that nfnetlink-ctnetlink-0.13 and 
nfnetlink-ctnetlink-0.50 in pom-ng-20050404 have been replaced by
pom-ng/nfnetlink and pom-ng/ctnetlink in pom-ng-20050417

Pablo, do they also fully supercede your patches 1-5 at 
http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/ 
and that there is nothing new in those?

If so, do you want me to create a pom-ng for the netlink packet counting 
stuff I sent last week, our will you spit that out at an appropriate 
point combined with your pattern defined dumping?

Sam

Re: [PATCH] ct-event API port to 2.6.11

[Amin Azez]

Harald Welte wrote:
> On Wed, Apr 06, 2005 at 08:11:43PM +0200, Pablo Neira wrote:
> 
>>Amin Azez wrote:
>>
>>>It appears that pom-ng nfnetlink-ctnetlink-0.13 (ported by Pablo?) requires 
>>>ct-event (although this is not listed in the pom-ng dependancies).
>>>Pablo, can you confirm this?
>>
>>I've just merged Harald's and my port. You can get it from:
>>
>>http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/
> 
> 
> do you mind creating a patch against svn so we can put it into
> nfnetlink-ctnetlink/linux-2.6.11 ?
> 
> thanks!

If anyone got a partial reply to this, I apologise. Thunderbird seems to 
abort the NNTP part of the send and then closes the "progress window" 
while it carries on with the SMTP part of the send. All the mad 
"pressing escape" just prevents the sent message from being stored in my 
sent-items folder so I have to start again. AGGH

Anyway, I notice Haralds patch on flow-based-accounting and svn and 
stuff, which answers my question.

Amin

Re: [PATCH] ct-event API port to 2.6.11

[Wang Jian]

Hi Amin Azez,

Pablo gave a patch the other day that patches pom-ng to get ctevent-api/.
I use this patch along with new nfnetlink/ and ctnetlink/, and it works
fine. Of course, you need to rename or symbol link ctevent-api/ to
conntrack-event-api/, because Harald Welte chooses it as name.

Execpt the ctevent-api, I think other parts have been put into new
nfnetlink/ and ctnetlink/.

Harald Welte also merged ctnetlink-conntrack_acct.patch, which seems to
do per stream packets/bytes counting stuff. (I just take a look at it,
so I may be wrong).


On Mon, 18 Apr 2005 11:48:05 +0100, Amin Azez <azez@ufomechanic.net> wrote:

> Pablo Neira wrote:
> > Pablo Neira wrote:
> > 
> >> Harald Welte wrote:
> >>
> >>> do you mind creating a patch against svn so we can put it into
> >>> nfnetlink-ctnetlink/linux-2.6.11 ?
> >>
> >>
> >>
> >> Attached two patches against pom-ng:
> >>
> >> o ctevent-api: conntrack event API
> >> o nfnetlink-ctnetlink: nfnetlink + conntrack netlink interface
> > 
> > oops, sorry, forgot the patches...
> 
> Can I just check that nfnetlink-ctnetlink-0.13 and 
> nfnetlink-ctnetlink-0.50 in pom-ng-20050404 have been replaced by
> pom-ng/nfnetlink and pom-ng/ctnetlink in pom-ng-20050417
> 
> Pablo, do they also fully supercede your patches 1-5 at 
> http://people.netfilter.org/~pablo/patches/nfnetlink-conntrack-0.50-2.6.11/ 
> and that there is nothing new in those?
> 
> If so, do you want me to create a pom-ng for the netlink packet counting 
> stuff I sent last week, our will you spit that out at an appropriate 
> point combined with your pattern defined dumping?
> 
> Sam



-- 
  lark