[PATCH conntrack 1/4] conntrack: split up nfct_set_addr_from_opt()

[PATCH conntrack 1/4] conntrack: split up nfct_set_addr_from_opt()

[Asbjørn Sloth Tønnesen]

Prepare for CIDR support, by splitting nfct_set_addr_from_opt()
into nfct_parse_addr_from_opt() for parsing
and nfct_set_addr_opt() for storing.

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
---
 src/conntrack.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index 34785f3..a656b84 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2083,18 +2083,10 @@ static void merge_bitmasks(struct nfct_bitmask **current,
 }
 
 static void
-nfct_set_addr_from_opt(int opt, struct nf_conntrack *ct, union ct_address *ad,
-		       int *family)
+nfct_set_addr_opt(int opt, struct nf_conntrack *ct, union ct_address *ad,
+                  int l3protonum)
 {
-	int l3protonum;
-
 	options |= opt2type[opt];
-	l3protonum = parse_addr(optarg, ad);
-	if (l3protonum == AF_UNSPEC) {
-		exit_error(PARAMETER_PROBLEM,
-			   "Invalid IP address `%s'", optarg);
-	}
-	set_family(family, l3protonum);
 	switch(l3protonum) {
 	case AF_INET:
 		nfct_set_attr_u32(ct,
@@ -2110,6 +2102,21 @@ nfct_set_addr_from_opt(int opt, struct nf_conntrack *ct, union ct_address *ad,
 	nfct_set_attr_u8(ct, opt2attr[opt], l3protonum);
 }
 
+static void
+nfct_parse_addr_from_opt(int opt, struct nf_conntrack *ct,
+                         union ct_address *ad, int *family)
+{
+	int l3protonum;
+
+	l3protonum = parse_addr(optarg, ad);
+	if (l3protonum == AF_UNSPEC) {
+		exit_error(PARAMETER_PROBLEM,
+			   "Invalid IP address `%s'", optarg);
+	}
+	set_family(family, l3protonum);
+	nfct_set_addr_opt(opt, ct, ad, l3protonum);
+}
+
 int main(int argc, char *argv[])
 {
 	int c, cmd;
@@ -2188,15 +2195,15 @@ int main(int argc, char *argv[])
 		case 'd':
 		case 'r':
 		case 'q':
-			nfct_set_addr_from_opt(c, tmpl.ct, &ad, &family);
+			nfct_parse_addr_from_opt(c, tmpl.ct, &ad, &family);
 			break;
 		case '[':
 		case ']':
-			nfct_set_addr_from_opt(c, tmpl.exptuple, &ad, &family);
+			nfct_parse_addr_from_opt(c, tmpl.exptuple, &ad, &family);
 			break;
 		case '{':
 		case '}':
-			nfct_set_addr_from_opt(c, tmpl.mask, &ad, &family);
+			nfct_parse_addr_from_opt(c, tmpl.mask, &ad, &family);
 			break;
 		case 'p':
 			options |= CT_OPT_PROTO;
-- 
2.6.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH conntrack 2/4 v2] conntrack: extend parse_addr() with CIDR support

[Asbjørn Sloth Tønnesen]

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
---
Previously posted as part of "conntrack: add support for CIDR notation".

 src/conntrack.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index a656b84..dfc2de8 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1029,23 +1029,44 @@ parse_inetaddr(const char *cp, struct addr_parse *parse)
 }
 
 static int
-parse_addr(const char *cp, union ct_address *address)
+parse_addr(const char *cp, union ct_address *address, int *mask)
 {
 	struct addr_parse parse;
-	int ret;
+	int family;
+	char buf[INET6_ADDRSTRLEN];
+	char *slash, *end;
+
+	strncpy((char *) &buf, cp, INET6_ADDRSTRLEN);
+	buf[INET6_ADDRSTRLEN-1] = '\0';
+
+	if (mask != NULL) {
+		slash = strchr(buf, '/');
+		if (slash != NULL) {
+			*mask = strtol(slash+1, &end, 10);
+			if (*mask < 0 || end != slash+strlen(slash))
+				*mask = -2; /* invalid netmask */
+			slash[0] = '\0';
+		} else {
+			*mask = -1; /* no netmask */
+		}
+	}
 
-	ret = parse_inetaddr(cp, &parse);
+	family = parse_inetaddr(buf, &parse);
 
-	switch(ret) {
+	switch(family) {
 	case AF_INET:
 		address->v4 = parse.addr.s_addr;
+		if (mask != NULL && *mask > 32)
+			*mask = -2; /* invalid netmask */
 		break;
 	case AF_INET6:
 		memcpy(address->v6, &parse.addr6, sizeof(parse.addr6));
+		if (mask != NULL && *mask > 128)
+			*mask = -2; /* invalid netmask */
 		break;
 	}
 
-	return ret;
+	return family;
 }
 
 static void
@@ -1087,7 +1108,7 @@ nat_parse(char *arg, struct nf_conntrack *obj, int type)
 		}
 	}
 
-	if (parse_addr(arg, &parse) == AF_UNSPEC) {
+	if (parse_addr(arg, &parse, NULL) == AF_UNSPEC) {
 		if (strlen(arg) == 0) {
 			exit_error(PARAMETER_PROBLEM, "No IP specified");
 		} else {
@@ -2108,7 +2129,7 @@ nfct_parse_addr_from_opt(int opt, struct nf_conntrack *ct,
 {
 	int l3protonum;
 
-	l3protonum = parse_addr(optarg, ad);
+	l3protonum = parse_addr(optarg, ad, NULL);
 	if (l3protonum == AF_UNSPEC) {
 		exit_error(PARAMETER_PROBLEM,
 			   "Invalid IP address `%s'", optarg);
-- 
2.6.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH conntrack 2/4 v2] conntrack: extend parse_addr() with CIDR support

[Pablo Neira Ayuso]

Applied, thanks.

[PATCH conntrack 3/4 v2] conntrack: add support for CIDR notation

[Asbjørn Sloth Tønnesen]

Add support for using CIDR notation in --{orig,tuple}-{src,dst} arguments,
instead of free-form formatting netmask in --mask-{src,dst}.

Example:
  conntrack -L -s 2001:db8::/56

Instead of:
  conntrack -L -s 2001:db8:: --mask-src ffff:ffff:ffff:ff00::

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
---
 conntrack.8     |  4 +++
 src/conntrack.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/conntrack.8 b/conntrack.8
index 5bba1b1..f2c1ca5 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -117,9 +117,11 @@ This option can only be used in conjunction with "\-E, \-\-event".
 .TP
 .BI "-s, --orig-src " IP_ADDRESS
 Match only entries whose source address in the original direction equals the one specified as argument.
+Implies "--mask-src" when CIDR notation is used.
 .TP
 .BI "-d, --orig-dst " IP_ADDRESS
 Match only entries whose destination address in the original direction equals the one specified as argument.
+Implies "--mask-dst" when CIDR notation is used.
 .TP
 .BI "-r, --reply-src " IP_ADDRESS
 Match only entries whose source address in the reply direction equals the one specified as argument.
@@ -186,9 +188,11 @@ See iptables CT target for more information.
 .TP
 .BI "--tuple-src " IP_ADDRESS
 Specify the tuple source address of an expectation.
+Implies "--mask-src" when CIDR notation is used.
 .TP
 .BI "--tuple-dst " IP_ADDRESS
 Specify the tuple destination address of an expectation.
+Implies "--mask-dst" when CIDR notation is used.
 .TP
 .BI "--mask-src " IP_ADDRESS
 Specify the source address mask.
diff --git a/src/conntrack.c b/src/conntrack.c
index dfc2de8..d8b60a4 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -434,6 +434,17 @@ static const int opt2type[] = {
 	[')']	= CT_OPT_REPL_ZONE,
 };
 
+static const int opt2maskopt[] = {
+	['s']	= '{',
+	['d']	= '}',
+	['r']	= 0, /* no netmask */
+	['q']	= 0, /* support yet */
+	['{']	= 0,
+	['}']	= 0,
+	['[']	= '{',
+	[']']	= '}',
+};
+
 static const int opt2family_attr[][2] = {
 	['s']	= { ATTR_ORIG_IPV4_SRC,	ATTR_ORIG_IPV6_SRC },
 	['d']	= { ATTR_ORIG_IPV4_DST,	ATTR_ORIG_IPV6_DST },
@@ -684,6 +695,21 @@ static int bit2cmd(int command)
 	return i;
 }
 
+static const char *
+get_long_opt(int opt)
+{
+	struct option o;
+	int i;
+
+	for (i = 0 ; ; i++) {
+		o = opts[i];
+		if (o.name == NULL) break;
+		if (o.val == opt)
+			return o.name;
+	}
+	return "unknown";
+}
+
 int generic_opt_check(int local_options, int num_opts,
 		      char *optset, const char *optflg[],
 		      unsigned int *coupled_flags, int coupled_flags_size,
@@ -2104,6 +2130,24 @@ static void merge_bitmasks(struct nfct_bitmask **current,
 }
 
 static void
+nfct_build_netmask(uint32_t *dst, int b, int n)
+{
+	int i;
+
+	for (i=0;i<n;i++) {
+		if (b >= 32) {
+			dst[i] = 0xffffffff;
+			b -= 32;
+		} else if (b > 0) {
+			dst[i] = (1<<b)-1;
+			b = 0;
+		} else {
+			dst[i] = 0;
+		}
+	}
+}
+
+static void
 nfct_set_addr_opt(int opt, struct nf_conntrack *ct, union ct_address *ad,
                   int l3protonum)
 {
@@ -2125,17 +2169,47 @@ nfct_set_addr_opt(int opt, struct nf_conntrack *ct, union ct_address *ad,
 
 static void
 nfct_parse_addr_from_opt(int opt, struct nf_conntrack *ct,
+                         struct nf_conntrack *ctmask,
                          union ct_address *ad, int *family)
 {
-	int l3protonum;
+	int l3protonum, mask, maskopt;
 
-	l3protonum = parse_addr(optarg, ad, NULL);
+	l3protonum = parse_addr(optarg, ad, &mask);
 	if (l3protonum == AF_UNSPEC) {
 		exit_error(PARAMETER_PROBLEM,
 			   "Invalid IP address `%s'", optarg);
 	}
 	set_family(family, l3protonum);
+	maskopt = opt2maskopt[opt];
+	if (!maskopt && mask != -1) {
+		exit_error(PARAMETER_PROBLEM,
+		           "CIDR notation unavailable"
+		           " for `--%s'", get_long_opt(opt));
+	} else if (mask == -2) {
+		exit_error(PARAMETER_PROBLEM,
+		           "Invalid netmask");
+	}
+
 	nfct_set_addr_opt(opt, ct, ad, l3protonum);
+
+	/* bail if we don't have a netmask to set*/
+	if (!maskopt || mask == -1 || ctmask == NULL)
+		return;
+
+	switch(l3protonum) {
+	case AF_INET:
+		if (mask == 32)
+			return;
+		nfct_build_netmask(&ad->v4, mask, 1);
+		break;
+	case AF_INET6:
+		if (mask == 128)
+			return;
+		nfct_build_netmask((uint32_t *) &ad->v6, mask, 4);
+		break;
+	}
+
+	nfct_set_addr_opt(maskopt, ctmask, ad, l3protonum);
 }
 
 int main(int argc, char *argv[])
@@ -2216,15 +2290,17 @@ int main(int argc, char *argv[])
 		case 'd':
 		case 'r':
 		case 'q':
-			nfct_parse_addr_from_opt(c, tmpl.ct, &ad, &family);
+			nfct_parse_addr_from_opt(c, tmpl.ct, tmpl.mask,
+			                         &ad, &family);
 			break;
 		case '[':
 		case ']':
-			nfct_parse_addr_from_opt(c, tmpl.exptuple, &ad, &family);
+			nfct_parse_addr_from_opt(c, tmpl.exptuple, tmpl.mask,
+			                         &ad, &family);
 			break;
 		case '{':
 		case '}':
-			nfct_parse_addr_from_opt(c, tmpl.mask, &ad, &family);
+			nfct_parse_addr_from_opt(c, tmpl.mask, NULL, &ad, &family);
 			break;
 		case 'p':
 			options |= CT_OPT_PROTO;
-- 
2.6.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH conntrack 3/4 v2] conntrack: add support for CIDR notation

[Pablo Neira Ayuso]

On Mon, Feb 01, 2016 at 01:30:06PM +0000, Asbjørn Sloth Tønnesen wrote:
> Add support for using CIDR notation in --{orig,tuple}-{src,dst} arguments,
> instead of free-form formatting netmask in --mask-{src,dst}.
> 
> Example:
>   conntrack -L -s 2001:db8::/56
> 
> Instead of:
>   conntrack -L -s 2001:db8:: --mask-src ffff:ffff:ffff:ff00::

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH conntrack 4/4] tests: conntrack: add tests for CIDR notation

[Asbjørn Sloth Tønnesen]

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
---
 tests/conntrack/testsuite/01delete | 4 ++++
 tests/conntrack/testsuite/02filter | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/tests/conntrack/testsuite/01delete b/tests/conntrack/testsuite/01delete
index 566b89f..194d999 100644
--- a/tests/conntrack/testsuite/01delete
+++ b/tests/conntrack/testsuite/01delete
@@ -10,3 +10,7 @@
 -D -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.2.2.0 --mask-dst 255.255.255.0 ; OK
 # fails due to 0 matches
 -D -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.2.2.0 --mask-dst 255.255.255.0 ; BAD
+# re-create dummy
+-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# try same command again but with CIDR
+-D -s 1.1.1.0/24 -d 2.2.2.0/24 ; OK
diff --git a/tests/conntrack/testsuite/02filter b/tests/conntrack/testsuite/02filter
index 5d2270b..58ed070 100644
--- a/tests/conntrack/testsuite/02filter
+++ b/tests/conntrack/testsuite/02filter
@@ -21,5 +21,7 @@ conntrack -L --mark 0 ; OK
 conntrack -L --mark 0/0xffffffff; OK
 # filter by netmask
 conntrack -L -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.0.0.0 --mask-dst 255.0.0.0 ; OK
+conntrack -L -s 1.1.1.4/24 -d 2.3.4.5/8 ; OK
+conntrack -L -s 1.1.2.0/24 -d 2.3.4.5/8 ; BAD
 # delete dummy
 conntrack -D -d 2.2.2.2 ; OK
-- 
2.6.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH conntrack 4/4] tests: conntrack: add tests for CIDR notation

[Pablo Neira Ayuso]

On Mon, Feb 01, 2016 at 01:30:07PM +0000, Asbjørn Sloth Tønnesen wrote:
> Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
> ---
>  tests/conntrack/testsuite/01delete | 4 ++++
>  tests/conntrack/testsuite/02filter | 2 ++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/tests/conntrack/testsuite/01delete b/tests/conntrack/testsuite/01delete
> index 566b89f..194d999 100644
> --- a/tests/conntrack/testsuite/01delete
> +++ b/tests/conntrack/testsuite/01delete
> @@ -10,3 +10,7 @@
>  -D -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.2.2.0 --mask-dst 255.255.255.0 ; OK
>  # fails due to 0 matches
>  -D -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.2.2.0 --mask-dst 255.255.255.0 ; BAD
> +# re-create dummy
> +-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
> +# try same command again but with CIDR
> +-D -s 1.1.1.0/24 -d 2.2.2.0/24 ; OK
> diff --git a/tests/conntrack/testsuite/02filter b/tests/conntrack/testsuite/02filter
> index 5d2270b..58ed070 100644
> --- a/tests/conntrack/testsuite/02filter
> +++ b/tests/conntrack/testsuite/02filter
> @@ -21,5 +21,7 @@ conntrack -L --mark 0 ; OK
>  conntrack -L --mark 0/0xffffffff; OK
>  # filter by netmask
>  conntrack -L -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.0.0.0 --mask-dst 255.0.0.0 ; OK
> +conntrack -L -s 1.1.1.4/24 -d 2.3.4.5/8 ; OK
> +conntrack -L -s 1.1.2.0/24 -d 2.3.4.5/8 ; BAD

I have mangled the line above from BAD to OK. The listing above
actually works fine, even if it returns no entries. The tests are not
capable of catching this at the moment IIRC.

So applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH conntrack 1/4] conntrack: split up nfct_set_addr_from_opt()

[Pablo Neira Ayuso]

On Mon, Feb 01, 2016 at 01:30:04PM +0000, Asbjørn Sloth Tønnesen wrote:
> Prepare for CIDR support, by splitting nfct_set_addr_from_opt()
> into nfct_parse_addr_from_opt() for parsing
> and nfct_set_addr_opt() for storing.

Applied, thanks.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html