| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
| |
struct cache::features is of type struct cache_feature **, allocate and
populate accordingly.
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This is cosmetics only, but stops valgrind from complaining about
definitely lost memory.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions without but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to flush the conntrack
table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to delete
the conntrack table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to update the conntrack
table entries.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Provide a helper function to build and send the netlink request, this allows
to consolidate nfct_mnl_get() and nfct_mnl_create().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
nfct_mnl_recv() is misleading, this helper function allows you to
perform a netlink dump, rename it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
.... those do not indicate bugs, but they are distracting.
'exp_filter_add' at filter.c:513:2:
__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
This warning is because the size argument passed to strncpy() is
identical to buffer size, i.e. if hit the resulting string is not
0-terminated.
read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
... its because the _MAXLEN constants are one less than the output
buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses
sizeof().
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Use the already correctly determined transport header offset instead of
assuming that the packet is IPv4.
Signed-off-by: Aaron Thompson <dev@aaront.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
In preparation for using multiple instances of mnl sockets
required for conntrack entries update and delete support.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Use libmnl to create entries through the new nfct_mnl_create() helper
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Moreover, remove NLM_F_DUMP for IPCTNL_MSG_CT_GET_STATS since ctnetlink
ignores this flag, this is simple netlink get command, not a dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add helper function to consolidate nfct_mnl_dump() and nfct_mnl_get().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`AM_PROG_LEX` calls `AC_PROG_LEX` with no arguments, but this usage is
deprecated. The only difference between `AM_PROG_LEX` and `AC_PROG_LEX`
is that the former defines `$LEX` as "./build-aux/missing lex" if no lex
is found to ensure a useful error is reported when make is run. How-
ever, the configure script checks that we have a working lex and exits
with an error if none is available, so `$LEX` will never be called and
we can replace `AM_PROG_LEX` with `AC_PROG_LEX`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
automake generates rules to remove the files generated by bison
and flex by default, so there is no need to add them explicitly to
MAINTAINERCLEANFILES.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
automake recommends including the files generated by bison and flex in
distribution tar-balls and runs bison and flex during `make dist` to
generate them. Thus, in the normal case where the software is being
compiled by an end-user, the generated files already exist and bison and
flex are not required. Therefore, amend the configure script only to
require them if the generated files do not exist.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Use libmnl and libnetfilter_conntrack mnl helpers to dump the conntrack
table entries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add missing features in dump_cb() to mnl_nfct_dump_cb().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
In preparation for kernel filtering support for nfct_mnl_dump().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Depending on your conntrackd configuration, events might get lost,
leaving stuck entries in the cache forever. Skip checking the conntrack
ID to allow for lazy cleanup by when a new entry that is represented by
the same tuple is added.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
List it as a built source in order to force make to create it before
compilation. Otherwise, a parallel make can end up attempting to
compile the output of lex before yacc has finished generating its own
output:
$ make -j17
[...]
YACC read_config_yy.c
LEX read_config_lex.c
CC stack.o
CC resync.o
CC cthelper.o
CC helpers.o
CC utils.o
CC expect.o
CC systemd.o
CC nfct.o
CC nfct-extensions/helper.o
CC nfct-extensions/timeout.o
CC read_config_lex.o
read_config_lex.l:25:10: fatal error: read_config_yy.h: No such file or directory
25 | #include "read_config_yy.h"
| ^~~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:701: read_config_lex.o] Error 1
make[2]: *** Waiting for unfinished jobs....
updating read_config_yy.h
make[2]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
make[1]: *** [Makefile:743: all-recursive] Error 1
make[1]: Leaving directory '/space/azazel/work/git/netfilter/conntrack-tools/src'
make: *** [Makefile:541: all-recursive] Error 1
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Automake expects to distribute yacc- and lex-generated sources, so that
the user doesn't need to regenerate them. Therefore, the appropriate
target to clean them is `maintainer-clean`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Automake generates yacc and lex output files and includes them in
distributions as a matter of course.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
`AM_PROG_LIBTOOL` is superseded by `LT_INIT`, which also accepts options
to control the defaults for creating shared or static libraries.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This code has been commented out since at least 2007.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds a script (from 2010!) to set up an active-active
setup with the cluster match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This fixes this warning:
#warning "libnetfilter_queue/linux_nfnetlink_queue.h is deprecated, add #include <linux/netfilter/nfnetlink_queue.h> to your source code before #include <libnetfilter_queue/libnetfilter_queue.h>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
In some use-cases, zone is used to differetiate conntrack state. This preserves that uniqueness by adding zone into the cache in addtion to 5-tuple data
This preserves external-cache uniqueness per zone when synced.
Fixes: a08af5d26297 ("conntrack: fix zone sync issue")
Signed-off-by: Adam Casella <adam.casella1984@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While at it, also fix up commit
5ec55c2a0a264 ("conntrack: add support for CLASH_RESOLVED counter").
The intention was to also print unknown statistic counters provided
the attributes are of type u32, but mnl_attr_type_valid() needs the
correct max-attr number for this to work.
With this fix in place, conntrack -S shows:
cpu=3 found=0 inv[..] clash_resolve=0 unknown1=8200
on a modified kernel.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
The tests/conntrack/bulk-load-stress.sh is intended to be used for
stress-testing the bulk load of ct entries from a file (-R option).
Script usage detail is given by the ./bulk-load-stress.sh -h
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
conntrack tool prints [UNREPLIED] if a conntrack entry lacks the
SEEN_REPLY bit. Accept this as '-u' argument too.
If requested, mask is set to SEEN_REPLY and value remains 0 (bit not set).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
This change is backwards compatible:
Old kernels do not recognize CTA_STATUS_MASK attribute and will
ignore it (no filtering in kernel).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Userspace helpers cannot have overlapping queue number, update the
example file to fix the existing overlap.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Describe how to configure conntrackd using the new simple setup approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add ct_parse_be32() and ct_parse_be128() and use them to deal with
an IP address which is already in network byte order.
Reported-by: Tao Gong <gongtao0607@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tests to cover conntrack -L and conntrack -D with and w/o
family (-f) specfied.
conntrack -L and contnrack -D shold list/delete
both IPv4 and IPv6 entries if no family is specified,
and should ony display the corresponding entries if
the family is given.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit implements the --load-file option which allows processing
conntrack commands stored in file. Most often this would be used as
a counter-part for the -o save option, which outputs conntrack entries
in the format of the conntrack tool options. This could be useful when
one needs to add/update/delete a large set of ct entries with a single
conntrack tool invocation. This patch introduces a ct_cmd_list, which
represents a list of ct_cmd elements.
Expected syntax is "conntrack --load-file file". If "-" is given as a
file name, stdin is used. No other commands or options are allowed to
be specified in conjunction with the --load-file command. It is however
possible to specify multiple --load-file file pairs.
Example:
Copy all entries from ct zone 11 to ct zone 12:
conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | \
conntrack --load-file -
Joint work with Pablo.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix memleak in parser:
==8445== 3,808 bytes in 2 blocks are definitely lost in loss record 6 of 6
==8445== at 0x483577F: malloc (vg_replace_malloc.c:299)
==8445== by 0x112636: merge_options (conntrack.c:1056)
==8445== by 0x112636: do_parse (conntrack.c:2903)
==8445== by 0x11343E: ct_file_parse_line (conntrack.c:3672)
==8445== by 0x11343E: ct_parse_file (conntrack.c:3693)
==8445== by 0x10D819: main (conntrack.c:3750)
Fixes: 8f76d6360dbf ("conntrack: add struct ct_cmd")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Wrap code to display command stats in a function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Prepare for the batch support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Pass the command object to the nat, mark and IP address userspace
filters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Pass the command object to the userspace filter routine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Pass command object to initialize the userspace filter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Pass the command object to prepare for batch support.
Move ct_cmd structure definition right at the top of file otherwise
compilation breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|