Signed-off-by: Holger Eitzenberger <holger@xxxxxxxxxxxxxxxx>
Index: ulogd-netfilter/input/flow/ulogd_inpflow_NFCT.c
===================================================================
--- ulogd-netfilter.orig/input/flow/ulogd_inpflow_NFCT.c
+++ ulogd-netfilter/input/flow/ulogd_inpflow_NFCT.c
@@ -41,6 +41,9 @@
 | NF_NETLINK_CONNTRACK_UPDATE \
 | NF_NETLINK_CONNTRACK_DESTROY)
+#define ORIG NFCT_DIR_ORIGINAL
+#define REPL NFCT_DIR_REPLY
+
 /* configuration defaults */
 #define TCACHE_SIZE 8192
 #define SCACHE_SIZE 512
@@ -425,14 +428,17 @@ nfct_msg_type(const struct nlmsghdr *nlh
 }
-/* seq: sequence number used for the request */
+/*
+ * nfct_get_conntrack_seq()
+ *
+ * Do GET_CONNTRACK, return seq# used.
+ */
 static int
-nfct_get_conntrack_x(struct nfct_handle *cth, struct nfct_tuple *t,
- int dir, uint32_t *seq)
+nfct_get_conntrack_seq(struct nfct_handle *cth, struct nfct_tuple *t,
+ uint32_t *seq)
 {
 static char buf[NFNL_BUFFSIZE];
 struct nfnlhdr *req = (void *)buf;
- int cta_dir;
 memset(buf, 0, sizeof(buf));
@@ -444,9 +450,7 @@ nfct_get_conntrack_x(struct nfct_handle
 if (seq != NULL)
 *seq = req->nlh.nlmsg_seq;
- cta_dir = (dir == NFCT_DIR_ORIGINAL) ? CTA_TUPLE_ORIG : CTA_TUPLE_REPLY;
-
- nfct_build_tuple(req, sizeof(buf), t, cta_dir);
+ nfct_build_tuple(req, sizeof(buf), t, CTA_TUPLE_ORIG);
 return nfnl_send(nfct_nfnlh(cth), &req->nlh);
 }
@@ -656,8 +660,8 @@ tcache_cleanup(struct ulogd_pluginstance
 continue;
 /* check if its still there */
- ret = nfct_get_conntrack_x(priv->cth, &ct->tuple,
- NFCT_DIR_ORIGINAL, &ct->last_seq);
+ ret = nfct_get_conntrack_seq(priv->cth, &ct->tuple,
+ &ct->last_seq);
 if (ret < 0) {
 if (errno == EWOULDBLOCK)
 break;
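Review bot: The new header comment on nfct_get_conntrack_seq() says "return seq# used", but the following hunk shows the function returning the result of nfnl_send() and handing the sequence number back only through the optional `seq` pointer (`if (seq != NULL) *seq = req->nlh.nlmsg_seq;`). A caller reading the comment could treat the return value as a sequence number instead of checking it for `< 0`, as tcache_cleanup() does. Suggested wording: `/* Send a GET_CONNTRACK request for original-direction tuple t; store the request's sequence number in *seq when seq is non-NULL; return the nfnl_send() result. */`. Since the request is built in the function-static `buf`, the comment could also state that the function is not reentrant.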
@@ -789,46 +793,48 @@ scache_cleanup(struct ulogd_pluginstance
 static int
 propagate_ct_flow(struct ulogd_pluginstance *upi,
 struct nfct_conntrack *nfct, unsigned int flags,
- int dir, struct conntrack *ct)
+ struct conntrack *ct)
 {
 struct ulogd_key *ret = upi->output.keys;
- ret[O_IP_SADDR].u.value.ui32 = htonl(nfct->tuple[0].src.v4);
+ ret[O_IP_SADDR].u.value.ui32 = htonl(nfct->tuple[ORIG].src.v4);
 ret[O_IP_SADDR].flags |= ULOGD_RETF_VALID;
- ret[O_IP_DADDR].u.value.ui32 = htonl(nfct->tuple[1].src.v4);
+ ret[O_IP_DADDR].u.value.ui32 = htonl(nfct->tuple[REPL].src.v4);
 ret[O_IP_DADDR].flags |= ULOGD_RETF_VALID;
- ret[O_IP_PROTO].u.value.ui8 = nfct->tuple[dir].protonum;
+ ret[O_IP_PROTO].u.value.ui8 = nfct->tuple[ORIG].protonum;
 ret[O_IP_PROTO].flags |= ULOGD_RETF_VALID;
- switch (nfct->tuple[dir].protonum) {
+ switch (nfct->tuple[ORIG].protonum) {
 case IPPROTO_TCP:
 case IPPROTO_UDP:
 case IPPROTO_SCTP: /* FIXME: DCCP */
- ret[O_L4_SPORT].u.value.ui16 = htons(nfct->tuple[0].l4src.tcp.port);
+ ret[O_L4_SPORT].u.value.ui16
+ = htons(nfct->tuple[ORIG].l4src.tcp.port);
 ret[O_L4_SPORT].flags |= ULOGD_RETF_VALID;
- ret[O_L4_DPORT].u.value.ui16 = htons(nfct->tuple[1].l4src.tcp.port);
+ ret[O_L4_DPORT].u.value.ui16
+ = htons(nfct->tuple[REPL].l4src.tcp.port);
 ret[O_L4_DPORT].flags |= ULOGD_RETF_VALID;
 break;
 case IPPROTO_ICMP:
- ret[O_ICMP_CODE].u.value.ui8 = nfct->tuple[dir].l4src.icmp.code;
+ ret[O_ICMP_CODE].u.value.ui8 = nfct->tuple[ORIG].l4src.icmp.code;
 ret[O_ICMP_CODE].flags |= ULOGD_RETF_VALID;
- ret[O_ICMP_TYPE].u.value.ui8 = nfct->tuple[dir].l4src.icmp.type;
+ ret[O_ICMP_TYPE].u.value.ui8 = nfct->tuple[ORIG].l4src.icmp.type;
 ret[O_ICMP_TYPE].flags |= ULOGD_RETF_VALID;
 break;
 }
 if (flags & NFCT_COUNTERS_ORIG) {
- ret[O_RAW_IN_PKTLEN].u.value.ui32 = nfct->counters[0].bytes;
+ ret[O_RAW_IN_PKTLEN].u.value.ui32 = nfct->counters[ORIG].bytes;
 ret[O_RAW_IN_PKTLEN].flags |= ULOGD_RETF_VALID;
- ret[O_RAW_IN_PKTCOUNT].u.value.ui32 = nfct->counters[0].packets;
+ ret[O_RAW_IN_PKTCOUNT].u.value.ui32 = nfct->counters[REPL].packets;
 ret[O_RAW_IN_PKTCOUNT].flags |= ULOGD_RETF_VALID;
- ret[O_RAW_OUT_PKTLEN].u.value.ui32 = nfct->counters[1].bytes;
+ ret[O_RAW_OUT_PKTLEN].u.value.ui32 = nfct->counters[REPL].bytes;
 ret[O_RAW_OUT_PKTLEN].flags |= ULOGD_RETF_VALID;
- ret[O_RAW_OUT_PKTCOUNT].u.value.ui32 = nfct->counters[1].packets;
+ ret[O_RAW_OUT_PKTCOUNT].u.value.ui32 = nfct->counters[REPL].packets;
 ret[O_RAW_OUT_PKTCOUNT].flags |= ULOGD_RETF_VALID;
 }
@@ -870,13 +876,13 @@ propagate_ct(struct ulogd_pluginstance *
 struct nfct_pluginstance *priv = (void *)upi->private;
 do {
- if (nfct->tuple[NFCT_DIR_ORIGINAL].src.v4 == INADDR_LOOPBACK
- || nfct->tuple[NFCT_DIR_ORIGINAL].dst.v4 == INADDR_LOOPBACK)
+ if (nfct->tuple[ORIG].src.v4 == INADDR_LOOPBACK
+ || nfct->tuple[ORIG].dst.v4 == INADDR_LOOPBACK)
 break;
 ct->time[STOP].tv_sec = t_now_local;
- propagate_ct_flow(upi, nfct, flags, NFCT_DIR_ORIGINAL, ct);
+ propagate_ct_flow(upi, nfct, flags, ct);
 } while (0);
 cache_del(priv->tcache, ct);
@@ -900,8 +906,8 @@ do_nfct_msg(struct nlmsghdr *nlh, void *
 bzero(&nfct, sizeof(nfct));
- nfct.tuple[NFCT_DIR_ORIGINAL].l3protonum =
- nfct.tuple[NFCT_DIR_REPLY].l3protonum = nfh->nfgen_family;
+ nfct.tuple[ORIG].l3protonum =
+ nfct.tuple[REPL].l3protonum = nfh->nfgen_family;
 if (nfct_netlink_to_conntrack(nlh, &nfct, &flags) < 0)
 return -1;
@@ -910,7 +916,7 @@ do_nfct_msg(struct nlmsghdr *nlh, void *
 switch (type) {
 case NFCT_MSG_NEW:
- if ((ct = ct_alloc(&nfct.tuple[NFCT_DIR_ORIGINAL])) == NULL)
+ if ((ct = ct_alloc(&nfct.tuple[ORIG])) == NULL)
 return -1;
 if (cache_add(priv->tcache, ct) < 0)
@@ -918,8 +924,7 @@ do_nfct_msg(struct nlmsghdr *nlh, void *
 break;
 case NFCT_MSG_UPDATE:
- ct = tcache_find(pi, &nfct.tuple[NFCT_DIR_ORIGINAL]);
- if (ct == NULL) {
+ if ((ct = tcache_find(pi, &nfct.tuple[ORIG])) == NULL) {
 /* do not add CT to cache, as there would be no start information */
 break;
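Review bot: The rewritten `O_RAW_IN_PKTCOUNT` assignment in propagate_ct_flow() reads `nfct->counters[REPL].packets`, whereas the line it replaces read `counters[0]`, which the rest of this commit maps to `ORIG`; the other three counter lines keep their direction. As written, the inbound and outbound packet counts both carry the reply-direction value, so flow records used for accounting or incident reconstruction would be wrong with no error raised. The line should be `ret[O_RAW_IN_PKTCOUNT].u.value.ui32 = nfct->counters[ORIG].packets;`. The function body continues past the end of this hunk.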
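Review bot: The loopback filter in propagate_ct() compares `nfct->tuple[ORIG].src.v4` and `.dst.v4` directly with `INADDR_LOOPBACK`, a host-byte-order constant that matches 127.0.0.1 only, while propagate_ct_flow() passes the same field through `htonl()` before emitting it. How the library stores `v4` is not visible here; if it is in network order, the comparison would not match on little-endian hosts and loopback flows would be logged rather than skipped. A short comment above the `if`, stating the byte order of `v4` and that only 127.0.0.1 (not 127.0.0.0/8) is excluded, would make the intent checkable. The function starts before this hunk.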
@@ -939,15 +944,14 @@ do_nfct_msg(struct nlmsghdr *nlh, void *
 /* handle TCP connections differently in order not to bloat CT hash with many TIME_WAIT connections */
- if (nfct.tuple[NFCT_DIR_ORIGINAL].protonum == IPPROTO_TCP) {
+ if (nfct.tuple[ORIG].protonum == IPPROTO_TCP) {
 if (nfct.protoinfo.tcp.state == TCP_CONNTRACK_TIME_WAIT)
 return propagate_ct(pi, &nfct, ct, flags);
 }
 break;
 case NFCT_MSG_DESTROY:
- ct = tcache_find(pi, &nfct.tuple[NFCT_DIR_ORIGINAL]);
- if (ct != NULL)
+ if ((ct = tcache_find(pi, &nfct.tuple[ORIG])) != NULL)
 return propagate_ct(pi, &nfct, ct, flags);
 break;
--
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html