| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
| |
So we can properly sync NATed IPv6 connections.
Thanks to Florian Westphal for originally ponting me to this lack of
support in conntrackd, which saved me a lot of time.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
If we include tests/ in the release tarball, downstream distributors
can run the testsuites themselves while developing the packages.
This way, tests can be run in a more integrated environment and they can
discover errors related to the integration with the given distribution itself.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The missing commands: flush, disable, default-set and default-get
were added to the manpage.
The description of the subsystem has been corrected.
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
By default, conntrackd is compiled with no built-in systemd support.
This patch updates the default runtime behaviour to be consistent
with what ./configure provides by default.
Thus, users should explicitly indicate "Systemd On" in their configuration
file to enable this. This shouldn't cause any problem to old users of
conntrackd.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for using CIDR notation in --{orig,tuple}-{src,dst} arguments,
instead of free-form formatting netmask in --mask-{src,dst}.
Example:
conntrack -L -s 2001:db8::/56
Instead of:
conntrack -L -s 2001:db8:: --mask-src ffff:ffff:ffff:ff00::
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
|
|
|
|
|
|
|
|
|
| |
Prepare for CIDR support, by splitting nfct_set_addr_from_opt()
into nfct_parse_addr_from_opt() for parsing
and nfct_set_addr_opt() for storing.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch extends --mask-src and --mask-dst to also work
with the conntrack table, with commands -L, -D, -E and -U.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This option was already silently allowed by 991fc4ae,
but didn't have any effect.
This patch adds the check and documents it.
Cc: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The binary under test should be the one, this ensures
that it is in sync with the tests performed, and that
users who build from source, can test the binary prior
to `make install`.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Got tired of having to exit the editor, before testing.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Use scandir(3) instead of opendir(3), so that the tests are
run in the expected order, otherwise it doesn't make
sense to prefix the testfiles with a two digit number,
giving the impression that they are run in order.
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Store tuple-src and tuple-dst in exptuple,
as used by the EXP_CREATE case.
Verified with doc/cli/test.sh
Also reorder the cases, so the netmask case is last.
Reported-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
{} is mask-src and mask-dst, [] is tuple-src and tuple-dst
mask-* should be stored in mask, tuple-* should be stored in exptuple.
This reverts commit 3309fdb4413cb32f9b95e05064dc9dbb56550939
since it mixed up {} and [].
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This new manpage describes all the configuration options of the conntrackd.conf
file.
While at it, point conntrackd(8) to this new manpage.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The GNU version of 'struct tcphdr' is not exposed by musl libc headers
unless _GNU_SOURCE is defined. Without this definition, the build fails
with:
rpc.c: In function 'rpc_helper_cb':
rpc.c:351:15: error: 'struct tcphdr' has no member named 'doff'
offset += th->doff * 4;
^
Signed-off-by: Rodrigo Rebello <rprebello@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds basic systemd support.
The feature can be enabled/disabled at configure time:
./configure --disable-systemd
Also, at runtime in conntrackd.conf
General {
Systemd on|off
}
(by default it's enabled both at runtime and at configure time)
* tell systemd about conntrackd readiness:
When conntrackd starts, it will send systemd the data "READY=1".
At the point the data is sent, conntrackd is fully ready to work
(configuration was OK, sockets OK, et all), so other actions depending
on conntrackd can be safely chained in the machine boot process.
* tell systemd about conntrackd shutting down:
If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1"
will be send to systemd so it learns about the daemon shutting down. Same
for manual signals.
* watchdog support:
The admin can configure systemd to watch the conntrackd daemon and perform
some actions if conntrackd dies: restart it, reboot the machine, etc...
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Let's improve feature selection with feedback from Jan Engelhardt
and Pablo Neira Ayuso.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for zone directions.
Since all options have the orig/reply as a prefix, I named it --orig-zone
and --reply-zone to stay consistent with the rest of the cmdline options.
As for the option chars, there was no unallocated reasonable combination,
thus only long options are officially exposed in the help, similarly as in
other cases.
Test suite results, after patch: OK: 79 BAD: 0
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Since dd73ceecdbe8 ("nfct: Update syntax to specify command before subsystem")
the command comes before the object type. Update documentation accordingly.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch gets the nfct syntax in sync with nft so it looks like this:
nfct <add|delete|...> object ...
instead of:
nfct object <add|delete|...> ...
This patch retains backward compatibility so you can still use the old syntax.
The manpage and tests have been also updated to promote the adoption of this
syntax. We should have little existing clients of this tool as we can only use
this to configure the cttimeout and cthelper infrastructures.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This reports:
run-test.sh: line 3: UID: read-only variable
rename it to _UID.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nfct program uses none of the symbols of libnetfilter_conntrack.
Linking against it means that distributors have to maintain an useless
depedency.
This was spotted by the dpkg-shlibdeps tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This file is likely dead code. It's outdated.
Also I think distributors should manage themselves to integrate daemons in
their operating systems. Following this idea, this file doesn't belong here.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[...]
CC conntrack.o
In file included from ../include/conntrack.h:4:0,
from conntrack.c:41:
conntrack.c: In function ‘findproto’:
../include/linux_list.h:385:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
for (pos = list_entry((head)->next, typeof(*pos), member), \
^
[...]
The original patch is from Patrick McHardy <kaber@trash.net>.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Fortunately, the TLVs come in order in the message, however, if the order is
changed we'll incorrectly set up the expectation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is not exposed, but use the strncpy() variant to calm down static code
validators.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
The same code is executed regardless the reason why accept() has failed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Make sure we have a clean exit on error, everything needs to be properly
released.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Release the child_process structure in case that fork() fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Otherwise this can result in an off-by-one array access.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
The maximum number of attribute is NTA_EXP_MAX for expectation sync messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Extensions register protocols by lowercase protocol name, but value of
proto command line option may be uppercase. Extension related options
cannot be used when protocol name comparision fails.
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|