* [PATCH conntrack 1/6] conntrack: pass command object to callbacks
@ 2021-03-15 16:49 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-03-15 16:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: mikhail.sennikovskii
Pass the command object to prepare for batch support.
Move the ct_cmd structure definition to the top of the file; otherwise
compilation breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/conntrack.c | 50 ++++++++++++++++++++++++++-----------------------
1 file changed, 27 insertions(+), 23 deletions(-)
diff --git a/src/conntrack.c b/src/conntrack.c
index 987d936e7ee2..333da0f83453 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -101,6 +101,17 @@ struct ct_tmpl {
static struct ct_tmpl *cur_tmpl;
+struct ct_cmd {
+ unsigned int command;
+ unsigned int cmd;
+ unsigned int type;
+ unsigned int event_mask;
+ int family;
+ int protonum;
+ size_t socketbuffersize;
+ struct ct_tmpl tmpl;
+};
+
static int alloc_tmpl_objects(struct ct_tmpl *tmpl)
{
tmpl->ct = nfct_new();
@@ -1843,7 +1854,8 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
{
struct nfgenmsg *nfh = mnl_nlmsg_get_payload(nlh);
unsigned int op_type = NFCT_O_DEFAULT;
- struct nf_conntrack *obj = data;
+ struct ct_cmd *cmd = data;
+ struct nf_conntrack *obj = cmd->tmpl.ct;
enum nf_conntrack_msg_type type;
unsigned int op_flags = 0;
struct nf_conntrack *ct;
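Review bot: The new `struct ct_cmd *cmd = data;` cast in event_cb is unchecked, so the callback now depends on every registration passing the command object rather than the conntrack template, and nothing in the code states that contract. The same applies to dump_cb, delete_cb and update_cb in the following hunks. I would add a comment above each callback, e.g. `/* data: the struct ct_cmd passed at registration, never a bare nf_conntrack */`, because a caller that still passes `cmd->tmpl.ct` would compile cleanly and be read as the wrong type. event_cb's body continues outside the hunk.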
@@ -1929,10 +1941,11 @@ static int dump_cb(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- char buf[1024];
- struct nf_conntrack *obj = data;
+ struct ct_cmd *cmd = data;
+ struct nf_conntrack *obj = cmd->tmpl.ct;
unsigned int op_type = NFCT_O_DEFAULT;
unsigned int op_flags = 0;
+ char buf[1024];
if (nfct_filter(obj, ct, cur_tmpl))
return NFCT_CB_CONTINUE;
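Review bot: `nfct_filter(obj, ct, cur_tmpl)` in dump_cb now takes the match object from `cmd->tmpl.ct` but still takes the template from the global `cur_tmpl`, so the filter reads two sources that agree only while `cur_tmpl` points at `cmd->tmpl`. The hunks do not show where `cur_tmpl` is set; if batch support runs more than one command, a stale `cur_tmpl` in delete_cb would pick the entries to destroy using another command's filter. Passing the command's own template keeps both on one object: `if (nfct_filter(obj, ct, &cmd->tmpl))`. delete_cb has the same call, and update_cb has the same mix in `filter_label(ct, cur_tmpl)`.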
@@ -1970,11 +1983,12 @@ static int delete_cb(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
- int res;
- char buf[1024];
- struct nf_conntrack *obj = data;
+ struct ct_cmd *cmd = data;
+ struct nf_conntrack *obj = cmd->tmpl.ct;
unsigned int op_type = NFCT_O_DEFAULT;
unsigned int op_flags = 0;
+ char buf[1024];
+ int res;
if (nfct_filter(obj, ct, cur_tmpl))
return NFCT_CB_CONTINUE;
@@ -2125,8 +2139,9 @@ static int update_cb(enum nf_conntrack_msg_type type,
struct nf_conntrack *ct,
void *data)
{
+ struct ct_cmd *cmd = data;
+ struct nf_conntrack *obj = cmd->tmpl.ct, *tmp;
int res;
- struct nf_conntrack *obj = data, *tmp;
if (filter_nat(obj, ct) ||
filter_label(ct, cur_tmpl) ||
@@ -2768,17 +2783,6 @@ nfct_set_nat_details(const int opt, struct nf_conntrack *ct,
}
-struct ct_cmd {
- unsigned int command;
- unsigned int cmd;
- unsigned int type;
- unsigned int event_mask;
- int family;
- int protonum;
- size_t socketbuffersize;
- struct ct_tmpl tmpl;
-};
-
static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
{
unsigned int type = 0, event_mask = 0, l4flags = 0, status = 0;
@@ -3123,7 +3127,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_filter_init(cmd->family, &cmd->tmpl);
- nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd->tmpl.ct);
+ nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd);
filter_dump = nfct_filter_dump_create();
if (filter_dump == NULL)
@@ -3214,7 +3218,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_filter_init(cmd->family, &cmd->tmpl);
- nfct_callback_register(cth, NFCT_T_ALL, update_cb, cmd->tmpl.ct);
+ nfct_callback_register(cth, NFCT_T_ALL, update_cb, cmd);
res = nfct_query(cth, NFCT_Q_DUMP, &cmd->family);
nfct_close(ith);
@@ -3229,7 +3233,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
nfct_filter_init(cmd->family, &cmd->tmpl);
- nfct_callback_register(cth, NFCT_T_ALL, delete_cb, cmd->tmpl.ct);
+ nfct_callback_register(cth, NFCT_T_ALL, delete_cb, cmd);
filter_dump = nfct_filter_dump_create();
if (filter_dump == NULL)
@@ -3268,7 +3272,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
if (!cth)
exit_error(OTHER_PROBLEM, "Can't open handler");
- nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd->tmpl.ct);
+ nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd);
res = nfct_query(cth, NFCT_Q_GET, cmd->tmpl.ct);
nfct_close(cth);
break;
@@ -3373,7 +3377,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
strerror(errno));
break;
}
- res = mnl_cb_run(buf, res, 0, 0, event_cb, cmd->tmpl.ct);
+ res = mnl_cb_run(buf, res, 0, 0, event_cb, cmd);
}
mnl_socket_close(sock.mnl);
break;
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH conntrack 2/6] conntrack: pass ct_cmd to nfct_filter_init() 2021-03-15 16:49 [PATCH conntrack 1/6] conntrack: pass command object to callbacks Pablo Neira Ayuso @ 2021-03-15 16:49 ` Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 3/6] conntrack: pass cmd to nfct_filter() Pablo Neira Ayuso ` (3 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2021-03-15 16:49 UTC (permalink / raw) To: netfilter-devel; +Cc: mikhail.sennikovskii Pass command object to initialize the userspace filter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/conntrack.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index 333da0f83453..31630eb1f926 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -2627,9 +2627,11 @@ nfct_network_attr_prepare(const int family, enum ct_direction dir, nfct_attr_unset(tmpl->ct, attr); } -static void -nfct_filter_init(const int family, const struct ct_tmpl *tmpl) +static void nfct_filter_init(const struct ct_cmd *cmd) { + const struct ct_tmpl *tmpl = &cmd->tmpl; + int family = cmd->family; + filter_family = family; if (options & CT_OPT_MASK_SRC) { assert(family != AF_UNSPEC); @@ -3125,7 +3127,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) exit_error(PARAMETER_PROBLEM, "Can't use -z with " "filtering parameters"); - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd); @@ -3216,7 +3218,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth || !ith) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); nfct_callback_register(cth, NFCT_T_ALL, update_cb, cmd); 
@@ -3231,7 +3233,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth || !ith) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); nfct_callback_register(cth, NFCT_T_ALL, delete_cb, cmd); @@ -3352,7 +3354,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) socketbuffersize); } - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); signal(SIGINT, event_sighandler); signal(SIGTERM, event_sighandler); -- 2.20.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH conntrack 3/6] conntrack: pass cmd to nfct_filter() 2021-03-15 16:49 [PATCH conntrack 1/6] conntrack: pass command object to callbacks Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 2/6] conntrack: pass ct_cmd to nfct_filter_init() Pablo Neira Ayuso @ 2021-03-15 16:49 ` Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 4/6] conntrack: pass cmd to filter nat, mark and network functions Pablo Neira Ayuso ` (2 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2021-03-15 16:49 UTC (permalink / raw) To: netfilter-devel; +Cc: mikhail.sennikovskii Pass the command object to the userspace filter routine. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/conntrack.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index 31630eb1f926..79053b7482c6 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -1640,9 +1640,11 @@ filter_network(const struct nf_conntrack *ct) } static int -nfct_filter(struct nf_conntrack *obj, struct nf_conntrack *ct, +nfct_filter(struct ct_cmd *cmd, struct nf_conntrack *ct, const struct ct_tmpl *tmpl) { + struct nf_conntrack *obj = cmd->tmpl.ct; + if (filter_nat(obj, ct) || filter_mark(ct, tmpl) || filter_label(ct, tmpl) || @@ -1854,9 +1856,8 @@ static int event_cb(const struct nlmsghdr *nlh, void *data) { struct nfgenmsg *nfh = mnl_nlmsg_get_payload(nlh); unsigned int op_type = NFCT_O_DEFAULT; - struct ct_cmd *cmd = data; - struct nf_conntrack *obj = cmd->tmpl.ct; enum nf_conntrack_msg_type type; + struct ct_cmd *cmd = data; unsigned int op_flags = 0; struct nf_conntrack *ct; char buf[1024]; @@ -1886,7 +1887,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data) if ((filter_family != AF_UNSPEC && filter_family != nfh->nfgen_family) || - nfct_filter(obj, ct, cur_tmpl)) + nfct_filter(cmd, ct, cur_tmpl)) goto out; if (output_mask & _O_SAVE) { 
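Review bot: nfct_filter() takes a non-const `struct ct_cmd *cmd`, although the visible part of its body only reads `cmd->tmpl.ct`. Declaring it as `nfct_filter(const struct ct_cmd *cmd, struct nf_conntrack *ct, const struct ct_tmpl *tmpl)` would match the `const struct ct_cmd *cmd` already used by nfct_filter_init() and make it clear that filtering never modifies the command. The rest of nfct_filter() is outside the hunk, so confirm nothing there writes through `cmd`.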
@@ -1941,13 +1942,12 @@ static int dump_cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { - struct ct_cmd *cmd = data; - struct nf_conntrack *obj = cmd->tmpl.ct; unsigned int op_type = NFCT_O_DEFAULT; unsigned int op_flags = 0; + struct ct_cmd *cmd = data; char buf[1024]; - if (nfct_filter(obj, ct, cur_tmpl)) + if (nfct_filter(cmd, ct, cur_tmpl)) return NFCT_CB_CONTINUE; if (output_mask & _O_SAVE) { @@ -1983,14 +1983,13 @@ static int delete_cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { - struct ct_cmd *cmd = data; - struct nf_conntrack *obj = cmd->tmpl.ct; unsigned int op_type = NFCT_O_DEFAULT; unsigned int op_flags = 0; + struct ct_cmd *cmd = data; char buf[1024]; int res; - if (nfct_filter(obj, ct, cur_tmpl)) + if (nfct_filter(cmd, ct, cur_tmpl)) return NFCT_CB_CONTINUE; res = nfct_query(ith, NFCT_Q_DESTROY, ct); -- 2.20.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH conntrack 4/6] conntrack: pass cmd to filter nat, mark and network functions 2021-03-15 16:49 [PATCH conntrack 1/6] conntrack: pass command object to callbacks Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 2/6] conntrack: pass ct_cmd to nfct_filter_init() Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 3/6] conntrack: pass cmd to nfct_filter() Pablo Neira Ayuso @ 2021-03-15 16:49 ` Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 5/6] conntrack: move options flag to ct_cmd object Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 6/6] conntrack: add function to print command stats Pablo Neira Ayuso 4 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2021-03-15 16:49 UTC (permalink / raw) To: netfilter-devel; +Cc: mikhail.sennikovskii Pass the command object to the nat, mark and IP address userspace filters. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/conntrack.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index 79053b7482c6..152063e9329e 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -1490,20 +1490,21 @@ filter_label(const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) return 0; } -static int -filter_mark(const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) +static int filter_mark(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { + const struct ct_tmpl *tmpl = &cmd->tmpl; + if ((options & CT_OPT_MARK) && !mark_cmp(&tmpl->mark, ct)) return 1; return 0; } -static int -filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct) +static int filter_nat(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { int check_srcnat = options & CT_OPT_SRC_NAT ? 1 : 0; int check_dstnat = options & CT_OPT_DST_NAT ? 1 : 0; + struct nf_conntrack *obj = cmd->tmpl.ct; int has_srcnat = 0, has_dstnat = 0; uint32_t ip; uint16_t port; 
@@ -1625,7 +1626,7 @@ nfct_filter_network_direction(const struct nf_conntrack *ct, enum ct_direction d } static int -filter_network(const struct nf_conntrack *ct) +filter_network(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { if (options & CT_OPT_MASK_SRC) { if (nfct_filter_network_direction(ct, DIR_SRC)) @@ -1645,10 +1646,10 @@ nfct_filter(struct ct_cmd *cmd, struct nf_conntrack *ct, { struct nf_conntrack *obj = cmd->tmpl.ct; - if (filter_nat(obj, ct) || - filter_mark(ct, tmpl) || + if (filter_nat(cmd, ct) || + filter_mark(cmd, ct) || filter_label(ct, tmpl) || - filter_network(ct)) + filter_network(cmd, ct)) return 1; if (options & CT_COMPARISON && @@ -2142,9 +2143,9 @@ static int update_cb(enum nf_conntrack_msg_type type, struct nf_conntrack *obj = cmd->tmpl.ct, *tmp; int res; - if (filter_nat(obj, ct) || + if (filter_nat(cmd, ct) || filter_label(ct, cur_tmpl) || - filter_network(ct)) + filter_network(cmd, ct)) return NFCT_CB_CONTINUE; if (nfct_attr_is_set(obj, ATTR_ID) && nfct_attr_is_set(ct, ATTR_ID) && -- 2.20.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH conntrack 5/6] conntrack: move options flag to ct_cmd object 2021-03-15 16:49 [PATCH conntrack 1/6] conntrack: pass command object to callbacks Pablo Neira Ayuso ` (2 preceding siblings ...) 2021-03-15 16:49 ` [PATCH conntrack 4/6] conntrack: pass cmd to filter nat, mark and network functions Pablo Neira Ayuso @ 2021-03-15 16:49 ` Pablo Neira Ayuso 2021-03-15 16:49 ` [PATCH conntrack 6/6] conntrack: add function to print command stats Pablo Neira Ayuso 4 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2021-03-15 16:49 UTC (permalink / raw) To: netfilter-devel; +Cc: mikhail.sennikovskii Prepare for the batch support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/conntrack.c | 107 ++++++++++++++++++++++++++---------------------- 1 file changed, 59 insertions(+), 48 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index 152063e9329e..b9b0e31c8269 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -106,6 +106,7 @@ struct ct_cmd { unsigned int cmd; unsigned int type; unsigned int event_mask; + int options; int family; int protonum; size_t socketbuffersize; @@ -611,7 +612,6 @@ static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = { static LIST_HEAD(proto_list); -static unsigned int options; static struct nfct_labelmap *labelmap; static int filter_family; @@ -1494,7 +1494,7 @@ static int filter_mark(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { const struct ct_tmpl *tmpl = &cmd->tmpl; - if ((options & CT_OPT_MARK) && + if ((cmd->options & CT_OPT_MARK) && !mark_cmp(&tmpl->mark, ct)) return 1; return 0; 
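Review bot: The new field is declared `int options;` in struct ct_cmd, while the global it replaces was `static unsigned int options;`, and both the local in do_parse() and the `unsigned int *options` parameter added to nfct_set_addr_opt() and nfct_parse_addr_from_opt() stay unsigned. `ct_cmd->options = options;` therefore converts an unsigned flag word to a signed one, and every `cmd->options & CT_OPT_*` test runs on a signed value. If any CT_OPT_* flag uses the top bit (the definitions are not in this patch), the stored value goes negative. Declaring the field as `unsigned int options;` keeps the flag word one type end to end.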
@@ -1502,14 +1502,14 @@ static int filter_mark(const struct ct_cmd *cmd, const struct nf_conntrack *ct) static int filter_nat(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { - int check_srcnat = options & CT_OPT_SRC_NAT ? 1 : 0; - int check_dstnat = options & CT_OPT_DST_NAT ? 1 : 0; + int check_srcnat = cmd->options & CT_OPT_SRC_NAT ? 1 : 0; + int check_dstnat = cmd->options & CT_OPT_DST_NAT ? 1 : 0; struct nf_conntrack *obj = cmd->tmpl.ct; int has_srcnat = 0, has_dstnat = 0; uint32_t ip; uint16_t port; - if (options & CT_OPT_ANY_NAT) + if (cmd->options & CT_OPT_ANY_NAT) check_srcnat = check_dstnat = 1; if (check_srcnat) { @@ -1572,13 +1572,14 @@ static int filter_nat(const struct ct_cmd *cmd, const struct nf_conntrack *ct) nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT))) has_dstnat = 1; } - if (options & CT_OPT_ANY_NAT) + if (cmd->options & CT_OPT_ANY_NAT) return !(has_srcnat || has_dstnat); - else if ((options & CT_OPT_SRC_NAT) && (options & CT_OPT_DST_NAT)) + else if ((cmd->options & CT_OPT_SRC_NAT) && + (cmd->options & CT_OPT_DST_NAT)) return !(has_srcnat && has_dstnat); - else if (options & CT_OPT_SRC_NAT) + else if (cmd->options & CT_OPT_SRC_NAT) return !has_srcnat; - else if (options & CT_OPT_DST_NAT) + else if (cmd->options & CT_OPT_DST_NAT) return !has_dstnat; return 0; @@ -1628,12 +1629,12 @@ nfct_filter_network_direction(const struct nf_conntrack *ct, enum ct_direction d static int filter_network(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { - if (options & CT_OPT_MASK_SRC) { + if (cmd->options & CT_OPT_MASK_SRC) { if (nfct_filter_network_direction(ct, DIR_SRC)) return 1; } - if (options & CT_OPT_MASK_DST) { + if (cmd->options & CT_OPT_MASK_DST) { if (nfct_filter_network_direction(ct, DIR_DST)) return 1; } 
@@ -1652,7 +1653,7 @@ nfct_filter(struct ct_cmd *cmd, struct nf_conntrack *ct, filter_network(cmd, ct)) return 1; - if (options & CT_COMPARISON && + if (cmd->options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL | NFCT_CMP_MASK)) return 1; @@ -2047,20 +2048,21 @@ done: return NFCT_CB_CONTINUE; } -static void copy_mark(struct nf_conntrack *tmp, +static void copy_mark(const struct ct_cmd *cmd, struct nf_conntrack *tmp, const struct nf_conntrack *ct, const struct u32_mask *m) { - if (options & CT_OPT_MARK) { + if (cmd->options & CT_OPT_MARK) { uint32_t mark = nfct_get_attr_u32(ct, ATTR_MARK); mark = (mark & ~m->mask) ^ m->value; nfct_set_attr_u32(tmp, ATTR_MARK, mark); } } -static void copy_status(struct nf_conntrack *tmp, const struct nf_conntrack *ct) +static void copy_status(const struct ct_cmd *cmd, struct nf_conntrack *tmp, + const struct nf_conntrack *ct) { - if (options & CT_OPT_STATUS) { + if (cmd->options & CT_OPT_STATUS) { /* copy existing flags, we only allow setting them. */ uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS); status |= nfct_get_attr_u32(tmp, ATTR_STATUS); @@ -2076,19 +2078,20 @@ static struct nfct_bitmask *xnfct_bitmask_clone(const struct nfct_bitmask *a) return b; } -static void copy_label(struct nf_conntrack *tmp, const struct nf_conntrack *ct, +static void copy_label(const struct ct_cmd *cmd, struct nf_conntrack *tmp, + const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) { struct nfct_bitmask *ctb, *newmask; unsigned int i; - if ((options & (CT_OPT_ADD_LABEL|CT_OPT_DEL_LABEL)) == 0) + if ((cmd->options & (CT_OPT_ADD_LABEL|CT_OPT_DEL_LABEL)) == 0) return; nfct_copy_attr(tmp, ct, ATTR_CONNLABELS); ctb = (void *) nfct_get_attr(tmp, ATTR_CONNLABELS); - if (options & CT_OPT_ADD_LABEL) { + if (cmd->options & CT_OPT_ADD_LABEL) { if (ctb == NULL) { nfct_set_attr(tmp, ATTR_CONNLABELS, xnfct_bitmask_clone(tmpl->label_modify)); 
@@ -2152,9 +2155,11 @@ static int update_cb(enum nf_conntrack_msg_type type, nfct_get_attr_u32(obj, ATTR_ID) != nfct_get_attr_u32(ct, ATTR_ID)) return NFCT_CB_CONTINUE; - if (options & CT_OPT_TUPLE_ORIG && !nfct_cmp(obj, ct, NFCT_CMP_ORIG)) + if (cmd->options & CT_OPT_TUPLE_ORIG && + !nfct_cmp(obj, ct, NFCT_CMP_ORIG)) return NFCT_CB_CONTINUE; - if (options & CT_OPT_TUPLE_REPL && !nfct_cmp(obj, ct, NFCT_CMP_REPL)) + if (cmd->options & CT_OPT_TUPLE_REPL && + !nfct_cmp(obj, ct, NFCT_CMP_REPL)) return NFCT_CB_CONTINUE; tmp = nfct_new(); @@ -2163,9 +2168,9 @@ static int update_cb(enum nf_conntrack_msg_type type, nfct_copy(tmp, ct, NFCT_CP_ORIG); nfct_copy(tmp, obj, NFCT_CP_META); - copy_mark(tmp, ct, &cur_tmpl->mark); - copy_status(tmp, ct); - copy_label(tmp, ct, cur_tmpl); + copy_mark(cmd, tmp, ct, &cur_tmpl->mark); + copy_status(cmd, tmp, ct); + copy_label(cmd, tmp, ct, cur_tmpl); /* do not send NFCT_Q_UPDATE if ct appears unchanged */ if (nfct_cmp(tmp, ct, NFCT_CMP_ALL | NFCT_CMP_MASK)) { @@ -2633,17 +2638,17 @@ static void nfct_filter_init(const struct ct_cmd *cmd) int family = cmd->family; filter_family = family; - if (options & CT_OPT_MASK_SRC) { + if (cmd->options & CT_OPT_MASK_SRC) { assert(family != AF_UNSPEC); - if (!(options & CT_OPT_ORIG_SRC)) + if (!(cmd->options & CT_OPT_ORIG_SRC)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-src without --src"); nfct_network_attr_prepare(family, DIR_SRC, tmpl); } - if (options & CT_OPT_MASK_DST) { + if (cmd->options & CT_OPT_MASK_DST) { assert(family != AF_UNSPEC); - if (!(options & CT_OPT_ORIG_DST)) + if (!(cmd->options & CT_OPT_ORIG_DST)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-dst without --dst"); nfct_network_attr_prepare(family, DIR_DST, tmpl); 
@@ -2714,9 +2719,9 @@ nfct_set_addr_only(const int opt, struct nf_conntrack *ct, union ct_address *ad, static void nfct_set_addr_opt(const int opt, struct nf_conntrack *ct, union ct_address *ad, - const int l3protonum) + const int l3protonum, unsigned int *options) { - options |= opt2type[opt]; + *options |= opt2type[opt]; nfct_set_addr_only(opt, ct, ad, l3protonum); nfct_set_attr_u8(ct, opt2attr[opt], l3protonum); } @@ -2725,7 +2730,8 @@ static void nfct_parse_addr_from_opt(const int opt, const char *arg, struct nf_conntrack *ct, struct nf_conntrack *ctmask, - union ct_address *ad, int *family) + union ct_address *ad, int *family, + unsigned int *options) { int mask, maskopt; @@ -2745,7 +2751,7 @@ nfct_parse_addr_from_opt(const int opt, const char *arg, "Invalid netmask"); } - nfct_set_addr_opt(opt, ct, ad, l3protonum); + nfct_set_addr_opt(opt, ct, ad, l3protonum, options); /* bail if we don't have a netmask to set*/ if (mask == -1 || !maskopt || ctmask == NULL) @@ -2764,7 +2770,7 @@ nfct_parse_addr_from_opt(const int opt, const char *arg, break; } - nfct_set_addr_opt(maskopt, ctmask, ad, l3protonum); + nfct_set_addr_opt(maskopt, ctmask, ad, l3protonum, options); } static void @@ -2791,6 +2797,7 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) int protonum = 0, family = AF_UNSPEC; size_t socketbuffersize = 0; unsigned int command = 0; + unsigned int options = 0; struct ct_tmpl *tmpl; int res = 0, partial; union ct_address ad; 
@@ -2856,17 +2863,19 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) case 'r': case 'q': nfct_parse_addr_from_opt(c, optarg, tmpl->ct, - tmpl->mask, &ad, &family); + tmpl->mask, &ad, &family, + &options); break; case '[': case ']': nfct_parse_addr_from_opt(c, optarg, tmpl->exptuple, - tmpl->mask, &ad, &family); + tmpl->mask, &ad, &family, + &options); break; case '{': case '}': nfct_parse_addr_from_opt(c, optarg, tmpl->mask, - NULL, &ad, &family); + NULL, &ad, &family, &options); break; case 'p': options |= CT_OPT_PROTO; @@ -2925,7 +2934,8 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) &port_str); nfct_parse_addr_from_opt(c, nat_address, tmpl->ct, NULL, - &ad, &family); + &ad, &family, + &options); if (c == 'j') { /* Set details on both src and dst * with any-nat @@ -3082,6 +3092,7 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) ct_cmd->command = command; ct_cmd->cmd = cmd; + ct_cmd->options = options; ct_cmd->family = family; ct_cmd->type = type; ct_cmd->protonum = protonum; @@ -3122,8 +3133,8 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); - if (options & CT_COMPARISON && - options & CT_OPT_ZERO) + if (cmd->options & CT_COMPARISON && + cmd->options & CT_OPT_ZERO) exit_error(PARAMETER_PROBLEM, "Can't use -z with " "filtering parameters"); @@ -3144,7 +3155,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) NFCT_FILTER_DUMP_L3NUM, cmd->family); - if (options & CT_OPT_ZERO) + if (cmd->options & CT_OPT_ZERO) res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET, filter_dump); else 
@@ -3176,15 +3187,15 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) break; case CT_CREATE: - if ((options & CT_OPT_ORIG) && !(options & CT_OPT_REPL)) + if ((cmd->options & CT_OPT_ORIG) && !(cmd->options & CT_OPT_REPL)) nfct_setobjopt(cmd->tmpl.ct, NFCT_SOPT_SETUP_REPLY); - else if (!(options & CT_OPT_ORIG) && (options & CT_OPT_REPL)) + else if (!(cmd->options & CT_OPT_ORIG) && (cmd->options & CT_OPT_REPL)) nfct_setobjopt(cmd->tmpl.ct, NFCT_SOPT_SETUP_ORIGINAL); - if (options & CT_OPT_MARK) + if (cmd->options & CT_OPT_MARK) nfct_set_attr_u32(cmd->tmpl.ct, ATTR_MARK, cmd->tmpl.mark.value); - if (options & CT_OPT_ADD_LABEL) + if (cmd->options & CT_OPT_ADD_LABEL) nfct_set_attr(cmd->tmpl.ct, ATTR_CONNLABELS, xnfct_bitmask_clone(cmd->tmpl.label_modify)); @@ -3312,7 +3323,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) break; case CT_EVENT: - if (options & CT_OPT_EVENT_MASK) { + if (cmd->options & CT_OPT_EVENT_MASK) { unsigned int nl_events = 0; if (cmd->event_mask & CT_EVENT_F_NEW) @@ -3332,7 +3343,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (res < 0) exit_error(OTHER_PROBLEM, "Can't open netlink socket"); - if (options & CT_OPT_BUFFERSIZE) { + if (cmd->options & CT_OPT_BUFFERSIZE) { size_t socketbuffersize = cmd->socketbuffersize; socklen_t socklen = sizeof(socketbuffersize); @@ -3385,7 +3396,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) break; case EXP_EVENT: - if (options & CT_OPT_EVENT_MASK) { + if (cmd->options & CT_OPT_EVENT_MASK) { unsigned int nl_events = 0; if (cmd->event_mask & CT_EVENT_F_NEW) @@ -3500,7 +3511,7 @@ try_proc: break; case CT_HELP: usage(progname); - if (options & CT_OPT_PROTO) + if (cmd->options & CT_OPT_PROTO) extension_help(h, cmd->protonum); break; default: -- 2.20.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH conntrack 6/6] conntrack: add function to print command stats 2021-03-15 16:49 [PATCH conntrack 1/6] conntrack: pass command object to callbacks Pablo Neira Ayuso ` (3 preceding siblings ...) 2021-03-15 16:49 ` [PATCH conntrack 5/6] conntrack: move options flag to ct_cmd object Pablo Neira Ayuso @ 2021-03-15 16:49 ` Pablo Neira Ayuso 4 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2021-03-15 16:49 UTC (permalink / raw) To: netfilter-devel; +Cc: mikhail.sennikovskii Wrap code to display command stats in a function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/conntrack.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index b9b0e31c8269..4bc340f69cfc 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -2791,6 +2791,18 @@ nfct_set_nat_details(const int opt, struct nf_conntrack *ct, } +static int print_stats(const struct ct_cmd *cmd) +{ + if (cmd->command && exit_msg[cmd->cmd][0]) { + fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION); + fprintf(stderr, exit_msg[cmd->cmd], counter); + if (counter == 0 && !(cmd->command & (CT_LIST | EXP_LIST))) + return -1; + } + + return 0; +} + static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) { unsigned int type = 0, event_mask = 0, l4flags = 0, status = 0; @@ -3528,13 +3540,6 @@ try_proc: if (labelmap) nfct_labelmap_destroy(labelmap); - if (cmd->command && exit_msg[cmd->cmd][0]) { - fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION); - fprintf(stderr, exit_msg[cmd->cmd], counter); - if (counter == 0 && !(cmd->command & (CT_LIST | EXP_LIST))) - return EXIT_FAILURE; - } - return EXIT_SUCCESS; } 
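Review bot: print_stats() uses `cmd->cmd` as an index into `exit_msg` and passes the selected entry to fprintf as the format string, with no comment on either assumption. Neither the size of `exit_msg` nor the range of `cmd->cmd` is visible in this hunk, so I would document the contract above the function, e.g. `/* exit_msg[] entries are fixed format strings taking one counter argument; cmd->cmd must be a valid index set by do_parse() */`, or add a bounds check if the table size is available. The function returns -1/0 while its only caller maps that to EXIT_FAILURE/EXIT_SUCCESS, which deserves a one-line comment on the return value.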
@@ -3553,6 +3558,10 @@ int main(int argc, char *argv[]) register_unknown(); do_parse(cmd, argc, argv); + do_command_ct(argv[0], cmd); - return do_command_ct(argv[0], cmd); + if (print_stats(cmd) < 0) + return EXIT_FAILURE; + + return EXIT_SUCCESS; } -- 2.20.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
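Review bot: main() now discards the return value of `do_command_ct(argv[0], cmd);`, so the exit status is decided by print_stats() alone. The visible tail of do_command_ct() returns EXIT_SUCCESS, but its other return paths are outside the hunks; if any of them reports failure, scripts that check the exit code of a delete or update would now see success. Keeping the check is one line: `if (do_command_ct(argv[0], cmd) != EXIT_SUCCESS) return EXIT_FAILURE;`.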