From: Amin Azez <azez@ufomechanic.net>
To: netfilter-devel@lists.netfilter.org
Subject: [PATCH] add direction match to conntrack match
Date: Fri, 01 Jun 2007 17:25:42 +0100
Message-ID: <46604886.4080400@ufomechanic.net>

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

This adds the virtual states ORIGINAL and REPLY to the conntrack match,
making it possible to tell if the packet being compared is part of the
original flow or the reply flow.

e.g.

iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY

The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
enough.

Signed-off-by: Sam Liddicott <azez@ufomechanic.net>

[-- Attachment #2: ctstate-dir.patch --]
[-- Type: text/x-patch, Size: 2344 bytes --]

--- ./include/linux/netfilter_ipv4/ipt_conntrack.h.old	2007-06-01 16:17:36.000000000 +0100
+++ ./include/linux/netfilter_ipv4/ipt_conntrack.h	2007-06-01 16:18:08.000000000 +0100
@@ -28,6 +28,8 @@
 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 #define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+#define IPT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
+#define IPT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
 
 /* flags, invflags: */
 #define IPT_CONNTRACK_STATE	0x01
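Review bot: this user-space copy of the state bits omits the `/* match on direction of packet */` comment that the kernel-side xt_conntrack.h hunk adds; keep the two headers textually identical, because iptables 1.3.6 builds against its own copy and any later divergence in the `IP_CT_NUMBER + 4` / `+ 5` positions would make a rule silently test the wrong bit. Please also check whether an IPv6 counterpart of this header and of libipt_conntrack exists in 1.3.6 and needs the same two lines.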
--- ./extensions/libipt_conntrack.man.old	2007-06-01 16:12:43.000000000 +0100
+++ ./extensions/libipt_conntrack.man	2007-06-01 16:14:00.000000000 +0100
@@ -25,6 +25,12 @@
 .B DNAT
 A virtual state, matching if the original destination differs from the
 reply source.
+.B ORIGINAL
+A virtual state, matching if the packet being compared is part of the
+original flow that created the conntrack.
+.B REPLY
+A virtual state, matching if the packet being compared is part of the
+reply flow.
 .TP
 .BI "--ctproto " "proto"
 Protocol to match (by number or name)
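Review bot: the two new entries need a caveat on how they combine with the other states. The kernel treats the --ctstate list as alternatives (the test is `(statebit & statemask) == 0` -> no match), so `--ctstate ESTABLISHED,REPLY` matches any established packet or any reply packet, and a rule that wants established reply packets has to stack two `-m conntrack` matches. State as well that neither ORIGINAL nor REPLY is set for a packet without a conntrack entry, so `! --ctstate REPLY` also matches INVALID packets whereas `--ctstate ORIGINAL` does not.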
--- ./extensions/libipt_conntrack.c.old	2007-06-01 16:14:12.000000000 +0100
+++ ./extensions/libipt_conntrack.c	2007-06-01 16:16:39.000000000 +0100
@@ -24,7 +24,7 @@
 {
 	printf(
 "conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
+" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT|ORIGINAL|REPLY][,...]\n"
 "				State(s) to match\n"
 " [!] --ctproto	proto		Protocol to match; by number or name, eg. `tcp'\n"
 "     --ctorigsrc  [!] address[/mask]\n"
@@ -73,6 +73,10 @@
 		sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
 	else if (strncasecmp(state, "DNAT", strlen) == 0)
 		sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT;
+	else if (strncasecmp(state, "ORIGINAL", strlen) == 0)
+		sinfo->statemask |= IPT_CONNTRACK_STATE_ORIGINAL;
+	else if (strncasecmp(state, "REPLY", strlen) == 0)
+		sinfo->statemask |= IPT_CONNTRACK_STATE_REPLY;
 	else
 		return 0;
 	return 1;
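Review bot: the new branches inherit the prefix rule of the existing ones: `strncasecmp(state, "DNAT", strlen)` compares only as many characters as the user typed, so an abbreviated token resolves to the first name it is a prefix of. Because REPLY is tested last, `--ctstate R` or `RE` is already taken by an earlier name (RELATED precedes it in the usage list) and never reaches this branch; either document that the full spelling is required or compare the new tokens with strcasecmp so they match whole names only.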
@@ -376,6 +380,14 @@
 		printf("%sDNAT", sep);
 		sep = ",";
 	}
+	if (statemask & IPT_CONNTRACK_STATE_ORIGINAL) {
+		printf("%sORIGINAL", sep);
+		sep = ",";
+	}
+	if (statemask & IPT_CONNTRACK_STATE_REPLY) {
+		printf("%sREPLY", sep);
+		sep = ",";
+	}
 	printf(" ");
 }
 

[-- Attachment #3: ctstate-kernel.patch --]
[-- Type: text/x-patch, Size: 1756 bytes --]

Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
===================================================================
--- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
+++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
@@ -14,6 +14,9 @@
 #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+/* match on direction of packet */
+#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
+#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
 
 /* flags, invflags: */
 #define XT_CONNTRACK_STATE	0x01
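Review bot: the comment is welcome, since these two are not states in the IP_CT_* sense but the packet's direction relative to the conntrack tuple; say so in the changelog too, together with the fact that struct xt_conntrack_info is unchanged, so existing iptables binaries keep working and only ones built against the new header can set the bits. Exactly one of ORIGINAL/REPLY is set for every packet that has a conntrack entry, so a single bit would suffice in principle; if two are kept, the reason (both `--ctstate ORIGINAL` and `--ctstate REPLY` read as positive tests, and neither is set without an entry) belongs in the comment.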
Index: linux-2.6.17.1/net/netfilter/xt_conntrack.c
===================================================================
--- linux-2.6.17.1.orig/net/netfilter/xt_conntrack.c
+++ linux-2.6.17.1/net/netfilter/xt_conntrack.c
@@ -63,6 +63,11 @@ match(const struct sk_buff *skb,
 			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip !=
 			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip)
 				statebit |= XT_CONNTRACK_STATE_DNAT;
+
+			if(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+				statebit |= XT_CONNTRACK_STATE_ORIGINAL;
+			else
+				statebit |= XT_CONNTRACK_STATE_REPLY;
 		}
 
 		if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
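Review bot: the direction bits are computed inside the block that only runs when a conntrack entry exists (it closes just before the FWINV test), so an INVALID packet gets neither bit. Combined with the unchanged `(statebit & sinfo->statemask) == 0` test this means `! --ctstate REPLY` matches INVALID packets while `--ctstate ORIGINAL` does not; if that asymmetry is intended it needs documenting, otherwise decide whether a packet without an entry should count as ORIGINAL. Style: `if(CTINFO2DIR(...))` should be `if (CTINFO2DIR(...))` per Documentation/CodingStyle, even though the neighbouring DNAT test has the same habit.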
@@ -150,6 +155,11 @@ match(const struct sk_buff *skb,
 			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip !=
 			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip)
 				statebit |= XT_CONNTRACK_STATE_DNAT;
+
+			if(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+				statebit |= XT_CONNTRACK_STATE_ORIGINAL;
+			else
+				statebit |= XT_CONNTRACK_STATE_REPLY;
 		}
 
 		if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
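Review bot: this block is a verbatim copy of the one added to the ip_conntrack variant of match() earlier in the patch. It depends only on ctinfo, not on the differing tuple layouts (`dst.ip` vs `dst.u3.ip`) that justify keeping two match() functions, so a small static inline in the same file (say a hypothetical `xt_ct_dir_bit(ctinfo)` returning XT_CONNTRACK_STATE_ORIGINAL or XT_CONNTRACK_STATE_REPLY) called from both paths would keep them from drifting apart. Also `if(` should be `if (` per CodingStyle.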

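Added example, not part of the posted patch or of the netfilter tree: a small user-space C model of the patched state test, so the interaction of the new ORIGINAL/REPLY bits with the unchanged `(statebit & sinfo->statemask) == 0` check can be exercised without a patched kernel. The enum values, CTINFO2DIR and the existing XT_CONNTRACK_STATE_* layout are reproduced from the 2.6.17-era headers from memory and should be treated as assumptions; `struct pkt`, `tracked_pkt()`, `invalid_pkt()`, `ct_statebit()` and `ct_state_match()` are names introduced here, and the packets are constructed, not captured.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed values, reproduced from the 2.6.17-era nf_conntrack_common.h and
 * xt_conntrack.h for this example; not a copy of the headers. */
enum ip_conntrack_info {
	IP_CT_ESTABLISHED,
	IP_CT_RELATED,
	IP_CT_NEW,
	IP_CT_IS_REPLY,
	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
};
enum ip_conntrack_dir { IP_CT_DIR_ORIGINAL, IP_CT_DIR_REPLY };
#define CTINFO2DIR(ctinfo) \
	((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)

#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define XT_CONNTRACK_STATE_INVALID   (1 << 0)
#define XT_CONNTRACK_STATE_SNAT      (1 << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT      (1 << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* the two bits the posted patch adds */
#define XT_CONNTRACK_STATE_ORIGINAL  (1 << (IP_CT_NUMBER + 4))
#define XT_CONNTRACK_STATE_REPLY     (1 << (IP_CT_NUMBER + 5))

/* Hypothetical stand-in for what ip_conntrack_get() reports for a packet:
 * either a conntrack entry plus its ctinfo, or no entry (INVALID). */
struct pkt {
	bool has_ct;
	int ctinfo;		/* enum ip_conntrack_info, possibly + IP_CT_IS_REPLY */
	bool snat, dnat;	/* what the tuple comparisons in match() would find */
};

/* Constructed sample packets. */
struct pkt tracked_pkt(int ctinfo)
{
	struct pkt p = { true, ctinfo, false, false };
	return p;
}
struct pkt invalid_pkt(void)
{
	struct pkt p = { false, 0, false, false };
	return p;
}

/* Build statebit the way the patched match() does. */
unsigned int ct_statebit(struct pkt p)
{
	unsigned int statebit;

	if (!p.has_ct)
		return XT_CONNTRACK_STATE_INVALID;

	statebit = XT_CONNTRACK_STATE_BIT(p.ctinfo);
	if (p.snat)
		statebit |= XT_CONNTRACK_STATE_SNAT;
	if (p.dnat)
		statebit |= XT_CONNTRACK_STATE_DNAT;
	/* new in the patch: direction, set only when an entry exists */
	if (CTINFO2DIR(p.ctinfo) == IP_CT_DIR_ORIGINAL)
		statebit |= XT_CONNTRACK_STATE_ORIGINAL;
	else
		statebit |= XT_CONNTRACK_STATE_REPLY;
	return statebit;
}

/* The unchanged test from match():
 *   if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
 *           return 0;
 * The rule matches when any listed bit is present, inverted by "!". */
bool ct_state_match(struct pkt p, unsigned int statemask, bool invert)
{
	bool none_listed = (ct_statebit(p) & statemask) == 0;

	return !(none_listed ^ invert);
}

int main(void)
{
	struct pkt reply = tracked_pkt(IP_CT_ESTABLISHED + IP_CT_IS_REPLY);
	struct pkt orig = tracked_pkt(IP_CT_ESTABLISHED);
	struct pkt inval = invalid_pkt();
	unsigned int est_or_reply = XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED) |
				    XT_CONNTRACK_STATE_REPLY;

	printf("--ctstate REPLY, established reply pkt:   %d\n",
	       ct_state_match(reply, XT_CONNTRACK_STATE_REPLY, false));
	printf("! --ctstate REPLY, INVALID pkt:            %d\n",
	       ct_state_match(inval, XT_CONNTRACK_STATE_REPLY, true));
	printf("--ctstate ESTABLISHED,REPLY, original pkt: %d\n",
	       ct_state_match(orig, est_or_reply, false));
	return 0;
}
```

The last case is the one to keep in mind when writing rules: `--ctstate ESTABLISHED,REPLY` is an OR, so established reply traffic is selected with `-m conntrack --ctstate ESTABLISHED -m conntrack --ctstate REPLY`, and `! --ctstate REPLY` also catches INVALID packets, which carry neither direction bit.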
Thread overview: 5+ messages
2007-06-01 16:25 Amin Azez [this message]
2007-06-01 16:30 ` [PATCH] add direction match to conntrack match Patrick McHardy
2007-06-01 19:28   ` Amin Azez
2007-06-02 11:34     ` Henrik Nordstrom
2007-06-03 17:10     ` Patrick McHardy