1 #include <assert.h>
2 #include <errno.h>
3 #include <stdio.h>
4 #include <stdlib.h>
5 #include <netinet/in.h>
6 
7 #include <libmnl/libmnl.h>
8 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
9 
10 #include "nssocket.h"
11 
/*
 * Expect the first half of a TCP conversation's conntrack events.
 *
 * Judging by the callback names, the events consumed in order are NEW,
 * SYN_RECV and ESTABLISHED; the final handle_qacb() call with a false
 * flag and no callback presumably checks that nothing further arrives
 * (confirm in nssocket.h).  The "pre" FIFO is used to rendezvous with the
 * peer before listening, the "post" FIFO once all events are consumed.
 */
static void tcp_echo_before_fin(const struct mnl_socket *nl,
				const char *pre, const char *post)
{
	uint8_t l4proto = IPPROTO_TCP;

	sync_fifo(pre);
	/* (re)arm the receive timeout shared with the nssocket helpers */
	timeout.tv_sec = INIT_TIMEOUT;

	handle_qacb(nl, true, cb_tcp_new, &l4proto);
	handle_qacb(nl, true, cb_tcp_syn_recv, &l4proto);
	handle_qacb(nl, true, cb_tcp_established, &l4proto);
	handle_qacb(nl, false, NULL, NULL);

	sync_fifo(post);
}
25 
/*
 * Expect the second half of a TCP conversation's conntrack events.
 *
 * Judging by the callback names, the events consumed in order are
 * FIN_WAIT, CLOSE_WAIT, CLOSE and the final DESTROY; the trailing
 * handle_qacb() call with a false flag and no callback presumably checks
 * that nothing further arrives (confirm in nssocket.h).  "pre" and
 * "post" are the FIFOs used to rendezvous with the peer before and after.
 */
static void tcp_echo_after_fin(const struct mnl_socket *nl,
			       const char *pre, const char *post)
{
	uint8_t l4proto = IPPROTO_TCP;

	sync_fifo(pre);
	/* (re)arm the receive timeout shared with the nssocket helpers */
	timeout.tv_sec = INIT_TIMEOUT;

	handle_qacb(nl, true, cb_tcp_fin_wait, &l4proto);
	handle_qacb(nl, true, cb_tcp_close_wait, &l4proto);
	handle_qacb(nl, true, cb_tcp_close, &l4proto);
	handle_qacb(nl, true, cb_tcp_destroy, &l4proto);
	handle_qacb(nl, false, NULL, NULL);

	sync_fifo(post);
}
40 
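/*
 * Mark filter {val = 0, mask = 0}.
 *
 * A zero mask clears every mark bit before the comparison, so no
 * connection can be rejected and the complete TCP event stream
 * (tcp_echo) must be delivered.
 *
 * The attach/detach results are checked with a separate variable rather
 * than inside assert(): under NDEBUG the whole assert expression is
 * removed, which would silently skip attaching the filter.
 */
static void filter_mark_zero(const struct mnl_socket *nl,
			     const char *pre, const char *post)
{
	struct nfct_filter *filter = nfct_filter_create();
	/* C99 designated initializers replace the obsolete GCC "val:" form */
	struct nfct_filter_dump_mark mark = { .val = 0, .mask = 0 };
	int ret;

	assert(filter != NULL);
	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);

	ret = nfct_filter_attach(mnl_socket_get_fd(nl), filter);
	assert(ret != -1);
	/* the filter object is no longer needed once attached to the socket */
	nfct_filter_destroy(filter);

	tcp_echo(nl, pre, post);

	ret = nfct_filter_detach(mnl_socket_get_fd(nl));
	assert(ret != -1);
}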
53 
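/*
 * Mark filter {val = 1, mask = 1}: only connections with bit 0 of the
 * mark set pass.
 *
 * The test expects just the post-FIN half of the event stream, so the
 * peer presumably sets mark bit 0 once the connection is established --
 * confirm against the test harness.
 *
 * The attach/detach results are checked with a separate variable rather
 * than inside assert(): under NDEBUG the whole assert expression is
 * removed, which would silently skip attaching the filter.
 */
static void filter_mark_1_1(const struct mnl_socket *nl,
			    const char *pre, const char *post)
{
	struct nfct_filter *filter = nfct_filter_create();
	/* C99 designated initializers replace the obsolete GCC "val:" form */
	struct nfct_filter_dump_mark mark = { .val = 1, .mask = 1 };
	int ret;

	assert(filter != NULL);
	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);

	ret = nfct_filter_attach(mnl_socket_get_fd(nl), filter);
	assert(ret != -1);
	/* the filter object is no longer needed once attached to the socket */
	nfct_filter_destroy(filter);

	tcp_echo_after_fin(nl, pre, post);

	ret = nfct_filter_detach(mnl_socket_get_fd(nl));
	assert(ret != -1);
}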
66 
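/*
 * Negated mark filter {val = 1, mask = 1}: NFCT_FILTER_LOGIC_NEGATIVE
 * inverts the match, so only connections with bit 0 of the mark clear
 * pass.  The expected stream is therefore the pre-FIN half -- the
 * complement of filter_mark_1_1().
 *
 * Every library call whose result matters is kept outside assert():
 * under NDEBUG the whole assert expression is removed, which would
 * silently skip setting the logic and attaching the filter.
 */
static void filter_mark_neg_1_1(const struct mnl_socket *nl,
				const char *pre, const char *post)
{
	struct nfct_filter *filter = nfct_filter_create();
	/* C99 designated initializers replace the obsolete GCC "val:" form */
	struct nfct_filter_dump_mark mark = { .val = 1, .mask = 1 };
	int ret;

	assert(filter != NULL);
	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);
	ret = nfct_filter_set_logic(filter, NFCT_FILTER_MARK,
				    NFCT_FILTER_LOGIC_NEGATIVE);
	assert(ret != -1);

	ret = nfct_filter_attach(mnl_socket_get_fd(nl), filter);
	assert(ret != -1);
	/* the filter object is no longer needed once attached to the socket */
	nfct_filter_destroy(filter);

	tcp_echo_before_fin(nl, pre, post);

	ret = nfct_filter_detach(mnl_socket_get_fd(nl));
	assert(ret != -1);
}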
81 
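/*
 * Negated mark filter {val = 0, mask = 0xfffffffd}.
 *
 * The mask covers every mark bit except bit 1, and the negative logic
 * rejects connections whose masked mark is zero; anything with some
 * other bit set passes.  The test expects the post-FIN half of the
 * stream, consistent with filter_mark_1_1() (mark bit 0 presumably set
 * by the peer after establishment -- confirm against the harness).
 *
 * Every library call whose result matters is kept outside assert():
 * under NDEBUG the whole assert expression is removed, which would
 * silently skip setting the logic and attaching the filter.
 */
static void filter_mark_neg_0_fffffffd(const struct mnl_socket *nl,
				       const char *pre, const char *post)
{
	struct nfct_filter *filter = nfct_filter_create();
	/* C99 designated initializers replace the obsolete GCC "val:" form */
	struct nfct_filter_dump_mark mark = { .val = 0, .mask = 0xfffffffd };
	int ret;

	assert(filter != NULL);
	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);
	ret = nfct_filter_set_logic(filter, NFCT_FILTER_MARK,
				    NFCT_FILTER_LOGIC_NEGATIVE);
	assert(ret != -1);

	ret = nfct_filter_attach(mnl_socket_get_fd(nl), filter);
	assert(ret != -1);
	/* the filter object is no longer needed once attached to the socket */
	nfct_filter_destroy(filter);

	tcp_echo_after_fin(nl, pre, post);

	ret = nfct_filter_detach(mnl_socket_get_fd(nl));
	assert(ret != -1);
}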
96 
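/*
 * Exercise the upper bound on the number of mark entries a filter holds.
 *
 * The library accepts at most __FILTER_MARK_MAX (127) mark entries per
 * filter (see the library's filter implementation).  The first 126
 * entries are {val = 0, mask = 3}, which cannot match a connection whose
 * mark has bit 0 set; the 127th is {val = 1, mask = 1} and must still be
 * added; the 128th is {val = 0, mask = 0}, which would match everything,
 * and must be silently dropped.  If the bound is honoured, only the
 * post-FIN half of the event stream arrives (as in filter_mark_1_1()).
 *
 * The attach/detach results are checked with a separate variable rather
 * than inside assert(): under NDEBUG the whole assert expression is
 * removed, which would silently skip attaching the filter.
 */
static void filter_mark_max(const struct mnl_socket *nl,
			    const char *pre, const char *post)
{
	/* mirrors the library-internal __FILTER_MARK_MAX */
	enum { FILTER_MARK_MAX = 127 };
	struct nfct_filter *filter = nfct_filter_create();
	struct nfct_filter_dump_mark mark;
	int ret;

	assert(filter != NULL);

	/* FILTER_MARK_MAX - 1 entries that do not match mark value 3 */
	for (int i = 0; i < FILTER_MARK_MAX - 1; i++) {
		mark = (struct nfct_filter_dump_mark){ .val = 0, .mask = 3 };
		nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);
	}

	/* entry number FILTER_MARK_MAX: should be added */
	mark = (struct nfct_filter_dump_mark){ .val = 1, .mask = 1 };
	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);

	/* one over FILTER_MARK_MAX: should be ignored */
	mark = (struct nfct_filter_dump_mark){ .val = 0, .mask = 0 };
	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &mark);

	ret = nfct_filter_attach(mnl_socket_get_fd(nl), filter);
	assert(ret != -1);
	/* the filter object is no longer needed once attached to the socket */
	nfct_filter_destroy(filter);

	tcp_echo_after_fin(nl, pre, post);

	ret = nfct_filter_detach(mnl_socket_get_fd(nl));
	assert(ret != -1);
}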
123 
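/*
 * Entry point: main <netns> <pre_fifo> <post_fifo>
 *
 * Opens a conntrack event socket inside the named network namespace and
 * runs each mark-filter scenario in turn, rendezvousing with the peer
 * through the two FIFOs.  Returns whatever fini_nssocket() reports.
 */
int main(int argc, char *argv[])
{
	struct mnl_socket *nl;
	const char *pre, *post;

	if (argc != 4) {
		fprintf(stderr, "usage: %s <netns> <pre_fifo> <post_fifo>\n", argv[0]);
		exit(EXIT_FAILURE);
	}
	pre = argv[2];
	post = argv[3];

	nl = mnl_event_nssocket(argv[1]);
	if (nl == NULL) {
		perror("init_mnl_socket");
		exit(EXIT_FAILURE);
	}

	filter_mark_zero(nl, pre, post);
	filter_mark_1_1(nl, pre, post);
	filter_mark_neg_1_1(nl, pre, post);
	filter_mark_neg_0_fffffffd(nl, pre, post);
	filter_mark_max(nl, pre, post);

	return fini_nssocket();
}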