| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
nfct_helper_attr_set_u8(), though when deleting
nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
causes trouble only on Big Endian.
Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Code assumed host architecture to be Little Endian. Instead produce a
proper mask by pushing the set bits into most significant position and
apply htonl() on the result.
Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-Wstringop-truncation warning was introduced in GCC-8 as truncation
checker for strncpy and strncat.
Systems using gcc version >= 8 would receive the following warnings:
read_config_yy.c: In function ‘yyparse’:
read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation]
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
main.c: In function ‘main’:
main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
168 | strncpy(config_file, argv[i], PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix the issue by checking for string length first. Also using
snprintf instead.
In addition, correct an off-by-one when warning about maximum config
file path length.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
# conntrack -L -u OFFLOAD
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Service Location Protocol (SLP) uses multicast requests for DA (Directory
agent) and SA (Service agent) discovery. Replies to these requests are
unicast and their source address does not match destination address of the
request so that we need a conntrack helper. A kernel helper was submitted
back in 2013 but was rejected as userspace helper infrastructure is
preferred. This adds an SLP helper to conntrackd.
As the function of SLP helper is the same as what existing mDNS helper
does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c,
except for the default timeout and example usage. As with mDNS helper,
there is no NAT support for the time being as that would probably require
kernel side changes and certainly further study (and could possibly work
only for source NAT).
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Use strdup in the config file lexer to copy strings to yylval.string. This
should solve the "[ERROR] unknown layer 3 protocol" problem here:
https://www.spinics.net/lists/netfilter/msg58628.html.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Attempts to get RPC headers from libtirpc if they aren't otherwise
available.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Always apply the userspace filter when doing a direct sync from the
kernel when internal cache is disabled, since a dump does not apply a
kernelspace filter.
Signed-off-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This makes the behaviour of "conntrackd -f" match that of "conntrackd
-f internal" with resepect to stopping a timer ("conntrackd -t") from
possibly flushing again in the future.
Signed-off-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
/etc/protocols defines protocol zero as 'ip' for IPv4, and
'hopopt' for IPv6, which can be used with conntrack as '-p ip'
or '-p hopopt'. However it's equivalent, '-p 0' is considered
unsupported. Change the range check in findproto() to allow
zero as well.
Signed-off-by: Brian Haley <bhaley@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Make sure we don't go over the buffer boundary.
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following command:
# conntrack -E -o userspace &
# conntrack -F
[DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE]
prints the [USERSPACE] tag at the end of the event, this tells users if
this event has been triggered by process, eg. via conntrack command
invocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Use libmnl instead libnfnetlink infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add parameter to nfct_mnl_socket_open() to subscribe to events.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Mark fall through cases as such. Note that correctness of those fall
throughs have not been verified.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the first switch() in that function, default case in second one
is unreachable. Given that both of them contain the same cases but the
first one merely acts as an invalid command barrier (adding no value to
the second one), drop the first one to make invalid commands actually
hit default case in the second switch().
Fixes: dd73ceecdbe87 ("nfct: Update syntax to specify command before subsystem")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
array, so upper boundary check has to treat a value of
ARRAY_SIZE(dhcpv6_timeouts) as invalid.
Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Missing 'for TCP' induces errors.
This was reported in Debian bug #916138 https://bugs.debian.org/916138
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CC read_config_lex.o
read_config_lex.c: In function ‘yy_get_next_buffer’:
read_config_lex.c:2101:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for ( n = 0; n < max_size && \
^
read_config_lex.c:3016:3: note: in expansion of macro ‘YY_INPUT’
YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
^~~~~~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
"conntrack -L -f ipv4" and "conntrack -L -f ipv6" each prints both
protocols. This is because the family filtering is now enabled only if
filter_mark_kernel_set is true.
Fixes: 8b8377163697 ("conntrack: send mark filter to kernel iff set")
Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We may assume that if an user does build conntrackd with such feature, is with
the intention to use it. So, if that's the case, default to use it.
This eases some downstream use cases when dealing with default configs to
be shipped to final users.
This could be a mid-point solution, given some users are asking for a full
revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Move this to test/
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Back in 2008, there was no TCP flags support in the kernel, hence the
workaround was to infer the flags from the TCP state.
This patch is implicitly fixing a problem, since the existing RETRANS
and UNACK TCP conntrack states plus the _CLOSE_INIT flag that is bogusly
infered (to be frank, it was correctly infered back in 2008, but after
adding new TCP states, it was not).
Let's just use the flags that we get via synchronization messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Typos, duplicated systemd word in the sentence and 'obviously'.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Refresh manpage, fixing typos, rearranging some sentences, introducing line
breaks at max. 80 columns, markup fixes, and so on.
Apart of some minor cosmetics fixes, no actual content is changed.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Any of these nf drivers could be built-ins instead of modules; don't cause
the testsuite to fail on modprobe, instead let it proceed and succeed/fail
later based on actual test results.
Ideally we would check up front if the driver is loaded rather than trying
to modprobe and ignoring failures, but there doesn't seem to be a reliable
place to check this in the kernel filesystem.
Signed-off-by: Steve Langasek <steve.langasek@ubuntu.com>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
For musl libc to expose the members of `struct tcphdr`, _GNU_SOURCE
needs to be defined.
Fixes: b61c4543cbde ("conntrackd: cthelper: ssdp: Track UPnP eventing")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
When read cpu conntrack stats from /proc/net/stat/nf_conntrack,
it only shows stats from cpu0.
This patch list all cpus' conntrack stats like what `nfexp_stats_cb` did.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Remove the warning message for the -S option which has been deprecated for
years now.
Users calling conntrackd with this switch activated will now get an error.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to prevent netlink buffer overrun, conntrackd is recommended to run
at max priority.
Make conntrackd to use a RT (SHED_RR) scheduler by default at max priority.
This is common among other HA daemons. For example corosync uses SCHED_RR
by default.
The scheduler configuration option is kept in order to allow admins to perform
fine-tuning, but it is deleted from example configuration files.
Note that this default sched priority is so high that it makes the nice value
useless, so deprecate the nice configuration. Anyway the nice value can be set
externally at runtime using nice/renice.
The code is moved to the init() routine. In case of error setting the
scheduler, the system default will be used. Report a message to the user
and continue working.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This configuration option doesn't add any value to users.
Use the magic value of 100 (i.e, the socket will keep 100 pending connections),
which I think is fair enough for what conntrackd can do in the unix socket.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Close the logs and lockfile if error while forking.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Run the evaluation step sooner in the conntrackd startup routine.
Don't close log or unlink lockfile at this stage.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The goal of this patch is to fix the ipv6 support when conntrackd is
cross-compiled. The AC_RUN_IFELSE macro must be avoided as much as possible.
See section 6.6 of the gnu autoconf:
"If you really need to test for a runtime behavior while configuring, you can
write a test program to determine the result, and compile and run it using
AC_RUN_IFELSE. Avoid running test programs if possible, because this prevents
people from configuring your package for cross-compiling."
Let's remove this check and test the returned error to handle the case where
ipv6 is not supported (inet_pton() returns -1 when the family is not supported).
Reported-by: Zhenlin Zhang <zhenlin.zhang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
If a node goes to live, ask the other for resync at startup.
This has to be done usually by hand, but I guess is an operation common
enough to add some bits to ease people life here.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
These digest_msg() functions can use resync_send() as well.
While at it, bring back a call to kernel_resync() in notrack_local() which was
lost in a previous commit.
Fixes: 131df891f77dc75515d5eabdedd9818105d29f5a ("conntrackd: factorize resync operations")
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Resync operations factorization. There are two:
* resync_send --> conntrackd -B (send bulk resync)
* resync_req --> conntrackd -n (request resync)
Future patches reuse this factorized code.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
They are shared by both sync-ftfw and sync-notrack.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Refactor and improve nat support to allow conntrack to manage IPv6
NAT entries.
Refactor and improve conntrack nat tests to include IPv6 NAT.
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new evaluate() function that can be used to spot
inconsistent configurations.
Don't allow CommitTimeout with DisableExternalCache On since this
results in EINVAL errors. CommitTimeout makes no sense with no external
cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This warning has been there for long time, and the example files we
provide already come with the right syntax, so remove this old chunk.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The UPnP Device Architecture spec provides a way for devices to connect
back to control points, called "Eventing" (chapter 4). This sequence can
look something like:
1) Outbound multicast M-SEARCH packet (dst: 1900/udp)
- Create expectation for unicast reply from <any host> to source port
2) Inbound unicast reply (there may be several of these from different devices)
- Find the device's URL, e.g.
LOCATION: http://192.168.1.123:1400/xml/device_description.xml
- Create expectation to track connections to this host:port (tcp)
3) Outbound connection to device's web server (there will be several of these)
- Watch for a SUBSCRIBE request
- Find the control point's callback URL, e.g.
CALLBACK: <http://192.168.1.124:3500/notify>
- Create expectation to open up inbound connections to this host:port
4) Inbound connections to control point's web server
- The device will send NOTIFY HTTP requests to inform the control point
of new events. These can continue indefinitely. Each NOTIFY
request arrives on a new TCP connection and may have a different
source port.
Add the necessary code to create expectations for each of these
connections and rewrite the IP in the CALLBACK URL. Tested with and
without NAT.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
We can just remove the strdup() from the lexer, given that we always
copy these strings in the parser.
Reported-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
According to valgrind, this currently leaks ~512B to 2kB for each
packet sent to the userspace helper.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so
it should be freed at the end of the loop. Some of the other helpers
(like rpc.c) do this, but it is missing here.
Reported-by: Eric Caruso <ejcaruso@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Do not set a mark filter to ctnetlink if the user doesn't explicitly
specify this.
Fixes: aa925010951e ("conntrack: allow to filter by mark from kernel-space")
Reported-by: Joseph Conley <joseph.j.conley@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|