| /* |
| * (C) 2005-2011 by Pablo Neira Ayuso <pablo@netfilter.org> |
| * |
| * This program is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License as published by |
| * the Free Software Foundation; either version 2 of the License, or |
| * (at your option) any later version. |
| */ |
| |
| #include "internal/internal.h" |
| #include <stdbool.h> |
| |
| static int __cmp(int attr, |
| const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags, |
| int (*cmp)(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags), bool strict) |
| { |
| int a = test_bit(attr, ct1->head.set); |
| int b = test_bit(attr, ct2->head.set); |
| if (a && b) { |
| return cmp(ct1, ct2, flags); |
| } else if (!a && !b) { |
| return 1; |
| } else if (flags & NFCT_CMP_MASK && |
| test_bit(attr, ct1->head.set)) { |
| return strict ? 0 : cmp(ct1, ct2, flags); |
| } else if (flags & NFCT_CMP_STRICT) { |
| return strict ? 0 : cmp(ct1, ct2, flags); |
| } |
| return 1; |
| } |
| |
| static int |
| cmp_orig_l3proto(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.l3protonum == ct2->head.orig.l3protonum); |
| } |
| |
| static int |
| cmp_icmp_id(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.l4src.icmp.id == ct2->head.orig.l4src.icmp.id); |
| } |
| |
| static int |
| cmp_icmp_type(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.l4dst.icmp.type == |
| ct2->head.orig.l4dst.icmp.type); |
| } |
| |
| static int |
| cmp_icmp_code(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.l4dst.icmp.code == |
| ct2->head.orig.l4dst.icmp.code); |
| } |
| |
| static int |
| cmp_orig_port_src(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.l4src.all == ct2->head.orig.l4src.all); |
| } |
| |
| static int |
| cmp_orig_port_dst(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.l4dst.all == ct2->head.orig.l4dst.all); |
| } |
| |
| static int |
| cmp_orig_l4proto(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if (ct1->head.orig.protonum != ct2->head.orig.protonum) |
| return 0; |
| |
| switch(ct1->head.orig.protonum) { |
| case IPPROTO_ICMP: |
| case IPPROTO_ICMPV6: |
| if (!__cmp(ATTR_ICMP_ID, ct1, ct2, flags, cmp_icmp_id, true)) |
| return 0; |
| if (!__cmp(ATTR_ICMP_CODE, ct1, ct2, flags, cmp_icmp_code, true)) |
| return 0; |
| if (!__cmp(ATTR_ICMP_TYPE, ct1, ct2, flags, cmp_icmp_type, true)) |
| return 0; |
| break; |
| case IPPROTO_TCP: |
| case IPPROTO_UDP: |
| case IPPROTO_UDPLITE: |
| case IPPROTO_DCCP: |
| case IPPROTO_SCTP: |
| if (!__cmp(ATTR_ORIG_PORT_SRC, ct1, ct2, |
| flags, cmp_orig_port_src, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_PORT_DST, ct1, ct2, |
| flags, cmp_orig_port_dst, true)) |
| return 0; |
| break; |
| } |
| return 1; |
| } |
| |
| static int |
| cmp_orig_ipv4_src(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.src.v4 == ct2->head.orig.src.v4);} |
| |
| static int |
| cmp_orig_ipv4_dst(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->head.orig.dst.v4 == ct2->head.orig.dst.v4);} |
| |
| static int |
| cmp_orig_ipv6_src(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (memcmp(&ct1->head.orig.src.v6, &ct2->head.orig.src.v6, |
| sizeof(struct in6_addr)) == 0); |
| } |
| |
| static int |
| cmp_orig_ipv6_dst(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (memcmp(&ct1->head.orig.dst.v6, &ct2->head.orig.dst.v6, |
| sizeof(struct in6_addr)) == 0); |
| } |
| |
| static int |
| cmp_orig_zone(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return nfct_get_attr_u16(ct1, ATTR_ORIG_ZONE) == |
| nfct_get_attr_u16(ct2, ATTR_ORIG_ZONE); |
| } |
| |
| int __cmp_orig(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if (!__cmp(ATTR_ORIG_L3PROTO, ct1, ct2, flags, cmp_orig_l3proto, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_L4PROTO, ct1, ct2, flags, cmp_orig_l4proto, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_IPV4_SRC, ct1, ct2, flags, cmp_orig_ipv4_src, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_IPV4_DST, ct1, ct2, flags, cmp_orig_ipv4_dst, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_IPV6_SRC, ct1, ct2, flags, cmp_orig_ipv6_src, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_IPV6_DST, ct1, ct2, flags, cmp_orig_ipv6_dst, true)) |
| return 0; |
| if (!__cmp(ATTR_ORIG_ZONE, ct1, ct2, flags, cmp_orig_zone, false)) |
| return 0; |
| |
| return 1; |
| } |
| |
| static int |
| cmp_repl_l3proto(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->repl.l3protonum == ct2->repl.l3protonum); |
| } |
| |
| static int |
| cmp_repl_port_src(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->repl.l4src.all == ct2->repl.l4src.all); |
| } |
| |
| static int |
| cmp_repl_port_dst(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->repl.l4dst.all == ct2->repl.l4dst.all); |
| } |
| |
| static int |
| cmp_repl_l4proto(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if (ct1->repl.protonum != ct2->repl.protonum) |
| return 0; |
| |
| switch(ct1->repl.protonum) { |
| case IPPROTO_ICMP: |
| case IPPROTO_ICMPV6: |
| if (!__cmp(ATTR_ICMP_ID, ct1, ct2, flags, cmp_icmp_id, true)) |
| return 0; |
| if (!__cmp(ATTR_ICMP_CODE, ct1, ct2, flags, cmp_icmp_code, true)) |
| return 0; |
| if (!__cmp(ATTR_ICMP_TYPE, ct1, ct2, flags, cmp_icmp_type, true)) |
| return 0; |
| break; |
| case IPPROTO_TCP: |
| case IPPROTO_UDP: |
| case IPPROTO_UDPLITE: |
| case IPPROTO_DCCP: |
| case IPPROTO_SCTP: |
| if (!__cmp(ATTR_REPL_PORT_SRC, ct1, ct2, |
| flags, cmp_repl_port_src, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_PORT_DST, ct1, ct2, |
| flags, cmp_repl_port_dst, true)) |
| return 0; |
| break; |
| } |
| return 1; |
| } |
| |
| static int |
| cmp_repl_ipv4_src(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->repl.src.v4 == ct2->repl.src.v4);} |
| |
| static int |
| cmp_repl_ipv4_dst(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->repl.dst.v4 == ct2->repl.dst.v4);} |
| |
| static int |
| cmp_repl_ipv6_src(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (memcmp(&ct1->repl.src.v6, &ct2->repl.src.v6, |
| sizeof(struct in6_addr)) == 0); |
| } |
| |
| static int |
| cmp_repl_ipv6_dst(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (memcmp(&ct1->repl.dst.v6, &ct2->repl.dst.v6, |
| sizeof(struct in6_addr)) == 0); |
| } |
| |
| static int |
| cmp_repl_zone(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return nfct_get_attr_u16(ct1, ATTR_REPL_ZONE) == |
| nfct_get_attr_u16(ct2, ATTR_REPL_ZONE); |
| } |
| |
| static int cmp_repl(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if (!__cmp(ATTR_REPL_L3PROTO, ct1, ct2, flags, cmp_repl_l3proto, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_L4PROTO, ct1, ct2, flags, cmp_repl_l4proto, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_IPV4_SRC, ct1, ct2, flags, cmp_repl_ipv4_src, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_IPV4_DST, ct1, ct2, flags, cmp_repl_ipv4_dst, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_IPV6_SRC, ct1, ct2, flags, cmp_repl_ipv6_src, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_IPV6_DST, ct1, ct2, flags, cmp_repl_ipv6_dst, true)) |
| return 0; |
| if (!__cmp(ATTR_REPL_ZONE, ct1, ct2, flags, cmp_repl_zone, false)) |
| return 0; |
| |
| return 1; |
| } |
| |
| static int |
| cmp_id(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->id == ct2->id); |
| } |
| |
| static int |
| cmp_mark(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return nfct_get_attr_u32(ct1, ATTR_MARK) == |
| nfct_get_attr_u32(ct2, ATTR_MARK); |
| } |
| |
| static int |
| cmp_timeout(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| int ret = 0; |
| |
| #define __NFCT_CMP_TIMEOUT (NFCT_CMP_TIMEOUT_LE | NFCT_CMP_TIMEOUT_GT) |
| |
| if (!(flags & __NFCT_CMP_TIMEOUT) && |
| ct1->timeout == ct2->timeout) |
| return 1; |
| else { |
| if (flags & NFCT_CMP_TIMEOUT_GT && |
| ct1->timeout > ct2->timeout) |
| ret = 1; |
| else if (flags & NFCT_CMP_TIMEOUT_LT && |
| ct1->timeout < ct2->timeout) |
| ret = 1; |
| else if (flags & NFCT_CMP_TIMEOUT_EQ && |
| ct1->timeout == ct2->timeout) |
| ret = 1; |
| } |
| return ret; |
| } |
| |
| static int |
| cmp_status(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return ((ct1->status & ct2->status) == ct1->status); |
| } |
| |
| static int |
| cmp_tcp_state(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->protoinfo.tcp.state == ct2->protoinfo.tcp.state); |
| } |
| |
| static int |
| cmp_sctp_state(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->protoinfo.sctp.state == ct2->protoinfo.sctp.state); |
| } |
| |
| static int |
| cmp_dccp_state(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return (ct1->protoinfo.dccp.state == ct2->protoinfo.dccp.state); |
| } |
| |
| static int |
| cmp_zone(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return nfct_get_attr_u16(ct1, ATTR_ZONE) == |
| nfct_get_attr_u16(ct2, ATTR_ZONE); |
| } |
| |
| static int |
| cmp_secctx(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if (ct1->secctx == NULL || ct2->secctx == NULL) |
| return ct1->secctx == ct2->secctx; |
| return strcmp(ct1->secctx, ct2->secctx) == 0; |
| } |
| |
| static int __cmp_clabel(const struct nfct_bitmask *a, |
| const struct nfct_bitmask *b) |
| { |
| unsigned int len, max; |
| const uint32_t *bits; |
| |
| if (a == NULL || b == NULL) |
| return a == b; |
| |
| if (a->words < b->words) { |
| bits = b->bits; |
| max = b->words; |
| len = a->words; |
| } else { |
| bits = a->bits; |
| max = a->words; |
| len = b->words; |
| } |
| |
| while (max > len) { |
| if (bits[--max]) |
| return 0; |
| } |
| /* bitmask sizes are equal or extra bits are not set */ |
| return memcmp(a->bits, b->bits, len * sizeof(a->bits[0])) == 0; |
| } |
| |
| static int cmp_clabel(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return __cmp_clabel(nfct_get_attr(ct1, ATTR_CONNLABELS), |
| nfct_get_attr(ct2, ATTR_CONNLABELS)); |
| |
| } |
| |
| static int cmp_clabel_mask(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| return __cmp_clabel(nfct_get_attr(ct1, ATTR_CONNLABELS_MASK), |
| nfct_get_attr(ct2, ATTR_CONNLABELS_MASK)); |
| |
| } |
| |
| static int cmp_meta(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if (!__cmp(ATTR_ID, ct1, ct2, flags, cmp_id, true)) |
| return 0; |
| if (!__cmp(ATTR_MARK, ct1, ct2, flags, cmp_mark, false)) |
| return 0; |
| if (!__cmp(ATTR_TIMEOUT, ct1, ct2, flags, cmp_timeout, true)) |
| return 0; |
| if (!__cmp(ATTR_STATUS, ct1, ct2, flags, cmp_status, true)) |
| return 0; |
| if (!__cmp(ATTR_TCP_STATE, ct1, ct2, flags, cmp_tcp_state, true)) |
| return 0; |
| if (!__cmp(ATTR_SCTP_STATE, ct1, ct2, flags, cmp_sctp_state, true)) |
| return 0; |
| if (!__cmp(ATTR_DCCP_STATE, ct1, ct2, flags, cmp_dccp_state, true)) |
| return 0; |
| if (!__cmp(ATTR_ZONE, ct1, ct2, flags, cmp_zone, false)) |
| return 0; |
| if (!__cmp(ATTR_SECCTX, ct1, ct2, flags, cmp_secctx, true)) |
| return 0; |
| if (!__cmp(ATTR_CONNLABELS, ct1, ct2, flags, cmp_clabel, true)) |
| return 0; |
| if (!__cmp(ATTR_CONNLABELS_MASK, ct1, ct2, flags, cmp_clabel_mask, true)) |
| return 0; |
| |
| return 1; |
| } |
| |
| int __compare(const struct nf_conntrack *ct1, |
| const struct nf_conntrack *ct2, |
| unsigned int flags) |
| { |
| if ((flags & ~(NFCT_CMP_MASK|NFCT_CMP_STRICT)) == NFCT_CMP_ALL) |
| return cmp_meta(ct1, ct2, flags) && |
| __cmp_orig(ct1, ct2, flags) && |
| cmp_repl(ct1, ct2, flags); |
| |
| if (flags & NFCT_CMP_ORIG && !__cmp_orig(ct1, ct2, flags)) |
| return 0; |
| |
| if (flags & NFCT_CMP_REPL && !cmp_repl(ct1, ct2, flags)) |
| return 0; |
| |
| return 1; |
| } |