def delete_existing_conntrack_entry(ip):
    """Destroy every unmarked conntrack entry whose original destination is *ip*.

    Only entries with ``mark == 0`` are considered (any flow carrying a
    non-zero mark is left untouched); *ip* is compared against the
    original-direction IPv4 destination rendered as a dotted quad.  Each
    deletion is logged at INFO level before it is issued.
    """
    handle = Conntrack()
    for ct in handle.dump_table():
        # orig_ipv4_dst is an integer; pack it big-endian to get dotted-quad text
        packed = struct.pack('!I', ct.orig_ipv4_dst)
        if ct.mark != 0:
            continue
        if socket.inet_ntoa(packed) != ip:
            continue
        LOGGER.info('delete %s' % ct)
        handle.destroy_conntrack(ct)
def main():
    """Subscribe to all conntrack event groups and hand each event to event_cb.

    The handle is published on ``event_cb.conntrack`` before listening starts
    (the callback is defined elsewhere and presumably reads it);
    ``catch`` blocks until Ctrl-C, which is reported and swallowed.
    """
    handle = Conntrack(subscriptions=NFCT_ALL_CT_GROUPS)
    event_cb.conntrack = handle
    try:
        handle.catch(event_cb)
    except KeyboardInterrupt:
        print "Interrupted."
def main():
    """Listen for every conntrack event group and dispatch to event_cb.

    ``event_cb.conntrack`` is set to the handle first so the callback
    (defined outside this block) can reach the table; ``catch`` runs until
    interrupted with Ctrl-C.
    """
    listener = Conntrack(subscriptions=NFCT_ALL_CT_GROUPS)
    event_cb.conntrack = listener
    try:
        listener.catch(event_cb)
    except KeyboardInterrupt:
        print "Interrupted."
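    def getrealdest_ct(self, newip, newport):
        """Resolve the original destination of a redirected connection.

        Walks the IPv4 conntrack table for the entry whose reply-side
        destination equals the local socket ``(newip, newport)`` and returns
        that entry's original-side destination.

        Args:
            newip: local address the connection was redirected to, in the
                same string form that ``self.ltoip`` produces.
            newport: local port of the redirected connection; compared
                directly with ``entry.repl_port_dst`` (assumed to be the same
                type — TODO confirm against the caller).

        Returns:
            ``(orig_dst_ip, orig_dst_port)`` of the first matching entry, or
            ``(-1, -1)`` when the table cannot be read or nothing matches.
        """
        debug = self.config.debug
        if debug > 1:
            self.log.debug("Netfilter: BEGIN")
        try:
            # Create conntrack object; get conntrack table
            nf = Conntrack()
            table = nf.dump_table(socket.AF_INET)
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # propagate instead of being reported as a failed lookup.
            if debug > 0:
                self.log.error(sys.exc_info())
            return -1, -1
        if debug > 1:
            self.log.debug("Netfilter: local socket %s:%s" % (newip, newport))

        # Search conntrack table for target destination IP:port
        for entry in table:
            repl_ipv4_dst_ip = self.ltoip(entry.repl_ipv4_dst)
            if debug > 1:
                self.log.debug("Netfilter: Trying: %s:%s" %
                               (repl_ipv4_dst_ip, entry.repl_port_dst))
            if repl_ipv4_dst_ip != newip or entry.repl_port_dst != newport:
                continue
            # Matched the local socket: the original-direction destination
            # is the address the client actually asked for.
            orig_ipv4_dst_ip = self.ltoip(entry.orig_ipv4_dst)
            if debug > 1:
                self.log.debug("Netfilter: remote socket %s:%s" %
                               (orig_ipv4_dst_ip, entry.orig_port_dst))
            return orig_ipv4_dst_ip, entry.orig_port_dst
        if debug > 0:
            self.log.debug("Netfilter: no socket match")
            self.log.debug("Netfilter: END")

        return -1, -1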
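 def getrealdest_ct(self, newip, newport):
     """Resolve the original destination of a redirected connection.

     Walks the IPv4 conntrack table for the entry whose reply-side
     destination equals the local socket ``(newip, newport)`` and returns
     that entry's original-side destination.

     Args:
         newip: local address the connection was redirected to, in the
             same string form that ``self.ltoip`` produces.
         newport: local port of the redirected connection; compared
             directly with ``entry.repl_port_dst`` (assumed to be the same
             type — TODO confirm against the caller).

     Returns:
         ``(orig_dst_ip, orig_dst_port)`` of the first matching entry, or
         ``(-1, -1)`` when the table cannot be read or nothing matches.
     """
     debug = self.config.debug
     if debug > 1:
         self.log.debug("Netfilter: BEGIN")
     try:
         # Create conntrack object; get conntrack table
         nf = Conntrack()
         table = nf.dump_table(socket.AF_INET)
     except Exception:
         # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
         # propagate instead of being reported as a failed lookup.
         if debug > 0:
             self.log.error(sys.exc_info())
         return -1, -1
     if debug > 1:
         self.log.debug("Netfilter: local socket %s:%s" % (newip, newport))

     # Search conntrack table for target destination IP:port
     for entry in table:
         repl_ipv4_dst_ip = self.ltoip(entry.repl_ipv4_dst)
         if debug > 1:
             self.log.debug("Netfilter: Trying: %s:%s" %
                            (repl_ipv4_dst_ip, entry.repl_port_dst))
         if repl_ipv4_dst_ip != newip or entry.repl_port_dst != newport:
             continue
         # Matched the local socket: the original-direction destination
         # is the address the client actually asked for.
         orig_ipv4_dst_ip = self.ltoip(entry.orig_ipv4_dst)
         if debug > 1:
             self.log.debug("Netfilter: remote socket %s:%s" %
                            (orig_ipv4_dst_ip, entry.orig_port_dst))
         return orig_ipv4_dst_ip, entry.orig_port_dst
     if debug > 0:
         self.log.debug("Netfilter: no socket match")
         self.log.debug("Netfilter: END")

     return -1, -1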
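def main():
    """Dump the IPv4 conntrack table in the format named on the command line.

    ``sys.argv[1]`` must be a key of OUTPUT_FORMAT ("list" or "xml").  Usage
    errors and runtime failures go to stderr and exit non-zero, so stdout
    only ever carries flow data (keeps the XML document well-formed for
    consumers that parse it).
    """
    if len(sys.argv) != 2 or sys.argv[1] not in OUTPUT_FORMAT:
        print("usage: %s command" % sys.argv[0], file=sys.stderr)
        print(file=sys.stderr)
        print("command: list or xml", file=sys.stderr)
        sys.exit(1)
    mode = sys.argv[1]
    output = OUTPUT_FORMAT[mode]

    checkKernelModule('nf_conntrack', 'nf_ct_attach')
    checkKernelModule('nf_conntrack_netlink', 'ctnetlink_net_init')
    try:
        if mode == "xml":
            print('<?xml version="1.0" encoding="ISO-8859-1"?>')
            print('<flows>')
        nf = Conntrack()
        # dump_table returns (entries, count); the count is not used here
        table, _count = nf.dump_table(AF_INET)
        for entry in table:
            print(entry.format(output))
        if mode == "xml":
            print('</flows>')
    except RuntimeError as err:
        # On stderr so a failure cannot be mistaken for flow output on stdout
        print("ERROR: %s" % err, file=sys.stderr)
        sys.exit(1)
    except KeyboardInterrupt:
        print("Interrupted.", file=sys.stderr)
        sys.exit(130)  # conventional status for termination by SIGINT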
def delete_existing_conntrack_entry(ip):
    """Destroy every unmarked conntrack entry whose original destination is *ip*.

    An entry qualifies only when its mark is 0 and its original-direction
    IPv4 destination, rendered as a dotted quad, equals *ip*.  Each
    deletion is logged at INFO level first.
    """
    ct = Conntrack()
    for flow in ct.dump_table():
        # Integer address -> 4 big-endian bytes -> "a.b.c.d"
        dotted = socket.inet_ntoa(struct.pack('!I', flow.orig_ipv4_dst))
        unmarked = flow.mark == 0
        if unmarked and dotted == ip:
            LOGGER.info('delete %s' % flow)
            ct.destroy_conntrack(flow)
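def main():
    """Dump the IPv4 conntrack table in the format named on the command line.

    ``sys.argv[1]`` must be a key of OUTPUT_FORMAT ("list" or "xml").  Usage
    errors and runtime failures are written to stderr and exit non-zero so
    that stdout only carries flow data (the XML document stays well-formed).
    """
    if len(sys.argv) != 2 or sys.argv[1] not in OUTPUT_FORMAT:
        print >> sys.stderr, "usage: %s command" % sys.argv[0]
        print >> sys.stderr
        print >> sys.stderr, "command: list or xml"
        sys.exit(1)
    mode = sys.argv[1]
    output = OUTPUT_FORMAT[mode]

    checkKernelModule('nf_conntrack', 'nf_ct_attach')
    checkKernelModule('nf_conntrack_netlink', 'ctnetlink_net_init')
    try:
        if mode == "xml":
            print '<?xml version="1.0" encoding="ISO-8859-1"?>'
            print '<flows>'
        nf = Conntrack()
        # dump_table returns (entries, count); the count is not used here
        (table, _count) = nf.dump_table(AF_INET)
        for entry in table:
            print entry.format(output)
        if mode == "xml":
            print '</flows>'
    except RuntimeError, err:
        # On stderr so a failure cannot be mistaken for flow output on stdout
        print >> sys.stderr, "ERROR: %s" % err
        sys.exit(1)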
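def main():
    """Dump the IPv4 conntrack table in the format named on the command line.

    ``sys.argv[1]`` must be a key of OUTPUT_FORMAT ("list" or "xml").  Usage
    errors and runtime failures are written to stderr and exit non-zero so
    that stdout only carries flow data (the XML document stays well-formed).
    """
    if len(sys.argv) != 2 or sys.argv[1] not in OUTPUT_FORMAT:
        print >>sys.stderr, "usage: %s command" % sys.argv[0]
        print >>sys.stderr
        print >>sys.stderr, "command: list or xml"
        sys.exit(1)
    mode = sys.argv[1]
    output = OUTPUT_FORMAT[mode]

    checkKernelModule('nf_conntrack', 'nf_ct_cache')
    checkKernelModule('nf_conntrack_netlink', 'ctnetlink_init')
    try:
        if mode == "xml":
            print '<?xml version="1.0" encoding="ISO-8859-1"?>'
            print '<flows>'
        nf = Conntrack()
        table = nf.dump_table(AF_INET)
        for entry in table:
            print entry.format(output)
        if mode == "xml":
            print '</flows>'
    except RuntimeError, err:
        # On stderr so a failure cannot be mistaken for flow output on stdout
        print >>sys.stderr, "ERROR: %s" % err
        sys.exit(1)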
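def _fill_orig_tcp_tuple(entry, src, dst, sport, dport):
    """Set the original-direction IPv4/TCP tuple attributes on *entry*.

    *src*/*dst* are whatever the entry attribute accepts (an ``IP(...)``
    value for real addresses, a raw ``0xffffffff`` for a mask); ports are
    plain integers.  Assignment order mirrors the original example.
    """
    entry.orig_l3proto = AF_INET
    entry.orig_ipv4_src = src
    entry.orig_ipv4_dst = dst
    entry.orig_l4proto = IPPROTO_TCP
    entry.orig_port_src = sport
    entry.orig_port_dst = dport


def create_conntrack(src_ip="172.16.127.201", dst_ip="204.152.191.36",
                     src_port=1025, dst_port=21,
                     exp_src_port=10240, exp_dst_port=10241):
    """Create a master TCP conntrack entry and an expectation bound to it.

    First a master entry for ``src_ip:src_port -> dst_ip:dst_port`` (TCP,
    LISTEN state, 10 s timeout, reply tuple derived by the library) is
    committed.  Then an expectation for ``src_ip:exp_src_port ->
    dst_ip:exp_dst_port`` is registered against that master with a
    full-match mask (every address and port bit set) and a 200 s timeout.
    The defaults reproduce the original hard-coded example, so a bare
    ``create_conntrack()`` call behaves as before.

    Args:
        src_ip: dotted-quad source address of the master flow.
        dst_ip: dotted-quad destination address of the master flow.
        src_port: master source port.
        dst_port: master destination port.
        exp_src_port: source port of the expected flow.
        exp_dst_port: destination port of the expected flow.

    Raises:
        Whatever ``ConntrackEntry.create`` / ``ExpectEntry.create`` raise
        when the kernel refuses the entry (presumably insufficient
        privilege or an invalid tuple — not visible from here).
    """
    # ----------- create conntrack entry -----------
    conntrack = Conntrack()

    master = ConntrackEntry.new(conntrack)
    _fill_orig_tcp_tuple(master, IP(src_ip), IP(dst_ip), src_port, dst_port)
    # Let the library fill in the reply tuple from the original one
    master.setobjopt(NFCT_SOPT_SETUP_REPLY)
    master.tcp_state = TCP_CONNTRACK_LISTEN
    master.timeout = 10
    master.create()

    # ----------- create expect entry -----------
    expect = Expect()

    expected = ConntrackEntry.new(expect)
    _fill_orig_tcp_tuple(expected, IP(src_ip), IP(dst_ip),
                         exp_src_port, exp_dst_port)

    # All-ones mask: the expectation matches only this exact tuple
    mask = ConntrackEntry.new(expect)
    _fill_orig_tcp_tuple(mask, 0xffffffff, 0xffffffff, 0xffff, 0xffff)

    print("add")
    exp = ExpectEntry.new(expect)
    # Attribute indices for nfexp_set_attr (libnetfilter_conntrack's
    # nf_expect_attr enum: MASTER=0, EXPECTED=1, MASK=2, TIMEOUT=3)
    ATTR_EXP_MASTER = 0
    ATTR_EXP_EXPECTED = 1
    ATTR_EXP_MASK = 2
    ATTR_EXP_TIMEOUT = 3
    nfexp_set_attr(exp._handle, ATTR_EXP_MASTER, master._handle)
    nfexp_set_attr(exp._handle, ATTR_EXP_EXPECTED, expected._handle)
    nfexp_set_attr(exp._handle, ATTR_EXP_MASK, mask._handle)
    nfexp_set_attr_u32(exp._handle, ATTR_EXP_TIMEOUT, 200)
    print("FINAL: Create entry")
    exp.create()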