move nfct related functionality to NetfilterConntrack_Functions.ttcn
parent
a5c6eaf8fb
commit
9041b45139
|
@ -12,16 +12,6 @@ module IPL4_example {
|
|||
import from http_www_netfilter_org_xml_libnetfilter_conntrack all;
|
||||
import from XSD all;
|
||||
|
||||
external function enc_Flow(in Flow pdu) return octetstring
|
||||
with { extension "prototype (convert) encode(XER:XER_EXTENDED)" }
|
||||
external function dec_Flow(in octetstring stream) return Flow
|
||||
with { extension "prototype (convert) decode(XER:XER_EXTENDED)" }
|
||||
|
||||
external function enc_Flows(in Flows pdu) return octetstring
|
||||
with { extension "prototype (convert) encode(XER:XER_EXTENDED)" }
|
||||
external function dec_Flows(in octetstring stream) return Flows
|
||||
with { extension "prototype (convert) decode(XER:XER_EXTENDED)" }
|
||||
|
||||
type component dummy_CT {
|
||||
port TunDevice_PT TUN;
|
||||
port TunDevice_PT TUN2;
|
||||
|
@ -32,22 +22,8 @@ module IPL4_example {
|
|||
template (value) Tun_send tunmsg(octetstring p_data) := { msg := p_data };
|
||||
template (value) Tun_recv tunrcv(octetstring p_data) := { msg := p_data };
|
||||
|
||||
const integer AF_INET := 2;
|
||||
const integer AF_INET6 := 23;
|
||||
|
||||
import from UsefulTtcn3Types all;
|
||||
|
||||
type enumerated nfct_direction { DIR_ORIG, DIR_REPLY };
|
||||
|
||||
type record flow_info {
|
||||
unsignedbyte l3_protocol,
|
||||
charstring src_ip,
|
||||
charstring dst_ip,
|
||||
unsignedbyte l4_protocol,
|
||||
unsignedshort src_port,
|
||||
unsignedshort dst_port
|
||||
}
|
||||
|
||||
type record pkt_info {
|
||||
nfct_direction direction,
|
||||
octetstring payload,
|
||||
|
@ -265,114 +241,6 @@ module IPL4_example {
|
|||
return data;
|
||||
}
|
||||
|
||||
/* generate a packet according to the input flow + pkt information */
|
||||
/*
|
||||
function flow_gen_pkt_(flow_info flowi, pkt_info pkti) return octetstring {
|
||||
var octetstring ret;
|
||||
var unsignedshort src_port, dst_port;
|
||||
var charstring src_ip, dst_ip;
|
||||
if (pkti.direction == DIR_ORIG) {
|
||||
src_ip := flowi.src_ip
|
||||
src_port := flowi.src_port
|
||||
dst_ip := flowi.dst_ip
|
||||
dst_port := flowi.dst_port
|
||||
} else {
|
||||
src_ip := flowi.dst_ip
|
||||
src_port := flowi.dst_port
|
||||
dst_ip := flowi.src_ip
|
||||
dst_port := flowi.src_port
|
||||
}
|
||||
if (flowi.l4_protocol == c_ip_proto_udp) {
|
||||
ret := f_IPv4IPv6_AnyUdpPacket(src_ip, dst_ip, src_port, dst_port);
|
||||
}
|
||||
if (pkti.trunc_len > 0 and pkti.trunc_len < lengthof(ret)) {
|
||||
ret := substr(ret, 0, pkti.trunc_len);
|
||||
}
|
||||
return ret
|
||||
}
|
||||
*/
|
||||
|
||||
/* reverse the L3 portion */
|
||||
private function f_nfct_l3_reverse(template Layer3_type input) return template Layer3_type {
|
||||
return {
|
||||
protoname := input.protoname,
|
||||
protonum := input.protonum,
|
||||
src := input.dst,
|
||||
dst := input.src
|
||||
}
|
||||
}
|
||||
|
||||
/* reverse the L4 portion */
|
||||
private function f_nfct_l4_reverse(template Layer4_type input) return template Layer4_type {
|
||||
return { protoname := input.protoname,
|
||||
protonum := input.protonum,
|
||||
sport := input.dport,
|
||||
dport := input.sport }
|
||||
}
|
||||
|
||||
/* reverse an Orig_repl_group template */
|
||||
private function f_nfct_orig_repl_reverse(template Orig_repl_group input) return template Orig_repl_group {
|
||||
var template Orig_repl_group output
|
||||
|
||||
output.layer3 := f_nfct_l3_reverse(input.layer3)
|
||||
output.layer4 := f_nfct_l4_reverse(input.layer4)
|
||||
output.zone := input.zone
|
||||
/* we cannot assume inverse direction counters have any relation to the forward direction */
|
||||
output.counters := *
|
||||
return output
|
||||
}
|
||||
|
||||
function f_proto_to_af(integer proto) return integer {
|
||||
if (proto == c_ip_proto_ipv4) {
|
||||
return AF_INET;
|
||||
} else if (proto == c_ip_proto_ipv6) {
|
||||
return AF_INET6;
|
||||
} else {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* construct a template that can be used to match nf-conntrack XML */
|
||||
function f_nfct_templ_from_flow(flow_info flowi) return template Flow {
|
||||
/* construct original tuple from flow */
|
||||
var template Orig_repl_group orig := {
|
||||
layer3 := {
|
||||
protoname := *,
|
||||
protonum := int2str(f_proto_to_af(flowi.l3_protocol)),
|
||||
src := flowi.src_ip,
|
||||
dst := flowi.dst_ip
|
||||
},
|
||||
layer4 := {
|
||||
protoname := *,
|
||||
protonum := int2str(flowi.l4_protocol),
|
||||
sport := flowi.src_port,
|
||||
dport := flowi.dst_port
|
||||
},
|
||||
zone := *,
|
||||
counters := *
|
||||
}
|
||||
/* create the inverse of the original tuple */
|
||||
var template Orig_repl_group repl := f_nfct_orig_repl_reverse(orig)
|
||||
|
||||
return {
|
||||
meta := { direction := "original", choice := { orig_repl_group := orig } },
|
||||
meta_1 := { direction := "reply", choice := { orig_repl_group := repl } },
|
||||
meta_2 := ?,
|
||||
when := * }
|
||||
}
|
||||
|
||||
/* get a single conntrack entry derived from the specified flow_info */
|
||||
//{ meta := { direction := "original", choice := { orig_repl_group := { layer3 := { protoname := "ipv4", protonum := "2", src := "1.1.1.200", dst := "2.2.2.200" }, layer4 := { protoname := "udp", protonum := "17", sport := 1001, dport := 2001 }, zone := omit, counters := omit } } }, meta_1 := { direction := "reply", choice := { orig_repl_group := { layer3 := { protoname := "ipv4", protonum := "2", src := "2.2.2.200", dst := "1.1.1.200" }, layer4 := { protoname := "udp", protonum := "17", sport := 2001, dport := 1001 }, zone := omit, counters := omit } } }, meta_2 := { direction := "independent", choice := { indep_group := { state := omit, timeout_ := 30, mark := 0, secmark := omit, zone := omit, use := 2, id := 2741869312, assured := omit, unreplied := { }, timestamp := omit, deltatime := omit } } }, when := omit }
|
||||
function f_get_conntracks(flow_info flowi) return Flows {
|
||||
var charstring xml := f_get_conntrack_xml(flowi.src_ip, flowi.dst_ip, flowi.l4_protocol, flowi.src_port, flowi.dst_port)
|
||||
return dec_Flows(unichar2oct(xml));
|
||||
}
|
||||
|
||||
function f_get_conntrack(flow_info flowi) return Flow {
|
||||
var Flows flows := f_get_conntracks(flowi);
|
||||
return flows.flow_list[0];
|
||||
}
|
||||
|
||||
/* generate + send packet for given flow through TUN */
|
||||
function flow_send_pkt_tun1(flow_info flowi, pkt_info pkti) runs on dummy_CT {
|
||||
var octetstring pkt := flow_gen_pkt(flowi, pkti);
|
||||
|
|
|
@ -3,4 +3,113 @@ module NetfilterConntrack_Functions {
|
|||
external function f_get_conntracks_xml() return charstring;
|
||||
external function f_get_conntrack_xml(charstring src_ip, charstring dst_ip, integer l4_proto, integer src_port, integer dst_port) return charstring;
|
||||
|
||||
import from UsefulTtcn3Types all;
|
||||
import from IP_Types all;
|
||||
import from http_www_netfilter_org_xml_libnetfilter_conntrack all;
|
||||
|
||||
external function enc_Flow(in Flow pdu) return octetstring
|
||||
with { extension "prototype (convert) encode(XER:XER_EXTENDED)" }
|
||||
external function dec_Flow(in octetstring stream) return Flow
|
||||
with { extension "prototype (convert) decode(XER:XER_EXTENDED)" }
|
||||
|
||||
external function enc_Flows(in Flows pdu) return octetstring
|
||||
with { extension "prototype (convert) encode(XER:XER_EXTENDED)" }
|
||||
external function dec_Flows(in octetstring stream) return Flows
|
||||
with { extension "prototype (convert) decode(XER:XER_EXTENDED)" }
|
||||
|
||||
const integer AF_INET := 2;
|
||||
const integer AF_INET6 := 23;
|
||||
|
||||
type enumerated nfct_direction { DIR_ORIG, DIR_REPLY };
|
||||
|
||||
type record flow_info {
|
||||
unsignedbyte l3_protocol,
|
||||
charstring src_ip,
|
||||
charstring dst_ip,
|
||||
unsignedbyte l4_protocol,
|
||||
unsignedshort src_port,
|
||||
unsignedshort dst_port
|
||||
}
|
||||
|
||||
/* reverse the L3 portion */
|
||||
private function f_nfct_l3_reverse(template Layer3_type input) return template Layer3_type {
|
||||
return {
|
||||
protoname := input.protoname,
|
||||
protonum := input.protonum,
|
||||
src := input.dst,
|
||||
dst := input.src
|
||||
}
|
||||
}
|
||||
|
||||
/* reverse the L4 portion */
|
||||
private function f_nfct_l4_reverse(template Layer4_type input) return template Layer4_type {
|
||||
return { protoname := input.protoname,
|
||||
protonum := input.protonum,
|
||||
sport := input.dport,
|
||||
dport := input.sport }
|
||||
}
|
||||
|
||||
/* reverse an Orig_repl_group template */
|
||||
function f_nfct_orig_repl_reverse(template Orig_repl_group input) return template Orig_repl_group {
|
||||
var template Orig_repl_group output
|
||||
|
||||
output.layer3 := f_nfct_l3_reverse(input.layer3)
|
||||
output.layer4 := f_nfct_l4_reverse(input.layer4)
|
||||
output.zone := input.zone
|
||||
/* we cannot assume inverse direction counters have any relation to the forward direction */
|
||||
output.counters := *
|
||||
return output
|
||||
}
|
||||
|
||||
private function f_proto_to_af(integer proto) return integer {
|
||||
if (proto == c_ip_proto_ipv4) {
|
||||
return AF_INET;
|
||||
} else if (proto == c_ip_proto_ipv6) {
|
||||
return AF_INET6;
|
||||
} else {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* construct a template that can be used to match nf-conntrack XML */
|
||||
function f_nfct_templ_from_flow(flow_info flowi) return template Flow {
|
||||
/* construct original tuple from flow */
|
||||
var template Orig_repl_group orig := {
|
||||
layer3 := {
|
||||
protoname := *,
|
||||
protonum := int2str(f_proto_to_af(flowi.l3_protocol)),
|
||||
src := flowi.src_ip,
|
||||
dst := flowi.dst_ip
|
||||
},
|
||||
layer4 := {
|
||||
protoname := *,
|
||||
protonum := int2str(flowi.l4_protocol),
|
||||
sport := flowi.src_port,
|
||||
dport := flowi.dst_port
|
||||
},
|
||||
zone := *,
|
||||
counters := *
|
||||
}
|
||||
/* create the inverse of the original tuple */
|
||||
var template Orig_repl_group repl := f_nfct_orig_repl_reverse(orig)
|
||||
|
||||
return {
|
||||
meta := { direction := "original", choice := { orig_repl_group := orig } },
|
||||
meta_1 := { direction := "reply", choice := { orig_repl_group := repl } },
|
||||
meta_2 := ?,
|
||||
when := * }
|
||||
}
|
||||
|
||||
/* get a single conntrack entry derived from the specified flow_info */
|
||||
//{ meta := { direction := "original", choice := { orig_repl_group := { layer3 := { protoname := "ipv4", protonum := "2", src := "1.1.1.200", dst := "2.2.2.200" }, layer4 := { protoname := "udp", protonum := "17", sport := 1001, dport := 2001 }, zone := omit, counters := omit } } }, meta_1 := { direction := "reply", choice := { orig_repl_group := { layer3 := { protoname := "ipv4", protonum := "2", src := "2.2.2.200", dst := "1.1.1.200" }, layer4 := { protoname := "udp", protonum := "17", sport := 2001, dport := 1001 }, zone := omit, counters := omit } } }, meta_2 := { direction := "independent", choice := { indep_group := { state := omit, timeout_ := 30, mark := 0, secmark := omit, zone := omit, use := 2, id := 2741869312, assured := omit, unreplied := { }, timestamp := omit, deltatime := omit } } }, when := omit }
|
||||
function f_get_conntracks(flow_info flowi) return Flows {
|
||||
var charstring xml := f_get_conntrack_xml(flowi.src_ip, flowi.dst_ip, flowi.l4_protocol, flowi.src_port, flowi.dst_port)
|
||||
return dec_Flows(unichar2oct(xml));
|
||||
}
|
||||
|
||||
function f_get_conntrack(flow_info flowi) return Flow {
|
||||
var Flows flows := f_get_conntracks(flowi);
|
||||
return flows.flow_list[0];
|
||||
}
|
||||
|
||||
}
|
||||
|
|
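Review bot: `f_get_conntrack` returns `flows.flow_list[0]` without checking that the decoded list holds an entry, so a flow with no conntrack record ends in a runtime index error rather than a readable failure; a guard such as `if (lengthof(flows.flow_list) == 0) { testcase.stop("no conntrack entry for flow"); }` before the return would make that case explicit, and it is worth deciding what should happen when more than one entry comes back. Separately, `const integer AF_INET6 := 23;` is carried over unchanged, but on Linux, where nf-conntrack runs, AF_INET6 is 10 (23 is the Windows value), so the layer3 `protonum` built in `f_nfct_templ_from_flow` would presumably never match an IPv6 entry. `f_proto_to_af` also returns 0 for any other protocol, which produces a template that silently matches nothing; a short comment such as `/* 0 = unsupported L3 protocol, template will not match */` or an explicit error there would make that visible to whoever reads a failing test.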