Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: it uses the helper objects'
parsing functions but doesn't provide all symbols the objects use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The kernel defines NFCTH_TUPLE_L4PROTONUM as type NLA_U8. When adding a
helper, the NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
nfct_helper_attr_set_u8(), though when deleting,
nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
causes trouble only on big-endian systems.
Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch gets the nfct syntax in sync with nft, so it looks like this:
nfct <add|delete|...> object ...
instead of:
nfct object <add|delete|...> ...
This patch retains backward compatibility, so you can still use the old syntax.
The manpage and tests have also been updated to promote the adoption of this
syntax. We should have few existing clients of this tool, as it can only be used
to configure the cttimeout and cthelper infrastructures.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The helper's list and flush command handlers shouldn't call
mnl_socket_close() on the passed netlink socket, as this is done in the
main function after the parse_params() call.
Bug introduced in 3c78a45 ("nfct: src: consolidate netlink
socket creation").
Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Open the socket from the main function, then pass it as a parameter
to the corresponding interpreter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add helper function nfct_mnl_talk and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Modularize timeout and helper extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Instead of a hardcoded path to /usr/lib/conntrack-tools/, which might
not be correct if options like --prefix with a different location are
passed to conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>