From patchwork Fri Jan 29 21:24:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433542 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=hJFTbcny; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9Pp4gcqz9sVv for ; Sat, 30 Jan 2021 08:26:22 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233456AbhA2V0F (ORCPT ); Fri, 29 Jan 2021 16:26:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45530 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232808AbhA2VZ4 (ORCPT ); Fri, 29 Jan 2021 16:25:56 -0500 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9880CC061574 for ; Fri, 29 Jan 2021 13:25:16 -0800 (PST) Received: by mail-ed1-x530.google.com with SMTP id b21so12207871edy.6 for ; Fri, 29 Jan 2021 13:25:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=RGh4mz8ZXFBKwd43+b+GHgUwisbvAkJPCYSh5f3W4SM=; b=hJFTbcny79Q9yYw4c1yH2NUc9+bNuJZwnDW9FJy/su8L+o1bNc9FUKYkr/iJAISOuh zouGLpR1whPyoOHamPBmO+bmeWn4eFMIYQ00fpNpSpCyHpGm2oUmWYYuCt2uXrpVomzk 8xQIq2yn2Ek0z0DAuMULH59RpR+RyEhnLSDK0wtC42bJzQWyYZNLpgbKqZDBGC+uXxrt btZSIHZWAcNZRstAr75MC9uoMluJrR2RSraLMdYalgeZBB7hpMWrByHGoHp1CayOOE+q 0hkWrAs5FgiSnHLrBzT6PeBBypf6iVVmWcJH0nIHuekD7ZX6V1kwpcZuBK3kQrml40HU g0sQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=RGh4mz8ZXFBKwd43+b+GHgUwisbvAkJPCYSh5f3W4SM=; b=KzbRvtdyfqtO/v+Iw4G02JGMhQYyLfB5E2EhUNRolVFyEb8zDoWfMhFb4veCnQTRRb cSMAGrXuMiNHPHAItCwU4yG9AIEzIQRXH4aa4YQXs/hQFLSh3IBLS2sCgvW8Mft60Qhx lGAn19oLMC+2u/m5Vi4S9oCqEPssvZE23k8SlyQmXHX3/EuBl9dJxl3RnTylJTtKj4Q2 avouFr4S07RlH90PsLLSTmb7Ah2Ke3G2lIatlTYnI15eW2rHXeX0LBKfOCu4dAmmn6eJ aFO4W8mXxFmyGdR9jHGeDuJVJwBOWto7h5L5KfyZ5VHMQcixCp0qNbu1S2tMpSUJhm8r kFkA== X-Gm-Message-State: AOAM532yoTJc2PtEf7E5lReZ2I7ik7nBcAtRGKmydeJ9WpOUH0qfsB8r /323y4EVK4eG3/wbgbShdmEEcWmPNKqfaA== X-Google-Smtp-Source: ABdhPJwU4XCuoK/YFU5rvZhCdNwFcTuazx8g34P6/pk8Uf7Y6OeqMf/dSqXpTBEyYRCGV239xZ3d6Q== X-Received: by 2002:aa7:de10:: with SMTP id h16mr7417125edv.385.1611955515219; Fri, 29 Jan 2021 13:25:15 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:14 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 1/8] conntrack: reset optind in do_parse Date: Fri, 29 Jan 2021 22:24:45 +0100 Message-Id: <20210129212452.45352-2-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org As a multicommand support preparation reset optind for the case do_parse is called multiple times Signed-off-by: Mikhail Sennikovsky --- src/conntrack.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/conntrack.c b/src/conntrack.c index 987d936..c582d86 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -2798,6 +2798,8 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) /* disable explicit missing arguments error output from getopt_long */ opterr = 0; + /* reset optind, for the case do_parse is called multiple times */ + optind = 0; while ((c = getopt_long(argc, argv, getopt_str, opts, NULL)) != -1) { switch(c) { From patchwork Fri Jan 29 21:24:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433543 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=exGa7Q11; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9Pq1xSJz9sW8 for ; Sat, 30 Jan 2021 08:26:23 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233459AbhA2V0J (ORCPT ); Fri, 29 Jan 2021 16:26:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233272AbhA2VZ6 (ORCPT ); Fri, 29 Jan 2021 16:25:58 -0500 Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0D8CC06174A for ; Fri, 29 Jan 2021 13:25:17 -0800 (PST) Received: by mail-ej1-x631.google.com with SMTP id g12so14987942ejf.8 for ; Fri, 29 Jan 2021 13:25:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=YubcwJXXkiJc7BfPcfZ5LcRhlXUjrrhcjqHpifWX72U=; b=exGa7Q11k3VhikksMo5eK7Dlv7cwdtMga4CGgRWN5ReDmIVHTCY3iJ8dyoY/wGRoga BPh+RZwt3BF2i5364M7/ebtq6tYxK00ftfutVqJAq3Z5j1zPctV/OYsrs0VTAO9hZk2c Bf3MHSVFNQRv0lcYpbDJYiHc/IIydo4D6Z5bVy8BEzAjfNdD5sov3I877DKO97YpnMb7 ySw2GAu3T856F6cFtoaZ9n1qct+c/2/Wg5EA+I6P5Gk1INWMdFRYbriUaT3gc8yuEbtp sKPRDXxG5C8TsmjtLzBQnS1a+IubFIQ2Fp/gnWa63fcM2g9QCuCnPkgs02myv7T+RLFo fF+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=YubcwJXXkiJc7BfPcfZ5LcRhlXUjrrhcjqHpifWX72U=; b=RBL6MJSijuAfi4ALGdVLsSDLtjxzYwHOTOdaYKd2oA0V0FeacV+py37WnHz8yDUlYX YaP9xSRcZg0TjVGpI7Dgu51B+gIDgw+KQrv8M5jLthFUQaDgNE+aDPn7QICq5nDmY1C+ 6K50fFchrA2FtwVAexGs2VDNbaNvtbzTKrxWvoukO66G0ztg7n9Hd8B0ZtITADFW4Ppi Vva2Fv7ApjR7sBfAgcY28dbq5oMi68KrK1ZlZETQ1EF1sToYkbHJ2L4dkhBqc35L6vF5 y52h1xv1MyFkNWAGnbg61Ma49EGzARCl6Qa62GuYLIBVWy8ZuIctjmiFDViRyopQdHiA /Dng== X-Gm-Message-State: AOAM533joLastib6v5mAFQsMyeMURtm0p3xoP9Uuo6vjUQRqdVirudQQ 3d3yGbXh7T8ui9eWbiestbimaIH1L+3OVg== X-Google-Smtp-Source: ABdhPJyt/1F+vaxj2hYHmhCub8fgSEfDUSmf44N3NLRUk6NE84hjOxllkTJtHlPNEjUUd8fbL+LXHA== X-Received: by 2002:a17:906:3c41:: with SMTP id i1mr6557051ejg.443.1611955516099; Fri, 29 Jan 2021 13:25:16 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:15 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 2/8] conntrack: move global options to struct ct_cmd Date: Fri, 29 Jan 2021 22:24:46 +0100 Message-Id: <20210129212452.45352-3-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org As a multicommand support preparation options must be done per-command es well. Signed-off-by: Mikhail Sennikovsky --- src/conntrack.c | 205 ++++++++++++++++++++++++++---------------------- 1 file changed, 113 insertions(+), 92 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index c582d86..a090542 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -600,7 +600,6 @@ static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = { static LIST_HEAD(proto_list); -static unsigned int options; static struct nfct_labelmap *labelmap; static int filter_family; @@ -1460,6 +1459,19 @@ static void usage(const char *prog) static unsigned int output_mask; +struct ct_cmd { + struct list_head list_entry; + unsigned int command; + unsigned int cmd; + int options; + unsigned int type; + unsigned int event_mask; + int family; + int protonum; + size_t socketbuffersize; + struct ct_tmpl tmpl; +}; + static int filter_label(const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) { @@ -1480,24 +1492,27 @@ filter_label(const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) } static int -filter_mark(const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) +filter_mark(const struct ct_cmd *cmd, + const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) { - if ((options & CT_OPT_MARK) && + if ((cmd->options & CT_OPT_MARK) && !mark_cmp(&tmpl->mark, ct)) return 1; return 0; } static int -filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct) +filter_nat(const struct ct_cmd *cmd, + const struct nf_conntrack *obj, + const struct nf_conntrack *ct) { - int check_srcnat = options & CT_OPT_SRC_NAT ? 1 : 0; - int check_dstnat = options & CT_OPT_DST_NAT ? 1 : 0; + int check_srcnat = cmd->options & CT_OPT_SRC_NAT ? 1 : 0; + int check_dstnat = cmd->options & CT_OPT_DST_NAT ? 1 : 0; int has_srcnat = 0, has_dstnat = 0; uint32_t ip; uint16_t port; - if (options & CT_OPT_ANY_NAT) + if (cmd->options & CT_OPT_ANY_NAT) check_srcnat = check_dstnat = 1; if (check_srcnat) { @@ -1560,13 +1575,14 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct) nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT))) has_dstnat = 1; } - if (options & CT_OPT_ANY_NAT) + if (cmd->options & CT_OPT_ANY_NAT) return !(has_srcnat || has_dstnat); - else if ((options & CT_OPT_SRC_NAT) && (options & CT_OPT_DST_NAT)) + else if ((cmd->options & CT_OPT_SRC_NAT) + && (cmd->options & CT_OPT_DST_NAT)) return !(has_srcnat && has_dstnat); - else if (options & CT_OPT_SRC_NAT) + else if (cmd->options & CT_OPT_SRC_NAT) return !has_srcnat; - else if (options & CT_OPT_DST_NAT) + else if (cmd->options & CT_OPT_DST_NAT) return !has_dstnat; return 0; @@ -1614,14 +1630,14 @@ nfct_filter_network_direction(const struct nf_conntrack *ct, enum ct_direction d } static int -filter_network(const struct nf_conntrack *ct) +filter_network(const struct ct_cmd *cmd, const struct nf_conntrack *ct) { - if (options & CT_OPT_MASK_SRC) { + if (cmd->options & CT_OPT_MASK_SRC) { if (nfct_filter_network_direction(ct, DIR_SRC)) return 1; } - if (options & CT_OPT_MASK_DST) { + if (cmd->options & CT_OPT_MASK_DST) { if (nfct_filter_network_direction(ct, DIR_DST)) return 1; } @@ -1629,16 +1645,18 @@ filter_network(const struct nf_conntrack *ct) } static int -nfct_filter(struct nf_conntrack *obj, struct nf_conntrack *ct, +nfct_filter(const struct ct_cmd *cmd, + const struct nf_conntrack *obj, + struct nf_conntrack *ct, const struct ct_tmpl *tmpl) { - if (filter_nat(obj, ct) || - filter_mark(ct, tmpl) || + if (filter_nat(cmd, obj, ct) || + filter_mark(cmd, ct, tmpl) || filter_label(ct, tmpl) || - filter_network(ct)) + filter_network(cmd, ct)) return 1; - if (options & CT_COMPARISON && + if (cmd->options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL | NFCT_CMP_MASK)) return 1; @@ -1843,7 +1861,8 @@ static int event_cb(const struct nlmsghdr *nlh, void *data) { struct nfgenmsg *nfh = mnl_nlmsg_get_payload(nlh); unsigned int op_type = NFCT_O_DEFAULT; - struct nf_conntrack *obj = data; + struct ct_cmd *cmd = data; + struct nf_conntrack *obj = cmd->tmpl.ct; enum nf_conntrack_msg_type type; unsigned int op_flags = 0; struct nf_conntrack *ct; @@ -1874,7 +1893,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data) if ((filter_family != AF_UNSPEC && filter_family != nfh->nfgen_family) || - nfct_filter(obj, ct, cur_tmpl)) + nfct_filter(cmd, obj, ct, cur_tmpl)) goto out; if (output_mask & _O_SAVE) { @@ -1930,11 +1949,12 @@ static int dump_cb(enum nf_conntrack_msg_type type, void *data) { char buf[1024]; - struct nf_conntrack *obj = data; + struct ct_cmd *cmd = data; + struct nf_conntrack *obj = cmd->tmpl.ct; unsigned int op_type = NFCT_O_DEFAULT; unsigned int op_flags = 0; - if (nfct_filter(obj, ct, cur_tmpl)) + if (nfct_filter(cmd, obj, ct, cur_tmpl)) return NFCT_CB_CONTINUE; if (output_mask & _O_SAVE) { @@ -1972,11 +1992,12 @@ static int delete_cb(enum nf_conntrack_msg_type type, { int res; char buf[1024]; - struct nf_conntrack *obj = data; + struct ct_cmd *cmd = data; + struct nf_conntrack *obj = cmd->tmpl.ct; unsigned int op_type = NFCT_O_DEFAULT; unsigned int op_flags = 0; - if (nfct_filter(obj, ct, cur_tmpl)) + if (nfct_filter(cmd, obj, ct, cur_tmpl)) return NFCT_CB_CONTINUE; res = nfct_query(ith, NFCT_Q_DESTROY, ct); @@ -2033,20 +2054,23 @@ done: return NFCT_CB_CONTINUE; } -static void copy_mark(struct nf_conntrack *tmp, +static void copy_mark(const struct ct_cmd *cmd, + struct nf_conntrack *tmp, const struct nf_conntrack *ct, const struct u32_mask *m) { - if (options & CT_OPT_MARK) { + if (cmd->options & CT_OPT_MARK) { uint32_t mark = nfct_get_attr_u32(ct, ATTR_MARK); mark = (mark & ~m->mask) ^ m->value; nfct_set_attr_u32(tmp, ATTR_MARK, mark); } } -static void copy_status(struct nf_conntrack *tmp, const struct nf_conntrack *ct) +static void copy_status(const struct ct_cmd *cmd, + struct nf_conntrack *tmp, + const struct nf_conntrack *ct) { - if (options & CT_OPT_STATUS) { + if (cmd->options & CT_OPT_STATUS) { /* copy existing flags, we only allow setting them. */ uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS); status |= nfct_get_attr_u32(tmp, ATTR_STATUS); @@ -2062,19 +2086,21 @@ static struct nfct_bitmask *xnfct_bitmask_clone(const struct nfct_bitmask *a) return b; } -static void copy_label(struct nf_conntrack *tmp, const struct nf_conntrack *ct, - const struct ct_tmpl *tmpl) +static void copy_label(const struct ct_cmd *cmd, + struct nf_conntrack *tmp, + const struct nf_conntrack *ct, + const struct ct_tmpl *tmpl) { struct nfct_bitmask *ctb, *newmask; unsigned int i; - if ((options & (CT_OPT_ADD_LABEL|CT_OPT_DEL_LABEL)) == 0) + if ((cmd->options & (CT_OPT_ADD_LABEL|CT_OPT_DEL_LABEL)) == 0) return; nfct_copy_attr(tmp, ct, ATTR_CONNLABELS); ctb = (void *) nfct_get_attr(tmp, ATTR_CONNLABELS); - if (options & CT_OPT_ADD_LABEL) { + if (cmd->options & CT_OPT_ADD_LABEL) { if (ctb == NULL) { nfct_set_attr(tmp, ATTR_CONNLABELS, xnfct_bitmask_clone(tmpl->label_modify)); @@ -2126,20 +2152,21 @@ static int update_cb(enum nf_conntrack_msg_type type, void *data) { int res; - struct nf_conntrack *obj = data, *tmp; + struct ct_cmd *cmd = data; + struct nf_conntrack *obj = cmd->tmpl.ct, *tmp; - if (filter_nat(obj, ct) || + if (filter_nat(cmd, obj, ct) || filter_label(ct, cur_tmpl) || - filter_network(ct)) + filter_network(cmd, ct)) return NFCT_CB_CONTINUE; if (nfct_attr_is_set(obj, ATTR_ID) && nfct_attr_is_set(ct, ATTR_ID) && nfct_get_attr_u32(obj, ATTR_ID) != nfct_get_attr_u32(ct, ATTR_ID)) return NFCT_CB_CONTINUE; - if (options & CT_OPT_TUPLE_ORIG && !nfct_cmp(obj, ct, NFCT_CMP_ORIG)) + if (cmd->options & CT_OPT_TUPLE_ORIG && !nfct_cmp(obj, ct, NFCT_CMP_ORIG)) return NFCT_CB_CONTINUE; - if (options & CT_OPT_TUPLE_REPL && !nfct_cmp(obj, ct, NFCT_CMP_REPL)) + if (cmd->options & CT_OPT_TUPLE_REPL && !nfct_cmp(obj, ct, NFCT_CMP_REPL)) return NFCT_CB_CONTINUE; tmp = nfct_new(); @@ -2148,9 +2175,9 @@ static int update_cb(enum nf_conntrack_msg_type type, nfct_copy(tmp, ct, NFCT_CP_ORIG); nfct_copy(tmp, obj, NFCT_CP_META); - copy_mark(tmp, ct, &cur_tmpl->mark); - copy_status(tmp, ct); - copy_label(tmp, ct, cur_tmpl); + copy_mark(cmd, tmp, ct, &cur_tmpl->mark); + copy_status(cmd, tmp, ct); + copy_label(cmd, tmp, ct, cur_tmpl); /* do not send NFCT_Q_UPDATE if ct appears unchanged */ if (nfct_cmp(tmp, ct, NFCT_CMP_ALL | NFCT_CMP_MASK)) { @@ -2613,23 +2640,23 @@ nfct_network_attr_prepare(const int family, enum ct_direction dir, } static void -nfct_filter_init(const int family, const struct ct_tmpl *tmpl) +nfct_filter_init(struct ct_cmd *cmd) { - filter_family = family; - if (options & CT_OPT_MASK_SRC) { - assert(family != AF_UNSPEC); - if (!(options & CT_OPT_ORIG_SRC)) + filter_family = cmd->family; + if (cmd->options & CT_OPT_MASK_SRC) { + assert(cmd->family != AF_UNSPEC); + if (!(cmd->options & CT_OPT_ORIG_SRC)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-src without --src"); - nfct_network_attr_prepare(family, DIR_SRC, tmpl); + nfct_network_attr_prepare(cmd->family, DIR_SRC, &cmd->tmpl); } - if (options & CT_OPT_MASK_DST) { - assert(family != AF_UNSPEC); - if (!(options & CT_OPT_ORIG_DST)) + if (cmd->options & CT_OPT_MASK_DST) { + assert(cmd->family != AF_UNSPEC); + if (!(cmd->options & CT_OPT_ORIG_DST)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-dst without --dst"); - nfct_network_attr_prepare(family, DIR_DST, tmpl); + nfct_network_attr_prepare(cmd->family, DIR_DST, &cmd->tmpl); } } @@ -2696,16 +2723,19 @@ nfct_set_addr_only(const int opt, struct nf_conntrack *ct, union ct_address *ad, } static void -nfct_set_addr_opt(const int opt, struct nf_conntrack *ct, union ct_address *ad, - const int l3protonum) +nfct_set_addr_opt(unsigned int *options, + const int opt, + struct nf_conntrack *ct, + union ct_address *ad, + const int l3protonum) { - options |= opt2type[opt]; + *options |= opt2type[opt]; nfct_set_addr_only(opt, ct, ad, l3protonum); nfct_set_attr_u8(ct, opt2attr[opt], l3protonum); } static void -nfct_parse_addr_from_opt(const int opt, const char *arg, +nfct_parse_addr_from_opt(unsigned int *options, const int opt, const char *arg, struct nf_conntrack *ct, struct nf_conntrack *ctmask, union ct_address *ad, int *family) @@ -2728,7 +2758,7 @@ nfct_parse_addr_from_opt(const int opt, const char *arg, "Invalid netmask"); } - nfct_set_addr_opt(opt, ct, ad, l3protonum); + nfct_set_addr_opt(options, opt, ct, ad, l3protonum); /* bail if we don't have a netmask to set*/ if (mask == -1 || !maskopt || ctmask == NULL) @@ -2747,7 +2777,7 @@ nfct_parse_addr_from_opt(const int opt, const char *arg, break; } - nfct_set_addr_opt(maskopt, ctmask, ad, l3protonum); + nfct_set_addr_opt(options, maskopt, ctmask, ad, l3protonum); } static void @@ -2768,23 +2798,13 @@ nfct_set_nat_details(const int opt, struct nf_conntrack *ct, } -struct ct_cmd { - unsigned int command; - unsigned int cmd; - unsigned int type; - unsigned int event_mask; - int family; - int protonum; - size_t socketbuffersize; - struct ct_tmpl tmpl; -}; - static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) { unsigned int type = 0, event_mask = 0, l4flags = 0, status = 0; int protonum = 0, family = AF_UNSPEC; size_t socketbuffersize = 0; unsigned int command = 0; + unsigned int options = 0; struct ct_tmpl *tmpl; int res = 0, partial; union ct_address ad; @@ -2851,17 +2871,17 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) case 'd': case 'r': case 'q': - nfct_parse_addr_from_opt(c, optarg, tmpl->ct, + nfct_parse_addr_from_opt(&options, c, optarg, tmpl->ct, tmpl->mask, &ad, &family); break; case '[': case ']': - nfct_parse_addr_from_opt(c, optarg, tmpl->exptuple, + nfct_parse_addr_from_opt(&options, c, optarg, tmpl->exptuple, tmpl->mask, &ad, &family); break; case '{': case '}': - nfct_parse_addr_from_opt(c, optarg, tmpl->mask, + nfct_parse_addr_from_opt(&options, c, optarg, tmpl->mask, NULL, &ad, &family); break; case 'p': @@ -2919,7 +2939,7 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) split_address_and_port(optional_arg, &nat_address, &port_str); - nfct_parse_addr_from_opt(c, nat_address, + nfct_parse_addr_from_opt(&options, c, nat_address, tmpl->ct, NULL, &ad, &family); if (c == 'j') { @@ -3078,6 +3098,7 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) ct_cmd->command = command; ct_cmd->cmd = cmd; + ct_cmd->options = options; ct_cmd->family = family; ct_cmd->type = type; ct_cmd->protonum = protonum; @@ -3118,14 +3139,14 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); - if (options & CT_COMPARISON && - options & CT_OPT_ZERO) + if (cmd->options & CT_COMPARISON && + cmd->options & CT_OPT_ZERO) exit_error(PARAMETER_PROBLEM, "Can't use -z with " "filtering parameters"); - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); - nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd->tmpl.ct); + nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd); filter_dump = nfct_filter_dump_create(); if (filter_dump == NULL) @@ -3140,7 +3161,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) NFCT_FILTER_DUMP_L3NUM, cmd->family); - if (options & CT_OPT_ZERO) + if (cmd->options & CT_OPT_ZERO) res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET, filter_dump); else @@ -3172,15 +3193,15 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) break; case CT_CREATE: - if ((options & CT_OPT_ORIG) && !(options & CT_OPT_REPL)) + if ((cmd->options & CT_OPT_ORIG) && !(cmd->options & CT_OPT_REPL)) nfct_setobjopt(cmd->tmpl.ct, NFCT_SOPT_SETUP_REPLY); - else if (!(options & CT_OPT_ORIG) && (options & CT_OPT_REPL)) + else if (!(cmd->options & CT_OPT_ORIG) && (cmd->options & CT_OPT_REPL)) nfct_setobjopt(cmd->tmpl.ct, NFCT_SOPT_SETUP_ORIGINAL); - if (options & CT_OPT_MARK) + if (cmd->options & CT_OPT_MARK) nfct_set_attr_u32(cmd->tmpl.ct, ATTR_MARK, cmd->tmpl.mark.value); - if (options & CT_OPT_ADD_LABEL) + if (cmd->options & CT_OPT_ADD_LABEL) nfct_set_attr(cmd->tmpl.ct, ATTR_CONNLABELS, xnfct_bitmask_clone(cmd->tmpl.label_modify)); @@ -3214,9 +3235,9 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth || !ith) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); - nfct_callback_register(cth, NFCT_T_ALL, update_cb, cmd->tmpl.ct); + nfct_callback_register(cth, NFCT_T_ALL, update_cb, cmd); res = nfct_query(cth, NFCT_Q_DUMP, &cmd->family); nfct_close(ith); @@ -3229,9 +3250,9 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth || !ith) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); - nfct_callback_register(cth, NFCT_T_ALL, delete_cb, cmd->tmpl.ct); + nfct_callback_register(cth, NFCT_T_ALL, delete_cb, cmd); filter_dump = nfct_filter_dump_create(); if (filter_dump == NULL) @@ -3270,7 +3291,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd->tmpl.ct); + nfct_callback_register(cth, NFCT_T_ALL, dump_cb, cmd); res = nfct_query(cth, NFCT_Q_GET, cmd->tmpl.ct); nfct_close(cth); break; @@ -3308,7 +3329,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) break; case CT_EVENT: - if (options & CT_OPT_EVENT_MASK) { + if (cmd->options & CT_OPT_EVENT_MASK) { unsigned int nl_events = 0; if (cmd->event_mask & CT_EVENT_F_NEW) @@ -3328,7 +3349,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (res < 0) exit_error(OTHER_PROBLEM, "Can't open netlink socket"); - if (options & CT_OPT_BUFFERSIZE) { + if (cmd->options & CT_OPT_BUFFERSIZE) { size_t socketbuffersize = cmd->socketbuffersize; socklen_t socklen = sizeof(socketbuffersize); @@ -3350,7 +3371,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) socketbuffersize); } - nfct_filter_init(cmd->family, &cmd->tmpl); + nfct_filter_init(cmd); signal(SIGINT, event_sighandler); signal(SIGTERM, event_sighandler); @@ -3375,13 +3396,13 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) strerror(errno)); break; } - res = mnl_cb_run(buf, res, 0, 0, event_cb, cmd->tmpl.ct); + res = mnl_cb_run(buf, res, 0, 0, event_cb, cmd); } mnl_socket_close(sock.mnl); break; case EXP_EVENT: - if (options & CT_OPT_EVENT_MASK) { + if (cmd->options & CT_OPT_EVENT_MASK) { unsigned int nl_events = 0; if (cmd->event_mask & CT_EVENT_F_NEW) @@ -3496,7 +3517,7 @@ try_proc: break; case CT_HELP: usage(progname); - if (options & CT_OPT_PROTO) + if (cmd->options & CT_OPT_PROTO) extension_help(h, cmd->protonum); break; default: From patchwork Fri Jan 29 21:24:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433545 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=XJjRpEy1; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9Pr18Byz9sVv for ; Sat, 30 Jan 2021 08:26:24 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233454AbhA2V0R (ORCPT ); Fri, 29 Jan 2021 16:26:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45540 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233452AbhA2VZ6 (ORCPT ); Fri, 29 Jan 2021 16:25:58 -0500 Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6EC01C061756 for ; Fri, 29 Jan 2021 13:25:18 -0800 (PST) Received: by mail-ej1-x62e.google.com with SMTP id kg20so15018580ejc.4 for ; Fri, 29 Jan 2021 13:25:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=WdX61FgOUJrG/Flj3VHA/kEi/PjPOXhB4irw9aagjSc=; b=XJjRpEy1Ed5V+ck4B6wlmLVn1ix4RfwGTGpOu5MaaS9TfTpHOtvnI9MfR3ywg6DZOd ccN38XAfp56XxU5VhANaDvZ5FNakv81Ti9utmBJV7G17qxOp7H4H2IoczwB6l91Jpt2e PKXocqWTi0gKEpQZcgoadPg8y9Xo54CK+Ux+X/J3vN11nC3Gf+6eb/sabdaCJ8V2we7E c8Ff/TYqRH+10drrxBbt2i83/JRwQd9v8cQXVmmMCKGINTsrgHRdh27KcDgLy8DdhAA9 wQPSb+XszkEfNfrlYu018CEPTcOrQzMrV7bnt/Krl96ZOfG+7TbtwT0PhhfaLoMc4rcP UJEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WdX61FgOUJrG/Flj3VHA/kEi/PjPOXhB4irw9aagjSc=; b=Me9haaqxEO7+mWrYd5myQ2YlNHRLWrMy1aBoeeHYNa6BOWUYnJsyxPSP+e0+Nt8SpT WqiFqFakfwy9FwzVeK+5vdk0cpN/bph9P6hcnKQrEy++zfqaye5TEX15uts8mc8tuO5O X3E9YfXJCfAfHDNjhweS1fmB7rq/qtqtWJBou2ZFB+zwBaZjkVHO1xzWX/PyKRmisKF6 zzI8WjNewz2tNw6swuvIwKWNW9vvUR9Llmqs50FjNr9DVOZ+6FnJ07a5+JN39eertaz4 w4PEEGgHSphIgRpEbl9HvHUKSGkXCTwc648BBOUVgEToexJWH8jOQn+29IyH+hqKoMxE c0mg== X-Gm-Message-State: AOAM532i3g1S0PCb6U49ffaA/UEkU3JMDQRqYNQg5GrHlDYXpwcFKgM+ pw1moZEVQ1udCoaVcKADrRkaOZvnjbNUFQ== X-Google-Smtp-Source: ABdhPJzmCk+2aTJGr/uF2UTvdplfx3x0Oi5+FAGqAK8ZyinRuOAJEl0RYfFOSFaquY27lGkF6ldydg== X-Received: by 2002:a17:906:c0cd:: with SMTP id bn13mr6270483ejb.368.1611955516882; Fri, 29 Jan 2021 13:25:16 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:16 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 3/8] conntrack: per-command entries counters Date: Fri, 29 Jan 2021 22:24:47 +0100 Message-Id: <20210129212452.45352-4-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org As a multicommand support preparation entry counters need to be made per-command as well, e.g. for the case -D and -I can be executed in a single batch, and we want to have separate counters for them. Signed-off-by: Mikhail Sennikovsky --- src/conntrack.c | 117 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 81 insertions(+), 36 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index a090542..4783825 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -1663,8 +1663,48 @@ nfct_filter(const struct ct_cmd *cmd, return 0; } -static int counter; static int dump_xml_header_done = 1; +static unsigned int cmd_executed = 0; +static const unsigned int cmd_no_entries_ok = 0 + | CT_LIST + | EXP_LIST + ; +static unsigned int cmd_counters[NUMBER_OF_CMD]; + +static int +print_cmd_counters(void) +{ + int i, ret = EXIT_FAILURE; + + if (!cmd_executed) + return EXIT_SUCCESS; + + for (i = 0; + i < (int)(sizeof(cmd_counters) / sizeof(cmd_counters[0])); + ++i) { + if (cmd_executed & 1 << i) { + if (exit_msg[i][0]) { + fprintf(stderr, "%s v%s (conntrack-tools): ", + PROGNAME, VERSION); + fprintf(stderr, exit_msg[i], cmd_counters[i]); + } + /* + * If there is at least one command which is supposed + * to return success, EXIT_SUCCESS is returned. + * I.e. for the --load-file case this would ensure that + * e.g. -D followed by a series of -I's + * would return success in case there are no entries + * to be deleted with the -D command preceding the -I's + */ + if (!exit_msg[i][0] + || cmd_counters[i] != 0 + || cmd_no_entries_ok & 1 << i) + ret &= EXIT_SUCCESS; + } + } + return ret; +} + static void __attribute__((noreturn)) event_sighandler(int s) @@ -1674,8 +1714,7 @@ event_sighandler(int s) fflush(stdout); } - fprintf(stderr, "%s v%s (conntrack-tools): ", PROGNAME, VERSION); - fprintf(stderr, "%d flow events have been shown.\n", counter); + print_cmd_counters(); mnl_socket_close(sock.mnl); exit(0); } @@ -1688,8 +1727,7 @@ exp_event_sighandler(int s) fflush(stdout); } - fprintf(stderr, "%s v%s (conntrack-tools): ", PROGNAME, VERSION); - fprintf(stderr, "%d expectation events have been shown.\n", counter); + print_cmd_counters(); nfct_close(cth); exit(0); } @@ -1938,7 +1976,7 @@ done: } fflush(stdout); - counter++; + cmd_counters[cmd->cmd]++; out: nfct_destroy(ct); return MNL_CB_OK; @@ -1981,7 +2019,7 @@ static int dump_cb(enum nf_conntrack_msg_type type, done: printf("%s\n", buf); - counter++; + cmd_counters[cmd->cmd]++; return NFCT_CB_CONTINUE; } @@ -2022,7 +2060,7 @@ static int delete_cb(enum nf_conntrack_msg_type type, done: printf("%s\n", buf); - counter++; + cmd_counters[cmd->cmd]++; return NFCT_CB_CONTINUE; } @@ -2207,7 +2245,7 @@ static int update_cb(enum nf_conntrack_msg_type type, nfct_destroy(tmp); nfct_callback_unregister(ith); - counter++; + cmd_counters[cmd->cmd]++; return NFCT_CB_CONTINUE; } @@ -2217,6 +2255,7 @@ static int dump_exp_cb(enum nf_conntrack_msg_type type, void *data) { char buf[1024]; + struct ct_cmd *cmd = data; unsigned int op_type = NFCT_O_DEFAULT; unsigned int op_flags = 0; @@ -2239,7 +2278,7 @@ static int dump_exp_cb(enum nf_conntrack_msg_type type, nfexp_snprintf(buf,sizeof(buf), exp, NFCT_T_UNKNOWN, op_type, op_flags); printf("%s\n", buf); - counter++; + cmd_counters[cmd->cmd]++; return NFCT_CB_CONTINUE; } @@ -2248,6 +2287,7 @@ static int event_exp_cb(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data) { char buf[1024]; + struct ct_cmd *cmd = data; unsigned int op_type = NFCT_O_DEFAULT; unsigned int op_flags = 0; @@ -2271,7 +2311,7 @@ static int event_exp_cb(enum nf_conntrack_msg_type type, nfexp_snprintf(buf,sizeof(buf), exp, type, op_type, op_flags); printf("%s\n", buf); fflush(stdout); - counter++; + cmd_counters[cmd->cmd]++; return NFCT_CB_CONTINUE; } @@ -2280,7 +2320,9 @@ static int count_exp_cb(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data) { - counter++; + struct ct_cmd *cmd = data; + + cmd_counters[cmd->cmd]++; return NFCT_CB_CONTINUE; } @@ -2396,7 +2438,9 @@ static void nfct_mnl_socket_close(void) } static int -nfct_mnl_dump(uint16_t subsys, uint16_t type, mnl_cb_t cb, uint8_t family) +nfct_mnl_dump(uint16_t subsys, uint16_t type, + mnl_cb_t cb, void *data, + uint8_t family) { char buf[MNL_SOCKET_BUFFER_SIZE]; struct nlmsghdr *nlh; @@ -2411,7 +2455,7 @@ nfct_mnl_dump(uint16_t subsys, uint16_t type, mnl_cb_t cb, uint8_t family) res = mnl_socket_recvfrom(sock.mnl, buf, sizeof(buf)); while (res > 0) { res = mnl_cb_run(buf, res, nlh->nlmsg_seq, sock.portid, - cb, NULL); + cb, data); if (res <= MNL_CB_STOP) break; @@ -2581,6 +2625,7 @@ static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data) { struct nf_conntrack *ct; char buf[4096]; + struct ct_cmd *cmd = data; ct = nfct_new(); if (ct == NULL) @@ -2593,7 +2638,7 @@ static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data) nfct_destroy(ct); - counter++; + cmd_counters[cmd->cmd]++; return MNL_CB_OK; } @@ -3051,6 +3096,10 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) } } + if (!command) + /* invalid args */ + exit_error(PARAMETER_PROBLEM, "invalid cmd line syntax"); + /* default family only for the following commands */ if (family == AF_UNSPEC) { switch (command) { @@ -3106,11 +3155,14 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) ct_cmd->socketbuffersize = socketbuffersize; } -static int do_command_ct(const char *progname, struct ct_cmd *cmd) +static void do_command_ct(const char *progname, struct ct_cmd *cmd) { struct nfct_filter_dump *filter_dump; int res = 0; + assert(cmd->cmd < sizeof(cmd_counters) / sizeof(cmd_counters[0])); + cmd_executed |= cmd->command; + switch(cmd->command) { case CT_LIST: if (cmd->type == CT_TABLE_DYING) { @@ -3119,7 +3171,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_DYING, - mnl_nfct_dump_cb, cmd->family); + mnl_nfct_dump_cb, cmd, cmd->family); nfct_mnl_socket_close(); break; @@ -3129,7 +3181,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_UNCONFIRMED, - mnl_nfct_dump_cb, cmd->family); + mnl_nfct_dump_cb, cmd, cmd->family); nfct_mnl_socket_close(); break; @@ -3182,7 +3234,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfexp_callback_register(cth, NFCT_T_ALL, dump_exp_cb, NULL); + nfexp_callback_register(cth, NFCT_T_ALL, dump_exp_cb, cmd); res = nfexp_query(cth, NFCT_Q_DUMP, &cmd->family); nfct_close(cth); @@ -3211,7 +3263,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) res = nfct_query(cth, NFCT_Q_CREATE, cmd->tmpl.ct); if (res != -1) - counter++; + cmd_counters[cmd->cmd]++; nfct_close(cth); break; @@ -3303,7 +3355,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfexp_callback_register(cth, NFCT_T_ALL, dump_exp_cb, NULL); + nfexp_callback_register(cth, NFCT_T_ALL, dump_exp_cb, cmd); res = nfexp_query(cth, NFCT_Q_GET, cmd->tmpl.exp); nfct_close(cth); break; @@ -3424,7 +3476,7 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd) exit_error(OTHER_PROBLEM, "Can't open handler"); signal(SIGINT, exp_event_sighandler); signal(SIGTERM, exp_event_sighandler); - nfexp_callback_register(cth, NFCT_T_ALL, event_exp_cb, NULL); + nfexp_callback_register(cth, NFCT_T_ALL, event_exp_cb, cmd); res = nfexp_catch(cth); nfct_close(cth); break; @@ -3468,10 +3520,10 @@ try_proc_count: if (!cth) exit_error(OTHER_PROBLEM, "Can't open handler"); - nfexp_callback_register(cth, NFCT_T_ALL, count_exp_cb, NULL); + nfexp_callback_register(cth, NFCT_T_ALL, count_exp_cb, cmd); res = nfexp_query(cth, NFCT_Q_DUMP, &cmd->family); nfct_close(cth); - printf("%d\n", counter); + printf("%d\n", cmd_counters[cmd->cmd]); break; case CT_STATS: /* If we fail with netlink, fall back to /proc to ensure @@ -3482,7 +3534,7 @@ try_proc_count: res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS_CPU, - nfct_stats_cb, AF_UNSPEC); + nfct_stats_cb, NULL, AF_UNSPEC); nfct_mnl_socket_close(); @@ -3501,7 +3553,7 @@ try_proc_count: res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK_EXP, IPCTNL_MSG_EXP_GET_STATS_CPU, - nfexp_stats_cb, AF_UNSPEC); + nfexp_stats_cb, NULL, AF_UNSPEC); nfct_mnl_socket_close(); @@ -3533,15 +3585,6 @@ try_proc: free_options(); if (labelmap) nfct_labelmap_destroy(labelmap); - - if (cmd->command && exit_msg[cmd->cmd][0]) { - fprintf(stderr, "%s v%s (conntrack-tools): ",PROGNAME,VERSION); - fprintf(stderr, exit_msg[cmd->cmd], counter); - if (counter == 0 && !(cmd->command & (CT_LIST | EXP_LIST))) - return EXIT_FAILURE; - } - - return EXIT_SUCCESS; } int main(int argc, char *argv[]) @@ -3560,5 +3603,7 @@ int main(int argc, char *argv[]) do_parse(cmd, argc, argv); - return do_command_ct(argv[0], cmd); + do_command_ct(argv[0], cmd); + + return print_cmd_counters(); } From patchwork Fri Jan 29 21:24:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433544 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=CnAJcp4d; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9Pq5dKRz9s1l for ; Sat, 30 Jan 2021 08:26:23 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233272AbhA2V0Q (ORCPT ); Fri, 29 Jan 2021 16:26:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233454AbhA2VZ7 (ORCPT ); Fri, 29 Jan 2021 16:25:59 -0500 Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3690AC0613D6 for ; Fri, 29 Jan 2021 13:25:19 -0800 (PST) Received: by mail-ed1-x532.google.com with SMTP id z22so12212745edb.9 for ; Fri, 29 Jan 2021 13:25:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=n8vJceBMMYCQ8JIumv0N1HCIgk6n9/a9VY0by/5BQqo=; b=CnAJcp4dm8WFBkJP5G/+XdbBhXbVZrGqSAZEpK3UqJiBRGB+jan4es5Qsld3LZSmJD 2TRGKhpno8hHHcKXwirs2BLdsUAxzNqKAIZ8RqxAj+CkhfBiBLB3yBLPZChfV4hpRcsQ DjRk+DDdCGny1qFvsT1SfJ6+HDNlrFaHKRAM6FswaGESrJjniEzUV5RAowh50+EOwZj7 3JjKqOMSeOJFGTe2TAl4JmaCcZt77/cRWs9Aq49H5S5Kr6RP9lw+3YJojg05bHGbeon2 KzQMPoXNSm6RlSBGeUpmFtQIJsqdM8uKdLtX0lmUFayq7QYGXeO0T7WH8WPuA/GyTYUj zJng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=n8vJceBMMYCQ8JIumv0N1HCIgk6n9/a9VY0by/5BQqo=; b=fupxX+yEMXXExIr5BTh5VDupLWGVOlVXXuavKW616zp4h5KSZSbDTtupuYl6Uch4Sj tEvL/MWtNm4lMGOzi5IpgmMrX3D7/FZQEUdsK8v5PCFYQbuy5AIDjUwKn/3tCyd91kxf Mq1RHIPG7hDc5HY8T/xz4QcfXVCeb/nR79Z4JIcQlsRFX7mu5DjFmzFweAjPxVodCd3a U0Z3yTQB1Cu6So1tj1GvnVW3xi2t6QIEZZrqohoThQJlYtQqZseRd5CkTnlq8JKgzM7W Y8gq3FMVglvPharsGChY5ONR3PoyRZmdAMqGbfhJYdYcdhgKPBYpsaKLzDElKkQpP/0t tcIA== X-Gm-Message-State: AOAM5318WRYmgzWF2JfPRljlZ+O8k1/tk0UXIN46BfGnsWCqPzOyoPHG y3acJfm+Hr1REDUU5jYVWDeXU4WQB/fZxg== X-Google-Smtp-Source: ABdhPJxIxk8MBPfA0JDLK5XM1QyAtvyqyVAp/VuUHAeN4lHNxvxdzuCgBVEn1jJG4fiqvPbKS0z4zg== X-Received: by 2002:a05:6402:2288:: with SMTP id cw8mr7333813edb.161.1611955517782; Fri, 29 Jan 2021 13:25:17 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:17 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 4/8] conntrack: introduce ct_cmd_list Date: Fri, 29 Jan 2021 22:24:48 +0100 Message-Id: <20210129212452.45352-5-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org As a multicommand support preparation, add support for the ct_cmd_list, which represents a list of ct_cmd elements. Currently only a single entry generated from the command line arguments is created. Signed-off-by: Mikhail Sennikovsky --- src/conntrack.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 66 insertions(+), 3 deletions(-) diff --git a/src/conntrack.c b/src/conntrack.c index 4783825..1719ca9 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -598,6 +598,19 @@ static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = { CT_OPT_REPL_SRC | CT_OPT_REPL_DST, }; +#define CT_COMMANDS_LOAD_FILE_ALLOWED ( 0 \ + | CT_CREATE \ + | CT_UPDATE_BIT \ + | CT_DELETE \ + | CT_FLUSH \ + | EXP_CREATE \ + | EXP_DELETE \ + | EXP_FLUSH \ + ) + +static unsigned int cmd_allowed = ~0; + + static LIST_HEAD(proto_list); static struct nfct_labelmap *labelmap; @@ -1250,6 +1263,9 @@ add_command(unsigned int *cmd, const int newcmd) { if (*cmd) exit_error(PARAMETER_PROBLEM, "Invalid commands combination"); + if (!(cmd_allowed & newcmd)) + exit_error(PARAMETER_PROBLEM, + "Command can not be used in the current mode"); *cmd |= newcmd; } @@ -1472,6 +1488,10 @@ struct ct_cmd { struct ct_tmpl tmpl; }; +struct ct_cmd_list { + struct list_head list; +}; + static int filter_label(const struct nf_conntrack *ct, const struct ct_tmpl *tmpl) { @@ -3155,6 +3175,19 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[]) ct_cmd->socketbuffersize = socketbuffersize; } +static struct ct_cmd *ct_cmd_create(int argc, char *argv[]) +{ + struct ct_cmd *ct_cmd; + + ct_cmd = calloc(1, sizeof(*ct_cmd)); + if (!ct_cmd) + exit_error(OTHER_PROBLEM, "cmd alloc failed!!"); + + do_parse(ct_cmd, argc, argv); + + return ct_cmd; +} + static void do_command_ct(const char *progname, struct ct_cmd *cmd) { struct nfct_filter_dump *filter_dump; @@ -3587,9 +3620,37 @@ try_proc: nfct_labelmap_destroy(labelmap); } +static void ct_cmd_list_init(struct ct_cmd_list *list) +{ + memset(list, 0, sizeof(*list)); + INIT_LIST_HEAD(&list->list); +} + +static void ct_cmd_list_add(struct ct_cmd_list *list, struct ct_cmd *cmd) +{ + list_add_tail(&cmd->list_entry, &list->list); +} + +static void ct_cmd_list_apply(struct ct_cmd_list *list, const char *progname) +{ + struct ct_cmd *cmd, *tmp; + + list_for_each_entry_safe(cmd, tmp, &list->list, list_entry) { + list_del(&cmd->list_entry); + do_command_ct(progname, cmd); + free(cmd); + } +} + +static void ct_cmd_list_parse_argv(struct ct_cmd_list *list, + int argc, char *argv[]) +{ + ct_cmd_list_add(list, ct_cmd_create(argc, argv)); +} + int main(int argc, char *argv[]) { - struct ct_cmd _cmd = {}, *cmd = &_cmd; + struct ct_cmd_list list; register_tcp(); register_udp(); @@ -3601,9 +3662,11 @@ int main(int argc, char *argv[]) register_gre(); register_unknown(); - do_parse(cmd, argc, argv); + ct_cmd_list_init(&list); + + ct_cmd_list_parse_argv(&list, argc, argv); - do_command_ct(argv[0], cmd); + ct_cmd_list_apply(&list, argv[0]); return print_cmd_counters(); } From patchwork Fri Jan 29 21:24:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433546 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=E1zF+eS5; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9QC6l9Sz9s1l for ; Sat, 30 Jan 2021 08:26:43 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233466AbhA2V0l (ORCPT ); Fri, 29 Jan 2021 16:26:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45680 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233369AbhA2V0h (ORCPT ); Fri, 29 Jan 2021 16:26:37 -0500 Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5FD81C0613ED for ; Fri, 29 Jan 2021 13:25:20 -0800 (PST) Received: by mail-ej1-x635.google.com with SMTP id w1so14956480ejf.11 for ; Fri, 29 Jan 2021 13:25:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Pev26Wl8npqOnE2zS5Mqns+dc9VfXdgx8YoOnh20kfQ=; b=E1zF+eS5ZENzAN8uUepEkG1zq/Ru8cFcLiI1pPrZDMAaMYKsy8PKy47+4rUMaODvH2 +NRNIMB+gWhZIRbF38GdV47Qk6Vv7jCMLpyvupzUB8gCGtF7UokFUT3uCxg5833KF0Rz +GlStEzBDH0UbJ/Opot/bJDgIQJIDFQUWqAni7jJT7D9dkXo1bUQy/XMuKsblCy/hdPM hmBcyOY/Ufi2tdtQFtcMjdBX8Lgdo9A45vYfGtai9qcGgI4Yc3bv0k8A5XcsJh4tvNYr CKXLzp3EM/8R2fOvvjh7NanOl8B1rgVZaewBOa+HPYiFHtfjeEaEuGgA7a6JIjRuRxWG DoSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Pev26Wl8npqOnE2zS5Mqns+dc9VfXdgx8YoOnh20kfQ=; b=G12dbX4VjFunkEpCdu8laQTYguk2CDymo59lKbxjZ4Jp4MlI320Nuk/uTqrtQOc6j2 UUk/qw+CYi9tnh1z//jXh6Ve3hPgohItL39vfsYWJmItuZZKzM3A8gT+fxPcMjesJMBo AHcff1giFTqRZkPZ+oSsdKrx45dNufLwM5XJkkvt/Sp/EcMU8wVQ8smR+OBP8RPweb+q Ray7TufFjo4pG7t4dwRPVMZY9BScH4XrvnW4R+QEUBjNGT52FUql2vJUb6x9Ls3iBK5G hNAAABiDYgvP+DonxU/ZXQPpT9mL00DIsdc9BLBRm/+UaID7XCmG/A1ad2bvB2lsFpx8 DGLg== X-Gm-Message-State: AOAM530ht6r7xgcttT60d6B24L9ACD9mNpPbnrLQpALHEg1k5Wx40sRy MturDCPUe88kaLbvZV7HeNNhwzkpoi8L2w== X-Google-Smtp-Source: ABdhPJw2BU37JAWS82NjEWpfqedC7t3rYeCegmIQ2agxfz0a04wcEKZp4Qd+PusqPlu1Bno0GdgfRw== X-Received: by 2002:a17:906:52c1:: with SMTP id w1mr6675019ejn.214.1611955518690; Fri, 29 Jan 2021 13:25:18 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:18 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 5/8] conntrack: accept commands from file Date: Fri, 29 Jan 2021 22:24:49 +0100 Message-Id: <20210129212452.45352-6-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org This commit implements the --load-file option which allows processing conntrack commands stored in file. Most often this would be used as a counter-part for the -o save option, which outputs conntrack entries in the format of the conntrack tool options. This could be useful when one needs to add/update/delete a large set of ct entries with a single conntrack tool invocation. Expected syntax is "conntrack --load-file file". If "-" is given as a file name, stdin is used. No other commands or options are allowed to be specified in conjunction with the --load-file command. It is however possible to specify multiple --load-file file pairs. Example: Copy all entries from ct zone 11 to ct zone 12: conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | \ conntrack --load-file - Signed-off-by: Mikhail Sennikovsky --- src/conntrack.c | 163 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 162 insertions(+), 1 deletion(-) diff --git a/src/conntrack.c b/src/conntrack.c index 1719ca9..97357b0 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -3648,6 +3648,167 @@ static void ct_cmd_list_parse_argv(struct ct_cmd_list *list, ct_cmd_list_add(list, ct_cmd_create(argc, argv)); } +#define MAX_ARGC 255 +struct argv_store { + int argc; + char *argv[MAX_ARGC]; + int argvattr[MAX_ARGC]; +}; + +/* function adding one argument to store, updating argc + * returns if argument added, does not return otherwise */ +static void add_argv(struct argv_store *store, const char *what, int quoted) +{ + if (store->argc + 1 >= MAX_ARGC) + exit_error(PARAMETER_PROBLEM, + "Parser cannot handle more arguments\n"); + if (!what) + exit_error(PARAMETER_PROBLEM, + "Trying to store NULL argument\n"); + + store->argv[store->argc] = strdup(what); + store->argvattr[store->argc] = quoted; + store->argv[++store->argc] = NULL; +} + +static void free_argv(struct argv_store *store) +{ + while (store->argc) { + store->argc--; + free(store->argv[store->argc]); + store->argvattr[store->argc] = 0; + } +} + +struct ct_param_buf { + char buffer[1024]; + int len; +}; + +static void add_param(struct ct_param_buf *param, const char *curchar) +{ + param->buffer[param->len++] = *curchar; + if (param->len >= (int)sizeof(param->buffer)) + exit_error(PARAMETER_PROBLEM, "Parameter too long!"); +} + +static void add_param_to_argv(struct argv_store *store, char *parsestart) +{ + int quote_open = 0, escaped = 0, quoted = 0; + struct ct_param_buf param = {}; + char *curchar; + + /* After fighting with strtok enough, here's now + * a 'real' parser. According to Rusty I'm now no + * longer a real hacker, but I can live with that */ + + for (curchar = parsestart; *curchar; curchar++) { + if (quote_open) { + if (escaped) { + add_param(¶m, curchar); + escaped = 0; + continue; + } else if (*curchar == '\\') { + escaped = 1; + continue; + } else if (*curchar == '"') { + quote_open = 0; + } else { + add_param(¶m, curchar); + continue; + } + } else { + if (*curchar == '"') { + quote_open = 1; + quoted = 1; + continue; + } + } + + switch (*curchar) { + case '"': + break; + case ' ': + case '\t': + case '\n': + if (!param.len) { + /* two spaces? */ + continue; + } + break; + default: + /* regular character, copy to buffer */ + add_param(¶m, curchar); + continue; + } + + param.buffer[param.len] = '\0'; + add_argv(store, param.buffer, quoted); + param.len = 0; + quoted = 0; + } + if (param.len) { + param.buffer[param.len] = '\0'; + add_argv(store, param.buffer, 0); + } +} + +static void ct_cmd_list_parse_line(struct ct_cmd_list *list, + const char *progname, char *buffer) +{ + struct argv_store store = {}; + + /* skip prepended tabs and spaces */ + for (; *buffer == ' ' || *buffer == '\t'; buffer++); + + if (buffer[0] == '\n' + || buffer[0] == '#') + return; + + add_argv(&store, progname, false); + + add_param_to_argv(&store, buffer); + + ct_cmd_list_parse_argv(list, store.argc, store.argv); + + free_argv(&store); +} + +static void ct_cmd_list_parse_file(struct ct_cmd_list *list, + const char *progname, + const char *file_name) +{ + char buffer[10240] = {}; + FILE *file; + + if (!strcmp(file_name, "-")) + file_name = "/dev/stdin"; + + file = fopen(file_name, "r"); + if (!file) + exit_error(PARAMETER_PROBLEM, NULL, + "Failed to open file %s for reading", file_name); + + while (fgets(buffer, sizeof(buffer), file)) + ct_cmd_list_parse_line(list, progname, buffer); +} + +static void ct_cmd_list_parse(struct ct_cmd_list *list, int argc, char *argv[]) +{ + if (argc > 2 + && (!strcmp(argv[1], "-R") + || !strcmp(argv[1], "--load-file"))) { + int i; + + cmd_allowed = CT_COMMANDS_LOAD_FILE_ALLOWED; + + for (i = 2; i < argc; ++i) + ct_cmd_list_parse_file(list, argv[0], argv[i]); + return; + } + ct_cmd_list_parse_argv(list, argc, argv); +} + int main(int argc, char *argv[]) { struct ct_cmd_list list; @@ -3664,7 +3825,7 @@ int main(int argc, char *argv[]) ct_cmd_list_init(&list); - ct_cmd_list_parse_argv(&list, argc, argv); + ct_cmd_list_parse(&list, argc, argv); ct_cmd_list_apply(&list, argv[0]); From patchwork Fri Jan 29 21:24:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433547 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=h0h0O+UL; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9QF2kp2z9s1l for ; Sat, 30 Jan 2021 08:26:45 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233467AbhA2V0n (ORCPT ); Fri, 29 Jan 2021 16:26:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45682 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233380AbhA2V0h (ORCPT ); Fri, 29 Jan 2021 16:26:37 -0500 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF0A4C061786 for ; Fri, 29 Jan 2021 13:25:20 -0800 (PST) Received: by mail-ed1-x530.google.com with SMTP id c6so12249998ede.0 for ; Fri, 29 Jan 2021 13:25:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=JrJr3kAp1AOA2MAWe4av0IDZUY9ujH+yzKZciZ9I8K8=; b=h0h0O+ULUWibdZrldDpnXWbqlKKvHayO543aIFQb8WXe6N2648tRl/gKf9VCurgOlk 90EuxGEeh2ivOqV95xiFzZtPZ4Fy9J7otluQClDzytZZD5cl0NVUBR44ucbdKojrshVO 5upu/YHJR5XBwvG4AS7aQPJdS1/UzWI/I9dRqhbW2Wx6q+WgiCJCKEwaXDfoRw4Xruoo 9EGDcnv2qyW0Sp18RJbsy7maHTwa1xqsIicfh0z6IlWuI9yosF8+gJY8+oybQwSTnUWs ZlXzYV5qGmJcePuZJiHOuSDdXX2cf60/OOLOZ2r3WD5JCMGPSkas1ggtjE+5EjXg2iEp 4feA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=JrJr3kAp1AOA2MAWe4av0IDZUY9ujH+yzKZciZ9I8K8=; b=FonHOf5G+A0MicVVuMa1N+BaG4RL4+hmlmzTFONlStR2WY0qm0hd847dKTVktb3R5o fcnS78/fb5ITRswL5OaeyVtEcaXIOVGe9wR+SvRkN6Ylvt7S3ghgTvimELROk39ksOBy db8Fk+fnRaN8rB2rKvIYMQBQRrxrpTUT+FiZuzG9AMm0E+RO/Cni1rfFqd+k42/PV3A8 7bn7Hii6WAgM8bN142vaTTLQQfytTOmoIEvGfe9ZK/3ycmW+ejTKseXznhKdW23T3q8w A+Dw8L1DuReAJ503k76S0ofKT5pT/KStQkMHXzmwMktJChjxPwWU5cJMK33F8OuUMk0f IwgQ== X-Gm-Message-State: AOAM531EsAdZMPoc6MPfMbArd5r5G1UpOFZXHckSB6YPUTj7Fkid1Y8s E0tqzc73FXvWKKFiogatW1lACubl3aUZEw== X-Google-Smtp-Source: ABdhPJz2XflXIgEVLi7H3CpYrv6h/fxBdDwdbLdlusaWrIJ6foWBGPKutyHhjjrB7BuwDPw2HRJJ/w== X-Received: by 2002:a05:6402:160f:: with SMTP id f15mr7434488edv.348.1611955519368; Fri, 29 Jan 2021 13:25:19 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:18 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 6/8] conntrack.8: man update for --load-file support Date: Fri, 29 Jan 2021 22:24:50 +0100 Message-Id: <20210129212452.45352-7-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Mikhail Sennikovsky --- conntrack.8 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/conntrack.8 b/conntrack.8 index 898daae..a14cca6 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -23,6 +23,8 @@ conntrack \- command line interface for netfilter connection tracking .BR "conntrack -C [table]" .br .BR "conntrack -S " +.br +.BR "conntrack -R file" .SH DESCRIPTION The \fBconntrack\fP utilty provides a full featured userspace interface to the Netfilter connection tracking system that is intended to replace the old @@ -102,6 +104,9 @@ Show the table counter. .TP .BI "-S, --stats " Show the in-kernel connection tracking system statistics. +.TP +.BI "-R, --load-file " +Load entries from a given file. To read from stdin, "\-" should be specified. .SS PARAMETERS .TP @@ -394,6 +399,9 @@ Delete all flow whose source address is 1.2.3.4 .TP .B conntrack \-U \-s 1.2.3.4 \-m 1 Set connmark to 1 of all the flows whose source address is 1.2.3.4 +.TP +.B conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | conntrack --load-file - +Copy all entries from ct zone 11 to ct zone 12 .SH BUGS Please, report them to netfilter-devel@vger.kernel.org or file a bug in From patchwork Fri Jan 29 21:24:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433548 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=OY+e4bGF; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9QH6QGqz9s1l for ; Sat, 30 Jan 2021 08:26:47 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233468AbhA2V0q (ORCPT ); Fri, 29 Jan 2021 16:26:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233463AbhA2V0j (ORCPT ); Fri, 29 Jan 2021 16:26:39 -0500 Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18E4FC061788 for ; Fri, 29 Jan 2021 13:25:22 -0800 (PST) Received: by mail-ej1-x62b.google.com with SMTP id l9so15029687ejx.3 for ; Fri, 29 Jan 2021 13:25:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Zb9R1+Y42x5d8PEpk+2UZ9me3FesaiP5esGofrPJMdY=; b=OY+e4bGFC3QBKGxgFygYv0ruWsf/XlIV1Ni+GhdEqGJPqwB7UfN2FzaIToGrc4uBOR GNFTuGAc9jdaQTSUsp9gKhd6HqxmaqFhCUgFGdq2qnT31W0h2J9WN+dqAzsP2MSiNocJ DtasUPpLICi53KC/jSyPool77O4DmyZG8oo57n9Pp8JdUykJHlMNjkvwBMMGCWp140ZN qKVwh3TABWCyWly1F0HDR0SRINglrnrdkrSBXR40GAitoS+7MmGKvS28Iu8YYqQ17R2b S9hDSN+nOtXF+h7hhSn5n3rehttF7IHnCZxfX2zmQhOZJwHjwJPs11hMACz2vEoXvOqp KkiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Zb9R1+Y42x5d8PEpk+2UZ9me3FesaiP5esGofrPJMdY=; b=diiZrTKu1EyRWFR1LQ3bcDmFHMMF15zwzXt50tuZ43+fAfgCuQQ1CAinx/J/lINKH4 eZ45DDo/SUl7J4pVzKYRKRrswrx1oOrZLFYNovoZnRZEPyPnqixNI2OseCCXNIU7IS2R agzn2Qjb5w8td7EfFejZtQlukEr7kP+PCtaXFy6hfoRTtnXxV8Hvqa8LdFFqM8wgwTIl zV51J8mIBfzlnzAbDJt2O+ID7npbU9OI9DEbiRvGFOhoWHbE/e+9wR5hKh8g6A9vjkuS VdpVguYKFfHa7oj6yVJQzfF4LvaBeyQtofPqcXZHUVcUa6s9mg4l55hDNeG+YPLBUC5P DM/Q== X-Gm-Message-State: AOAM530WPa+46y0nen8FR8tRjTJdusZg1lU8v6Zq1Yfx0bRHNh+l77Rd 1NprGA15R/wXzKId7dJfJ4odRms12sFt8w== X-Google-Smtp-Source: ABdhPJw4Jk2NCaORwi7ay02AoeQULkPo1bxLyU92bIhq+KACqxD0nPsml6E9ThbCtJ0HB4EGFjSiBg== X-Received: by 2002:a17:906:8611:: with SMTP id o17mr6421003ejx.145.1611955520310; Fri, 29 Jan 2021 13:25:20 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:19 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 7/8] tests: saving and loading ct entries, save format Date: Fri, 29 Jan 2021 22:24:51 +0100 Message-Id: <20210129212452.45352-8-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Mikhail Sennikovsky --- tests/conntrack/test-conntrack.c | 84 ++++++++++++++++++++++++----- tests/conntrack/testsuite/08stdin | 80 +++++++++++++++++++++++++++ tests/conntrack/testsuite/09dumpopt | 77 ++++++++++++++++++++++++++ 3 files changed, 229 insertions(+), 12 deletions(-) create mode 100644 tests/conntrack/testsuite/08stdin create mode 100644 tests/conntrack/testsuite/09dumpopt diff --git a/tests/conntrack/test-conntrack.c b/tests/conntrack/test-conntrack.c index 76ab051..372e025 100644 --- a/tests/conntrack/test-conntrack.c +++ b/tests/conntrack/test-conntrack.c @@ -28,6 +28,23 @@ int main() struct dirent *dent; char file[1024]; int i,n; + char cmd_buf[1024 * 8]; + int i_cmd_buf = 0; + char cmd, cur_cmd = 0; + char *cmd_opt; + +#define cmd_strappend(_s) do { \ + char * pos = stpncpy(cmd_buf + i_cmd_buf, _s, sizeof(cmd_buf) - i_cmd_buf); \ + i_cmd_buf = pos - cmd_buf; \ + if (i_cmd_buf == sizeof(cmd_buf)) { \ + printf("buffer full!\n"); \ + exit(EXIT_FAILURE); \ + } \ +} while (0) + +#define cmd_reset() do { \ + i_cmd_buf = 0; \ +} while (0) n = scandir("testsuite", &dents, NULL, alphasort); @@ -48,9 +65,7 @@ int main() } while (fgets(buf, sizeof(buf), fp)) { - char tmp[1024] = CT_PROG, *res; - tmp[strlen(CT_PROG)] = ' '; - + char *res; line++; if (buf[0] == '#' || buf[0] == ' ') @@ -63,27 +78,72 @@ int main() exit(EXIT_FAILURE); } *res = '\0'; - res+=2; + res++; + for (; *res == ' ' || *res == '\t'; res++); + cmd = res[0]; + cmd_opt = &res[1]; + for (; *cmd_opt == ' ' || *cmd_opt == '\t'; cmd_opt++); + res = strchr(cmd_opt, '\n'); + if (res) + *res = '\0'; + + if (cur_cmd && cmd != cur_cmd) { + /* complete current multi-line command */ + switch (cur_cmd) { + case '\n': + cmd_strappend("\" | "); + break; + default: + printf("Internal Error: unexpected multiline command %c", + cur_cmd); + exit(EXIT_FAILURE); + break; + } + + cur_cmd = 0; + } + + switch (cmd) { + case '\n': + if (!cur_cmd) { + cmd_strappend("echo \""); + cur_cmd = cmd; + } else + cmd_strappend("\n"); + cmd_strappend(buf); + continue; + default: + cmd_strappend(CT_PROG); + cmd_strappend(" "); + cmd_strappend(buf); + if (cmd == '|') { + cmd_strappend(" | "); + if (cmd_opt[0]) { + cmd_strappend("sed \""); + cmd_strappend(cmd_opt); + cmd_strappend("\" | "); + } + continue; + } + cmd_reset(); + break; + } - strcpy(tmp + strlen(CT_PROG) + 1, buf); - printf("(%d) Executing: %s\n", line, tmp); + printf("(%d) Executing: %s\n", line, cmd_buf); fflush(stdout); - ret = system(tmp); + ret = system(cmd_buf); if (WIFEXITED(ret) && WEXITSTATUS(ret) == EXIT_SUCCESS) { - if (res[0] == 'O' && - res[1] == 'K') + if (cmd == 'O') ok++; else { bad++; printf("^----- BAD\n"); } } else { - if (res[0] == 'B' && - res[1] == 'A' && - res[2] == 'D') + if (cmd == 'B') ok++; else { bad++; diff --git a/tests/conntrack/testsuite/08stdin b/tests/conntrack/testsuite/08stdin new file mode 100644 index 0000000..38f3b8b --- /dev/null +++ b/tests/conntrack/testsuite/08stdin @@ -0,0 +1,80 @@ +# create +# create a conntrack +-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +# create from reply +-I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; +# create a v6 conntrack +-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +# creae icmp ping request entry +-I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; +-R - ; OK +# create again +-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD +# make sure create again with stdio mode fails as well +-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +-R - ; BAD +-I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; +-R - ; BAD +# empty lines are ignored +; +-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +-R - ; BAD +# spaces or tabs are ignored as well + ; + ; +-I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; +-R - ; BAD +# delete +-D -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; +# empty lines should be just ignored +; +; +# delete reverse +-D -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; +# empty lines with spaces or tabs should be ignored as well + ; + ; + ; + ; + ; + ; +# delete v6 conntrack +-D -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; +# delete icmp ping request entry +-D -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; +; +; +-R - ; OK +# create again - should succeed now +-I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK +-I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; OK +-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK +-I -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# delete again (for cleanup) +-D -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; +-D -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; +-D -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; +-D -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; +; +-R - ; OK +# delete no entries - should return err +-D -w 123 ; BAD +# delete no entries via stdin - should return err as well +-D -w 123 ; +-R - ; BAD +# delete no entries in parallel with adding entries via stdin - should succeed +# -D and -I should work in parallel +-D -w 123 ; +-I -w 123 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +-R - ; OK +# now deleting entries should return success +-D -w 123 ; +-R - ; OK +# should fail again +-D -w 123 ; +-R - ; BAD +# validate it via standard command line way +-D -w 123 ; BAD \ No newline at end of file diff --git a/tests/conntrack/testsuite/09dumpopt b/tests/conntrack/testsuite/09dumpopt new file mode 100644 index 0000000..0d5d9d4 --- /dev/null +++ b/tests/conntrack/testsuite/09dumpopt @@ -0,0 +1,77 @@ +# test opts output for -L +# create +# create a conntrack +-I -w 10 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +# create from reply +-I -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; +# create a v6 conntrack +-I -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +# creae icmp ping request entry +-I -w 10 -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; +-R - ; OK +# copy ipv4 bits to zone 11 +-L -w 10 -o save -f ipv4 ; |s/-w 10/-w 11/g +-R - ; OK +# copy ipv6 bits to zone 11 +-L -w 10 -o save -f ipv6 ; |s/-w 10/-w 11/g +-R - ; OK +# create again in zone 11 +-I -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -w 11 -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD +# delete new entries +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; OK +# delete reverse +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK +# delete v6 conntrack +-D -w 11-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK +# delete icmp ping request entry +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# delete old entries +-D -w 10 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; OK +# delete reverse +-D -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK +# delete v6 conntrack +-D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK +# delete icmp ping request entry +-D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# +# now test opts output for -D +# create entries again +# create a conntrack +-I -w 10 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +# create from reply +-I -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; +# create a v6 conntrack +-I -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; +# creae icmp ping request entry +-I -w 10 -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; +-R - ; OK +# move ipv4 bits to zone 11 +-D -w 10 -o save -f ipv4 ; |s/-w 10/-w 11/g; s/-D /-I /g +-R - ; OK +# move ipv6 bits to zone 11 +-D -w 10 -o save -f ipv6 ; |s/-w 10/-w 11/g; s/-D /-I /g +-R - ; OK +# create again in zone 11 +-I -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-I -w 11 -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD +# delete new entries +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; OK +# delete reverse +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK +# delete v6 conntrack +-D -w 11-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK +# delete icmp ping request entry +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# delete old entries +-D -w 10 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD +# delete reverse +-D -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; BAD +# delete v6 conntrack +-D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD +# delete icmp ping request entry +-D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD \ No newline at end of file From patchwork Fri Jan 29 21:24:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Sennikovsky X-Patchwork-Id: 1433549 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=cloud.ionos.com header.i=@cloud.ionos.com header.a=rsa-sha256 header.s=google header.b=OqFc8z8p; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4DS9QL1sbZz9s1l for ; Sat, 30 Jan 2021 08:26:50 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233462AbhA2V0r (ORCPT ); Fri, 29 Jan 2021 16:26:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45694 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233464AbhA2V0j (ORCPT ); Fri, 29 Jan 2021 16:26:39 -0500 Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFFE8C06178A for ; Fri, 29 Jan 2021 13:25:22 -0800 (PST) Received: by mail-ed1-x52a.google.com with SMTP id n6so12175129edt.10 for ; Fri, 29 Jan 2021 13:25:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloud.ionos.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=3X2wXxBUihvqIB1oIHiX25oeZflLxd7tMXgNghpOdEA=; b=OqFc8z8pTIL/1IpVVDRFI6+/EcbwQQTtdhy35hSIyWCIuRzbqvQp1kc8wPwiJkpcsz GB5/d8N5k86IxIAGC9nnCehGy1nLio4+MHL+Zr+H2Ncg2U0dOkZBg7TZvUxjREHKZAWz CACPhAitLUuvmfka4iNJeAeawklWOz9AZvCaevpsYya6sutX5EYtUmpL7I5KhIiH75LS N9agPCfy9C3FxwqQEx4rRP+LiPK2wvF0feTgWDU5cxYVGLCrgSUjuOtEgoKHTdJV7r5B teq0JaRbAFU7BOagOhQuOvaHZgrfsiaftgq5V1Py27Cp+JMr1vGYIGOOJSwCsktDferO MxTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=3X2wXxBUihvqIB1oIHiX25oeZflLxd7tMXgNghpOdEA=; b=hyZKWFtrfo+qhSNz3ojPk2vkpsWF08cxfng4HdD+i/VQJlF0UcnNg6Ma0mtEwIR9wo Mcl8fxoUMjKA/Qb1ROxslAjRbV3SittmvwfYGbEHQQ/iSGi5z78TLHKZmAUrPLoFFHot 7/l9etDpY8O0VGx9F0YK9bSgeHAMxqIwfGos9ZHirU88IgpFujoicgYHOnY7ure2CnTz 7c+HJmqcM5XSsQan/FjBWWQEYmkL6+WNlfHvcVBAwht8UyX+eQ1oJ6raGx1fpKjpelAa zUiOZHnXMnEZn2kTWVUTgYqSApDkeSQccjvFX2u9EcRCfuMya/Lt0bgTz4mBE2ShZ2D7 le0A== X-Gm-Message-State: AOAM533JLRlI88MgHuQzizaPNkrymKTqiIwxrCtAYRJNLnvCdX+kdPjg Fd12afMkDI3jYfrd4W2U/JDbOmArInnQMA== X-Google-Smtp-Source: ABdhPJy0hm7hYqyicRV0Yg49xIymWapxlNsW5imDGfBGrahgzffMxWw0UUSmjwe3U5DFEVFlIlEXbQ== X-Received: by 2002:a50:cf02:: with SMTP id c2mr7364814edk.333.1611955521078; Fri, 29 Jan 2021 13:25:21 -0800 (PST) Received: from msennikovskii4.fkb.profitbricks.net (ip5f5bd4ff.dynamic.kabel-deutschland.de. [95.91.212.255]) by smtp.gmail.com with ESMTPSA id q2sm5143218edv.93.2021.01.29.13.25.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 13:25:20 -0800 (PST) From: Mikhail Sennikovsky To: netfilter-devel@vger.kernel.org, pablo@netfilter.org Cc: Mikhail Sennikovsky Subject: [PATCH v3 8/8] tests: conntrack -L/-D ip family filtering Date: Fri, 29 Jan 2021 22:24:52 +0100 Message-Id: <20210129212452.45352-9-mikhail.sennikovskii@cloud.ionos.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> References: <20210129212452.45352-1-mikhail.sennikovskii@cloud.ionos.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Tests to cover conntrack -L and conntrack -D with and w/o family (-f) specfied. conntrack -L and contnrack -D shold list/delete both IPv4 and IPv6 entries if no family is specified, and should ony display the corresponding entries if the family is given. Signed-off-by: Mikhail Sennikovsky --- tests/conntrack/testsuite/09dumpopt | 72 ++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 1 deletion(-) diff --git a/tests/conntrack/testsuite/09dumpopt b/tests/conntrack/testsuite/09dumpopt index 0d5d9d4..447590b 100644 --- a/tests/conntrack/testsuite/09dumpopt +++ b/tests/conntrack/testsuite/09dumpopt @@ -74,4 +74,74 @@ # delete v6 conntrack -D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD # delete icmp ping request entry --D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD \ No newline at end of file +-D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD +# +# Additional tests to check that family attribute is treated properly +# for -L and -D commands +# namely: +# - if family (-f) is given - only entries of the given family are dumped/deleted +# - if no family is given - entries of both ipv4 and ipv6 families are dumped/deleted +# First create some ipv4 and ipv6 entries +-I -w 10 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK +-I -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; OK +-I -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK +-I -w 10 -t 29 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# dump all entries to zone 11 +-L -w 10 -o save; |s/-w 10/-w 11/g +-R - ; OK +# ensure that both ipv4 and ipv6 entries get copied (delete for each of them should succeed) +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY ; OK +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY ; OK +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# dump only ipv4 entries to zone 11 +-L -w 10 -o save -f ipv4; |s/-w 10/-w 11/g +-R - ; OK +# ensure that only ipv4 entries get copied (delete only for ipv4 entries should succeed) +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# dump only ipv6 entries to zone 11 +-L -w 10 -o save -f ipv6; |s/-w 10/-w 11/g +-R - ; OK +# ensure that only ipv6 entries get copied (delete only for ipv6 entries should succeed) +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD +# now test deleting w/ and /o family specified +# for simplicity do it by re-creating entries in zone 11 +# by copying ezisting entries from zone 10 into it +# re-create entries in ct zone 11 +-L -w 10 -o save; |s/-w 10/-w 11/g +-R - ; OK +# delete all entries in zone 11 +-D -w 11 ; OK +# both ipv4 and ipv6 should be deleted +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD +# re-create entries in ct zone 11 +-L -w 10 -o save; |s/-w 10/-w 11/g +-R - ; OK +# delete only ipv4 entries in zone 11 +-D -w 11 -f ipv4 ; OK +# ipv6 should remain +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD + # re-create entries in ct zone 11 +-L -w 10 -o save; |s/-w 10/-w 11/g +-R - ; OK +# delete only ipv6 entries in zone 11 +-D -w 11 -f ipv6 ; OK +# ipv4 should remain +-D -w 11 -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY; OK +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY; BAD +-D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK +# clean up after yourself +-D -w 10 ; OK