[PATCH V2 iptables] extensions: libxt_connlabel: use libnetfilter_conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.

The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).

Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.

So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 Changes since V1:
  - show list of blacklisted modules at end of configure run
  - make -m connlabel depend on (UNRELEASED!) libnetfilter_conntrack 1.0.4
  - mention version dependency in extensions man page

 Makefile.am                    |    4 -
 configure.ac                   |   12 ++++
 etc/xtables/connlabel.conf     |    8 --
 extensions/GNUmakefile.in      |    5 +-
 extensions/libxt_connlabel.c   |  142 ++++++++--------------------------------
 extensions/libxt_connlabel.man |    1 +
 6 files changed, 45 insertions(+), 127 deletions(-)
 delete mode 100644 etc/xtables/connlabel.conf

diff --git a/Makefile.am b/Makefile.am
index 73f1352..c38d360 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,9 +24,5 @@ tarball:
 	tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/;
 	rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
 
-install-data-hook:
-	@mkdir -p -m 755 @sysconfdir@/xtables/ || :
-	@test -f @sysconfdir@/xtables/connlabel.conf || $(INSTALL) -m 644 etc/xtables/connlabel.conf @sysconfdir@/xtables/connlabel.conf || :
-
 config.status: extensions/GNUmakefile.in \
 	include/xtables-version.h.in include/iptables/internal.h.in
diff --git a/configure.ac b/configure.ac
index d209494..be216b0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -82,6 +82,15 @@ if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
 	blacklist_modules="$blacklist_modules ipvs";
 fi;
 
+PKG_CHECK_MODULES([libnetfilter_conntrack], [libnetfilter_conntrack >= 1.0.4],
+	[nfconntrack=1], [nfconntrack=0])
+AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
+
+if test "$nfconntrack" -ne 1; then
+	blacklist_modules="$blacklist_modules connlabel";
+	echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
+fi;
+
 AC_SUBST([blacklist_modules])
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
 
@@ -180,3 +189,6 @@ fi;
 
 echo "  Host:					${host}
   GCC binary:				${CC}"
+
+test x"$blacklist_modules" = "x" || echo "
+Iptables modules that will not be built: $blacklist_modules"
diff --git a/etc/xtables/connlabel.conf b/etc/xtables/connlabel.conf
deleted file mode 100644
index 9167029..0000000
--- a/etc/xtables/connlabel.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# example connlabel.conf mapping file.
-# used by the "connlabel" match to translate names to their bit-value.
-0	eth0-in
-1	eth0-out
-2	ppp-in
-3	ppp-out
-4	bulk-traffic
-5	interactive
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 1ae7f74..14e7c57 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -93,7 +93,7 @@ lib%.so: lib%.oo
 	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
 
 lib%.oo: ${srcdir}/lib%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} ${$*_CFLAGADD} -o $@ -c $<;
 
 libxt_NOTRACK.so: libxt_CT.so
 	ln -fs $< $@
@@ -103,6 +103,9 @@ libxt_state.so: libxt_conntrack.so
 # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
 xt_RATEEST_LIBADD   = -lm
 xt_statistic_LIBADD = -lm
+@HAVE_LIBNETFILTER_CONNTRACK_TRUE@xt_connlabel_LIBADD = @libnetfilter_conntrack_LIBS@
+
+@HAVE_LIBNETFILTER_CONNTRACK_TRUE@xt_connlabel_CFLAGADD = @libnetfilter_conntrack_CFLAGS@
 
 #
 #	Static bits
diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
index ae52901..c84a167 100644
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -5,13 +5,14 @@
 #include <stdint.h>
 #include <xtables.h>
 #include <linux/netfilter/xt_connlabel.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 
 enum {
 	O_LABEL = 0,
 	O_SET = 1,
 };
 
-#define CONNLABEL_CFG "/etc/xtables/connlabel.conf"
+static struct nfct_labelmap *map;
 
 static void connlabel_mt_help(void)
 {
@@ -28,107 +29,6 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
 	XTOPT_TABLEEND,
 };
 
-static int
-xtables_parse_connlabel_numerical(const char *s, char **end)
-{
-	uintmax_t value;
-
-	if (!xtables_strtoul(s, end, &value, 0, XT_CONNLABEL_MAXBIT))
-		return -1;
-	return value;
-}
-
-static bool is_space_posix(int c)
-{
-	return c == ' ' || c == '\f' || c == '\r' || c == '\t' || c == '\v';
-}
-
-static char * trim_label(char *label)
-{
-	char *end;
-
-	while (is_space_posix(*label))
-		label++;
-	end = strchr(label, '\n');
-	if (end)
-		*end = 0;
-	else
-		end = strchr(label, '\0');
-	end--;
-
-	while (is_space_posix(*end) && end > label) {
-		*end = 0;
-		end--;
-	}
-
-	return *label ? label : NULL;
-}
-
-static void
-xtables_get_connlabel(uint16_t bit, char *buf, size_t len)
-{
-	FILE *fp = fopen(CONNLABEL_CFG, "r");
-	char label[1024];
-	char *end;
-
-	if (!fp)
-		goto error;
-
-	while (fgets(label, sizeof(label), fp)) {
-		int tmp;
-
-		if (label[0] == '#')
-			continue;
-		tmp = xtables_parse_connlabel_numerical(label, &end);
-		if (tmp < 0 || tmp < (int) bit)
-			continue;
-		if (tmp > (int) bit)
-			break;
-
-		end = trim_label(end);
-		if (!end)
-			continue;
-		snprintf(buf, len, "%s", end);
-		fclose(fp);
-		return;
-	}
-	fclose(fp);
- error:
-	snprintf(buf, len, "%u", (unsigned int) bit);
-}
-
-
-static uint16_t xtables_parse_connlabel(const char *s)
-{
-	FILE *fp = fopen(CONNLABEL_CFG, "r");
-	char label[1024];
-	char *end;
-	int bit;
-
-	if (!fp)
-		xtables_error(PARAMETER_PROBLEM, "label '%s': could not open '%s': %s",
-						s, CONNLABEL_CFG, strerror(errno));
-
-	while (fgets(label, sizeof(label), fp)) {
-		if (label[0] == '#' || !strstr(label, s))
-			continue;
-		bit = xtables_parse_connlabel_numerical(label, &end);
-		if (bit < 0)
-			continue;
-
-		end = trim_label(end);
-		if (!end)
-			continue;
-		if (strcmp(end, s) == 0) {
-			fclose(fp);
-			return bit;
-		}
-	}
-	fclose(fp);
-	xtables_error(PARAMETER_PROBLEM, "label '%s' not found in config file %s",
-					s, CONNLABEL_CFG);
-}
-
 static void connlabel_mt_parse(struct xt_option_call *cb)
 {
 	struct xt_connlabel_mtinfo *info = cb->data;
@@ -138,9 +38,10 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
 
 	switch (cb->entry->id) {
 	case O_LABEL:
-		tmp = xtables_parse_connlabel_numerical(cb->arg, NULL);
-		info->bit = tmp < 0 ? xtables_parse_connlabel(cb->arg) : tmp;
-
+		tmp = nfct_labelmap_get_bit(map, cb->arg);
+		if (tmp < 0)
+			xtables_error(PARAMETER_PROBLEM, "label '%s' not found", cb->arg);
+		info->bit = tmp;
 		if (cb->invert)
 			info->options |= XT_CONNLABEL_OP_INVERT;
 		break;
@@ -151,6 +52,14 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
 
 }
 
+static const char *connlabel_get_name(int b)
+{
+	const char *name = nfct_labelmap_get_name(map, b);
+	if (name && strcmp(name, ""))
+		return name;
+	return NULL;
+}
+
 static void
 connlabel_mt_print_op(const struct xt_connlabel_mtinfo *info, const char *prefix)
 {
@@ -162,16 +71,15 @@ static void
 connlabel_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
 {
 	const struct xt_connlabel_mtinfo *info = (const void *)match->data;
-	char buf[1024];
+	const char *name = connlabel_get_name(info->bit);
 
 	printf(" connlabel");
 	if (info->options & XT_CONNLABEL_OP_INVERT)
 		printf(" !");
-	if (numeric) {
+	if (numeric || name == NULL) {
 		printf(" %u", info->bit);
 	} else {
-		xtables_get_connlabel(info->bit, buf, sizeof(buf));
-		printf(" '%s'", buf);
+		printf(" '%s'", name);
 	}
 	connlabel_mt_print_op(info, "");
 }
@@ -180,14 +88,14 @@ static void
 connlabel_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_connlabel_mtinfo *info = (const void *)match->data;
-	char buf[1024];
+	const char *name = connlabel_get_name(info->bit);
 
 	if (info->options & XT_CONNLABEL_OP_INVERT)
 		printf(" !");
-
-	xtables_get_connlabel(info->bit, buf, sizeof(buf));
-	printf(" --label \"%s\"", buf);
-
+	if (name)
+		printf(" --label \"%s\"", name);
+	else
+		printf(" --label \"%u\"", info->bit);
 	connlabel_mt_print_op(info, "--");
 }
 
@@ -206,5 +114,11 @@ static struct xtables_match connlabel_mt_reg = {
 
 void _init(void)
 {
+	map = nfct_labelmap_new(NULL);
+	if (!map) {
+		fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
+			connlabel_mt_reg.name, strerror(errno));
+		return;
+	}
 	xtables_register_match(&connlabel_mt_reg);
 }
diff --git a/extensions/libxt_connlabel.man b/extensions/libxt_connlabel.man
index 9fd2043..bdaa51e 100644
--- a/extensions/libxt_connlabel.man
+++ b/extensions/libxt_connlabel.man
@@ -17,6 +17,7 @@ the time the connection is created.
 In this case, the match will fail (or succeed, in case \fB\-\-label\fP
 option was negated).
 .PP
+This match depends on libnetfilter_conntrack 1.0.4 or later.
 Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file.
 .PP
 Example:
-- 
1.7.8.6

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux