| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The -A command works exactly the same way as -I except that it
does not fail if the ct entry already exists.
This command is useful for the batched ct loads to not abort if
some entries being applied exist.
The ct entry dump in the "save" format is now switched to use the
-A command as well for the generated output.
Also tests added to cover the -A command.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The old way of the commands_v_options initialization made it more
difficult and error-prone to add a map for a new command, because one
would have to calculate a proper "index" for the initializer and fill
the gap with zeros.
As a preparation step for adding the new "-A" command support,
switch to C99 initializer syntax for commands_v_options.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit allows dumping conntrack entries in the format
used by the conntrack parameters, aka "save" output format.
This is useful for saving ct entry data to allow applying
it later on.
To enable the "save" output the "-o save" parameter needs
to be passed to the conntrack tool invocation.
[ pablo@netfilter.org: several updates to the original patch ]
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@cloud.ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
# conntrack -L -u OFFLOAD
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for zone directions.
Since all options have the orig/reply as a prefix, I named it --orig-zone
and --reply-zone to stay consistent with the rest of the cmdline options.
As for the option chars, there was no unallocated reasonable combination,
thus only long options are officially exposed in the help, similarly as in
other cases.
Test suite results, after patch: OK: 79 BAD: 0
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
new options "--label-add" and "--label-delete" to alter connlabels
assigned to a connection.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Linux kernel >= 3.6.x, we can dump the conntrack statistics
via ctnetlink instead of using the /proc interface:
conntrack -S
cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
conntrack -S exp
cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141
cpu=1 expect_new=390 expect_create=37496 expect_delete=1531
cpu=2 expect_new=333 expect_create=68117 expect_delete=1895
cpu=3 expect_new=71 expect_create=13366 expect_delete=1255
Note that the output is not backward-compatible, but we fail back to previous
output in case that ctnetlink stats dumping is not available.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick's McHardy iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds GRE support for the command line tool conntrack.
With this patch, we support all protocols available in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
|
| |
|
|
|
|
| |
This patch adds DCCP support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds SCTP support to the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds UDPlite support for the command line tool conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the generic_opt_check() function to add
extra information on the possible option combinations. Under
some specific situations, like the creation and getting of
a conntrack, you may specify the original or the reply tuple
but at least one MUST be present. This handling has been
always tricky, it still remains but we're more user friendly
at least.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds `-S' command to display kernel statistics. Using
raw `cat' on /proc and the hexadecimal output is not very handy.
This option parses the /proc entry and display the information
is a more human friendly way.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds the -C command, to display the table counter. In the
case of `-C conntrack' the tool reads the proc interface. For
expectation, it loops on the table to count the number of entries
(as there is not proc interface to display the number of
expectations).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes filtering for unsupported protocol. Thus, you can
use -L -p 47 or -L -p gre to filter `gre' traffic.
Based on an initial patch from Bryan Duff <bduff@astrocorp.com>.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch removes the use of snprintf and directly print the XML header
to the standard output. This simplifies the handling.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add new option --buffer-size for -E to set the netlink socket buffer
size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
|
| |
|
|
|
|
| |
o recover the ID support
o show display counters to stderr
o enable filtering by status and ID
|
| | |
|
| |
|
|
|
| |
o add ICMPv6 (-p icmpv6) support
o add possibility to distinguish between invalid (unknown) and empty proto
|
| |
|
|
| |
import only required C headers and put local headers on top to check
|
| |
|
|
| |
use C99 integers (uint32_t instead of u_int32_t)
|
| |
|
|
| |
Fix tons of gcc warnings
|
| |
|
|
|
|
|
|
|
|
|
| |
o fix missing `-g' and `-n' options in getopt_long control string
o add support for secmark (requires Linux kernel >= 2.6.25)
o add mark and secmark information to the manpage
o cleanup error message
= conntrackd =
o add support for secmark (requires Linux kernel >= 2.6.25)
o add conntrackd (8) manpage
|
| |
|
|
|
|
|
|
|
| |
- use buffer of MTU size
conntrack:
- better protocol argument checkings
- fix per-protocol filtering, eg. conntrack -[L|E] -p tcp now works
- show per-protocol help, ie. conntrack -h -p tcp
- add alias --src for --orig-src and alias --dst for --orig-dst
|
| | |
|
| |
|
|
| |
o several fixes for the output of usage messages
|
| |
|
|
|
|
|
|
| |
- split expect_api_test.c into small example files expect_*.c
- introduce alias tags for original tuple attributes
- introduce nfexp_sizeof and nfexp_maxsize
- build expectation attributes iif they are set
- fix l3num setting in expect/build.c
|
| |
|
|
| |
chain
|
| | |
|
| | |
|
| |
|
|
| |
o Bumped version to 1.00beta2
|
| |
|
|
|
|
|
|
|
|
|
|
| |
o add IPv6 support: main change
o removed dead code: iptables_insmod and get_modprobe
o compact the commands vs. options table
o move working vars from the stack to the BSS section
o update manpage
o Bumped version to 1.0beta1
<yasuyuki.kozakai@toshiba.co.jp>
o check address family mismatch
o fix incomplete copying IPv6 addresses
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
