[PATCH] add direction match to conntrack match

[PATCH] add direction match to conntrack match

[Amin Azez]

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

This adds the virtual states ORIGINAL and REPLY to the conntrack match,
making it possible to tell if the packet being compared is part of the
original flow or the reply flow.

e.g.

iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY

The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
enough.

Signed-off by: Sam Liddicott <azez@ufomechanic.net>




[-- Attachment #2: ctstate-dir.patch --]
[-- Type: text/x-patch, Size: 2344 bytes --]

--- ./include/linux/netfilter_ipv4/ipt_conntrack.h.old	2007-06-01 16:17:36.000000000 +0100
+++ ./include/linux/netfilter_ipv4/ipt_conntrack.h	2007-06-01 16:18:08.000000000 +0100
@@ -28,6 +28,8 @@
 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 #define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+#define IPT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
+#define IPT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
 
 /* flags, invflags: */
 #define IPT_CONNTRACK_STATE	0x01
--- ./extensions/libipt_conntrack.man.old	2007-06-01 16:12:43.000000000 +0100
+++ ./extensions/libipt_conntrack.man	2007-06-01 16:14:00.000000000 +0100
@@ -25,6 +25,12 @@
 .B DNAT
 A virtual state, matching if the original destination differs from the
 reply source.
+.B ORIGINAL
+A virtual state, matching if the packet being compared is part of the
+original flow that created the conntrack.
+.B REPLY
+A virtual state, matching if the packet being compared is part of the
+reply flow.
 .TP
 .BI "--ctproto " "proto"
 Protocol to match (by number or name)
--- ./extensions/libipt_conntrack.c.old	2007-06-01 16:14:12.000000000 +0100
+++ ./extensions/libipt_conntrack.c	2007-06-01 16:16:39.000000000 +0100
@@ -24,7 +24,7 @@
 {
 	printf(
 "conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
+" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT|ORIGINAL|REPLY][,...]\n"
 "				State(s) to match\n"
 " [!] --ctproto	proto		Protocol to match; by number or name, eg. `tcp'\n"
 "     --ctorigsrc  [!] address[/mask]\n"
@@ -73,6 +73,10 @@
 		sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
 	else if (strncasecmp(state, "DNAT", strlen) == 0)
 		sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT;
+	else if (strncasecmp(state, "ORIGINAL", strlen) == 0)
+		sinfo->statemask |= IPT_CONNTRACK_STATE_ORIGINAL;
+	else if (strncasecmp(state, "REPLY", strlen) == 0)
+		sinfo->statemask |= IPT_CONNTRACK_STATE_REPLY;
 	else
 		return 0;
 	return 1;
@@ -376,6 +380,14 @@
 		printf("%sDNAT", sep);
 		sep = ",";
 	}
+	if (statemask & IPT_CONNTRACK_STATE_ORIGINAL) {
+		printf("%sORIGINAL", sep);
+		sep = ",";
+	}
+	if (statemask & IPT_CONNTRACK_STATE_REPLY) {
+		printf("%sREPLY", sep);
+		sep = ",";
+	}
 	printf(" ");
 }
 

[-- Attachment #3: ctstate-kernel.patch --]
[-- Type: text/x-patch, Size: 1756 bytes --]

Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
===================================================================
--- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
+++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
@@ -14,6 +14,9 @@
 #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+/* match on direction of packet */
+#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
+#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
 
 /* flags, invflags: */
 #define XT_CONNTRACK_STATE	0x01
Index: linux-2.6.17.1/net/netfilter/xt_conntrack.c
===================================================================
--- linux-2.6.17.1.orig/net/netfilter/xt_conntrack.c
+++ linux-2.6.17.1/net/netfilter/xt_conntrack.c
@@ -63,6 +63,11 @@ match(const struct sk_buff *skb,
 			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip !=
 			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip)
 				statebit |= XT_CONNTRACK_STATE_DNAT;
+
+			if(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+				statebit |= XT_CONNTRACK_STATE_ORIGINAL;
+			else
+				statebit |= XT_CONNTRACK_STATE_REPLY;
 		}
 
 		if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
@@ -150,6 +155,11 @@ match(const struct sk_buff *skb,
 			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip !=
 			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip)
 				statebit |= XT_CONNTRACK_STATE_DNAT;
+
+			if(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+				statebit |= XT_CONNTRACK_STATE_ORIGINAL;
+			else
+				statebit |= XT_CONNTRACK_STATE_REPLY;
 		}
 
 		if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))

Re: [PATCH] add direction match to conntrack match

[Patrick McHardy]

Amin Azez wrote:
> This adds the virtual states ORIGINAL and REPLY to the conntrack match,
> making it possible to tell if the packet being compared is part of the
> original flow or the reply flow.
> 
> e.g.
> 
> iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY
> 
> The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
> enough.


I've been using a similar patch at a previous job, I think its quite
useful, so if you send me a patch for current -git I'll queue it
for 2.6.23.

> 
> Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
> ===================================================================
> --- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
> +++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
> @@ -14,6 +14,9 @@
>  #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
>  #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
>  #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
> +/* match on direction of packet */
> +#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
> +#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))


But I think use should use a regular flag for this. The
XT_CONNTRACK_STATE_SNAT are already a not so great idea
since the same information is in the status bits, which
can also be matched.

Re: [PATCH] add direction match to conntrack match

[Amin Azez]

Patrick McHardy wrote:
> Amin Azez wrote:
>   
>> This adds the virtual states ORIGINAL and REPLY to the conntrack match,
>> making it possible to tell if the packet being compared is part of the
>> original flow or the reply flow.
>>
>> e.g.
>>
>> iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY
>>
>> The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
>> enough.
>>     
>
>
> I've been using a similar patch at a previous job, I think its quite
> useful, so if you send me a patch for current -git I'll queue it
> for 2.6.23.
>
>   
>> Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
>> ===================================================================
>> --- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
>> +++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
>> @@ -14,6 +14,9 @@
>>  #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
>>  #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
>>  #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
>> +/* match on direction of packet */
>> +#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
>> +#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
>>     
>
>
> But I think use should use a regular flag for this. The
> XT_CONNTRACK_STATE_SNAT are already a not so great idea
> since the same information is in the status bits, which
> can also be matched.
>   
The regular flags are declared as u_int8_t, and all 8 bits are already used.

This was the neatest way I could come up with without destroying 
user-space compatability.

Git will have to wait a week I'm afraid, but you'll get it ASAP.

Sam

Re: [PATCH] add direction match to conntrack match

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 478 bytes --]

fre 2007-06-01 klockan 20:28 +0100 skrev Amin Azez:

> This was the neatest way I could come up with without destroying 
> user-space compatability.

Another alternative is to create a new revision of the conntrack match
extending the flags fields to at least a 32-bit and I'd also propose
moving the NAT bits into the flags field. Requires a little more work,
but allows for a cleaner result..

See for example the MARK target for how to do this.

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: [PATCH] add direction match to conntrack match

[Patrick McHardy]

Amin Azez wrote:
> Patrick McHardy wrote:
> 
>> But I think use should use a regular flag for this. The
>> XT_CONNTRACK_STATE_SNAT are already a not so great idea
>> since the same information is in the status bits, which
>> can also be matched.
>>   
> 
> The regular flags are declared as u_int8_t, and all 8 bits are already
> used.
> 
> This was the neatest way I could come up with without destroying
> user-space compatability.


You're right of course. Extending the flags like Henrik suggested would
probably make sense, sooner or later we're going to have more conntrack
related things someone wants to match on. Port numbers come to mind ..