| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
My email address has changed, let's update it.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Review fprintf() and perror() calls and replace them with proper logs,
since it now supports being called anytime during runtime.
While at it, several messages are fixed, deleting \n, adjusting
coding style and some typos.
Also, the 'conntrackd cannot start, please review your configuration' is
printed before closing the log engine.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Now that our main log function is able to handle the case of the log engine
not being initialised, we can use the general function instead of a custom
one in the parser.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will allow to call dlog() function from all the points in the
execution at runtime.
If the log was not initialized, then we just fprintf and return.
By now, we can't init the log engine earlier because we require config
from the user, so there is a egg-chicken problem.
This means that we can't log parsing messages to logfiles but only to
stderr/stdout.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If conntrackd is running in console mode (i.e. in foreground)
then we can print the log messages to stdout/stderr.
This eases the workflow for admins, since we condensate more info into
the same terminal output.
Example:
% sudo conntrackd -C /etc/conntrackd.conf
WARNING: XXXX is an invalid interface
[Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling internal cache
[Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling external cache
[Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] can't open channel socket: No such device
[Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] initialization failed
ERROR: conntrackd cannot start, please check the logfile for more info
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have observed this message several times:
[ERROR] can't open channel socket
[ERROR] initialization failed
which is very difficult to understand.
The errno message should help this to be a bit more explicit.
With this patch, in the case of wrong interface:
[ERROR] can't open channel socket: No such device
[ERROR] initialization failed
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some distributions, such as Gentoo and Chrome OS, try to link all
programs with `-z now` as a security hardening measure. This breaks
nfct, because nfct cannot satisfy all of the helper modules' symbols.
Therefore nfct implicitly depends on lazy binding.
Have autoconf probe the linker to see if `-z lazy` works, and if so,
use it to link nfct and the helpers.
conntrackd itself is unaffected, and should still work with `-z now`.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This allows unicast replies to multicast DNS (mDNS / RFC6762) queries.
These queries are often used when a full-featured mDNS service (such as
avahi-daemon) is not running, or if an mDNS client does not have
permission to bind to port 5353.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
matchoff is relative to dataoff, i.e. matchoff=0 (as utilized by
nfq_tcp_mangle_ipv4()) points to the first byte of the TCP payload.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently matchoff and matchlen are 0, so IP mangling is performed in
the wrong place if NAT is used:
FTP_NAT: type 0, off 0 len 0
The resultant packet is clearly incorrect:
0x0000: 9410 3eb8 00ab 00e0 4c68 0012 0800 4510 ..>.....Lh....E.
0x0010: 0081 9ed9 4000 4006 cd35 646b 0370 646b ....@.@..5dk.pdk
0x0020: 0212 0015 87c5 8cc2 de50 aa28 4842 8018 .........P.(HB..
0x0030: 00e3 459d 0000 0101 080a e916 985e 2a3b ..E..........^*;
0x0040: b82d 3530 3020 2731 3030 2c31 3037 2c32 .-500.'100,107,2
0x0050: 2c31 382c 3134 392c 3739 504f 5254 2031 ,18,149,79PORT.1
0x0060: 3932 2c31 3638 2c32 3534 2c32 2c31 3439 92,168,254,2,149
0x0070: 2c37 3927 3a20 636f 6d6d 616e 6420 6e6f ,79':.command.no
0x0080: 7420 756e 6465 7273 746f 6f64 2e0d 0a t.understood...
Add the missing assignments.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update the conntrack-tools manual to include some bits regarding init systems
and the integration with systemd.
More on this topic here:
http://ral-arturo.blogspot.com.es/2016/08/why-conntrackd-in-debian-is-better-with.html
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add reference to systemd integration in the manpage.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Refresh conntrackd.8 manpage to match the help message in the binary.
Changes are related to the syntax and options of conntrackd,
the syntax of the manpage itself and clarification of some aspects.
Also, break lines at 80 characters.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
It seems there are two kind of options:
* general commands (-d, -v, -h, -C)
* client commands (which requires another conntrackd instance)
Refresh the help message to better reflect this.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This release includes NAT IPv6 support for state synchronization,
list filtering with address masks, a new conntrackd.conf manpage,
initial systemd integration and other minor documentation updates.
Bump dependency to libnetfilter_conntrack 1.0.6 to make sure the
NAT IPv6 bits are there in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Remove the warning about outdated version of flex as it is not needed
anymore. This check was introduced back in 2008 to skip a broken flex
version that doesn't seem to be packaged by any distribution anymore.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We don't use 'struct nfct_attr_grp_ipv6', actually 'uint32_t * 4'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
So we can properly sync NATed IPv6 connections.
Thanks to Florian Westphal for originally ponting me to this lack of
support in conntrackd, which saved me a lot of time.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If we include tests/ in the release tarball, downstream distributors
can run the testsuites themselves while developing the packages.
This way, tests can be run in a more integrated environment and they can
discover errors related to the integration with the given distribution itself.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The missing commands: flush, disable, default-set and default-get
were added to the manpage.
The description of the subsystem has been corrected.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
By default, conntrackd is compiled with no built-in systemd support.
This patch updates the default runtime behaviour to be consistent
with what ./configure provides by default.
Thus, users should explicitly indicate "Systemd On" in their configuration
file to enable this. This shouldn't cause any problem to old users of
conntrackd.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for using CIDR notation in --{orig,tuple}-{src,dst} arguments,
instead of free-form formatting netmask in --mask-{src,dst}.
Example:
conntrack -L -s 2001:db8::/56
Instead of:
conntrack -L -s 2001:db8:: --mask-src ffff:ffff:ffff:ff00::
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
|
| |
|
|
|
|
|
|
|
| |
Prepare for CIDR support, by splitting nfct_set_addr_from_opt()
into nfct_parse_addr_from_opt() for parsing
and nfct_set_addr_opt() for storing.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch extends --mask-src and --mask-dst to also work
with the conntrack table, with commands -L, -D, -E and -U.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This option was already silently allowed by 991fc4ae,
but didn't have any effect.
This patch adds the check and documents it.
Cc: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The binary under test should be the one, this ensures
that it is in sync with the tests performed, and that
users who build from source, can test the binary prior
to `make install`.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Got tired of having to exit the editor, before testing.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Use scandir(3) instead of opendir(3), so that the tests are
run in the expected order, otherwise it doesn't make
sense to prefix the testfiles with a two digit number,
giving the impression that they are run in order.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Store tuple-src and tuple-dst in exptuple,
as used by the EXP_CREATE case.
Verified with doc/cli/test.sh
Also reorder the cases, so the netmask case is last.
Reported-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
{} is mask-src and mask-dst, [] is tuple-src and tuple-dst
mask-* should be stored in mask, tuple-* should be stored in exptuple.
This reverts commit 3309fdb4413cb32f9b95e05064dc9dbb56550939
since it mixed up {} and [].
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This new manpage describes all the configuration options of the conntrackd.conf
file.
While at it, point conntrackd(8) to this new manpage.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The GNU version of 'struct tcphdr' is not exposed by musl libc headers
unless _GNU_SOURCE is defined. Without this definition, the build fails
with:
rpc.c: In function 'rpc_helper_cb':
rpc.c:351:15: error: 'struct tcphdr' has no member named 'doff'
offset += th->doff * 4;
^
Signed-off-by: Rodrigo Rebello <rprebello@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds basic systemd support.
The feature can be enabled/disabled at configure time:
./configure --disable-systemd
Also, at runtime in conntrackd.conf
General {
Systemd on|off
}
(by default it's enabled both at runtime and at configure time)
* tell systemd about conntrackd readiness:
When conntrackd starts, it will send systemd the data "READY=1".
At the point the data is sent, conntrackd is fully ready to work
(configuration was OK, sockets OK, et all), so other actions depending
on conntrackd can be safely chained in the machine boot process.
* tell systemd about conntrackd shutting down:
If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1"
will be send to systemd so it learns about the daemon shutting down. Same
for manual signals.
* watchdog support:
The admin can configure systemd to watch the conntrackd daemon and perform
some actions if conntrackd dies: restart it, reboot the machine, etc...
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Let's improve feature selection with feedback from Jan Engelhardt
and Pablo Neira Ayuso.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for zone directions.
Since all options have the orig/reply as a prefix, I named it --orig-zone
and --reply-zone to stay consistent with the rest of the cmdline options.
As for the option chars, there was no unallocated reasonable combination,
thus only long options are officially exposed in the help, similarly as in
other cases.
Test suite results, after patch: OK: 79 BAD: 0
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
