| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Make sure we have a clean exit on error, everything needs to be properly
released.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Release the child_process structure in case that fork() fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Otherwise this can result in an off-by-one array access.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The maximum number of attribute is NTA_EXP_MAX for expectation sync messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Extensions register protocols by lowercase protocol name, but value of
proto command line option may be uppercase. Extension related options
cannot be used when protocol name comparision fails.
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Szilárd Pfeiffer <pfeiffer.szilard@balabit.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
ct and myct have both already been checked for non-NULL,
so there's no need to check either of them again later.
Signed-off-by: Paul Aitken <paitken@brocade.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
'numbytes' isn't used and can be removed.
Signed-off-by: Paul Aitken <paitken@brocade.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
memset fills bytes, not ulongs - so the second parameter
(the fill value) has to be a byte.
Reported-by: Paul Aitken <paitken@brocade.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
If the user didn't specify a queue length in the configuration file it
will have a length of 0. Allow the kernel's default to take precedence
instead.
Signed-off-by: Charles (Chas) Williams <ciwillia@brocade.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The source uses linux names for members of tcphdr. For example
"source" instead of "th_sport", ... musl libc's headers need
_GNU_SOURCE defined in order to expose these.
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Some people use interface names with underscores, so allow them from the
flex scanner.
Original patch from http://patchwork.ozlabs.org/patch/440600/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When updating labels we always have to send the same sized bitmask as
we received, as the bits we do omit will otherwise cleared as "padding".
Mask has to have the same size as the labels, otherwise it will not be
encoded by libnetfilter_conntrack, as different sizes are not accepted
by the kernel either.
Finally, kernel only retains old bit values that we send as zeroes in
BOTH the label and the mask, due to XOR used in bit manipulation.
This patch fixes all these issues and allows updates to set new labels
without accidentally clearing old ones.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Detected by cppcheck
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic
and the corresponding kernel modules that track this traffic are not
available.
Fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=910
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Otherwise, the kernel may select a different interface for the client
side. Original patch from Michael Griego.
While at it, remove some trailing whitespaces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new interface supersedes the /proc interface:
/proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout
to tune default conntrack timeout helpers.
# nfct timeout default-get inet tcp
.l3proto = 2,
.l4proto = 6,
.policy = {
.SYN_SENT = 120,
.SYN_RECV = 60,
.ESTABLISHED = 432000,
.FIN_WAIT = 120,
.CLOSE_WAIT = 60,
.LAST_ACK = 30,
.TIME_WAIT = 120,
.CLOSE = 10,
.SYN_SENT2 = 120,
.RETRANS = 300,
.UNACKNOWLEDGED = 300,
},
};
# nfct timeout default-set inet tcp ESTABLISHED 100
As replacement for the existing /proc interfaces for timeout tweaking.
This feature requires a Linux kernel >= 3.13.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This fixes a compilation breakage when libnetfilter_cttimeout.h is
not installed.
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Here is a patch which adds a userspace conntrack helper for the SSDP
protocol. This is based on the code found at:
http://marc.info/?t=132945775100001&r=1&w=2
I'm not sure how to get my laptop to play at IPv6, so I've not tested
this part, but I've tested the IPv4 section and it works.
Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use CONNTRACKD_LIB_DIR instead of hardcoded path.
Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
helper's list and flush commands handlers shouldn't call
mnl_socket_close on the passed netlink socket as it is done in the
main function after parse_params call.
Bug introduced in (3c78a45 nfct: src: consolidate netlink
socket creation).
Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds a userspace port of the amanda helper that is
currently implemented in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| |
|
|
|
|
|
|
| |
This patch adds an userspace port of the TFTP helper that is currently
implemented in the kernel. This includes NAT support. It requires a
Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
This patch adds an userspace port of the SANE helper that is currently
implemented in the kernel. This requires Linux kernel 3.12 to work.
|
| |
|
|
|
|
|
| |
Open the socket from the main function, then pass it as parameter
to the corresponding interpreter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add helper function nfct_mnl_talk and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch is a cleanup to split this function in smaller chunks.
It is required to prepare default protocol timeout tuning via
netlink.
|
| |
|
|
|
|
|
| |
The kernel bails out for unsupported protocols. Moreover, we
don't need to upgrade to support new protocols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch allows you to disable userspace helper support and
conntrack timeout tuning at build stage.
By default, both features are enabled, to avoid breaking backward
compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Modularize timeout and helper extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the DHCPv6 helper.
1) nfct helper add dhcpv6 inet6 udp
2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6
3) run conntrackd
You should see:
% conntrack -L exp -f ipv6
279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This requires the Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
If we fail to update an entry, just try to continue with the next one
instead of exiting.
Can happen f.e. when using "conntrack -U --add-label bla", but the
conntrack entry in the kernel does not have the label extension set.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
new options "--label-add" and "--label-delete" to alter connlabels
assigned to a connection.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Using -l foo -l bar caused the "foo" label to be lost.
Merge multiple -l options so "-l foo,bar" and "-l foo -l bar" have same
effect.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Rename get_table to generic "optional argument handling" helper,
so it can be re-used in upcoming patch.
While at it, avoid copy&paste of "labelmap" handling.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Use selected the family, instead of inconditionally request for IPv4.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Set to zero the entire address if needed, not just 4 bytes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
short options were always reported as "unknown argument".
getopt(3) says:
if [it] finds an option character in argv that was not included in
optstring, or if it detects a missing option argument, it returns '?'
and sets the external variable optopt to the actual option character.
If the first character [...] of optstring is a colon (':'),
then getopt() returns ':' instead of '?' to indicate a missing option
argument.
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
commit d343b8c (conntrack: add connlabel format attribute) erronously
removed _UNKNOWN format, i.e. conntrack -L displayed
[UPDATE] tcp 6 114 TIME_WAIT src=..
^^^^^
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- check if ct has label attribute, and at least one label
(bit) is set
- serialize bitmap into array-of-u32, in network byte order
- add code to build new nfct_bitmask object from array-of-u32
Current parse functions don't have length information,
this adds optional parse2() which gets struct netattr pointer.
Attributes that want to use parse2 need to set .maxsize to nonzero
value.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch simplifies the expectation filtering by looking up for the
master conntrack. If it does not exists, then we assume that we don't
want this expectation either.
This simplification also fixes the current broken expectation filtering,
since the master conntrack from expectations has neither reply tuple
nor state, however, the filtering code assumes the opposite.
This partially reverts (479a37a conntrackd: fix crash with IPv6 expectation
in the filtering code) since it was incorrectly setting the reply tuple
of the master conntrack.
Thanks to Bill Fink for providing feedback to resolve this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> a = 2654435769 b = 2654435769 c = 0 len = 4
> #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
The master conntrack of the expectation has no reply tuple. However, the
filtering routine needs it. To avoid this issue, emulate the source
address in the reply tuple.
While at it, fix incorrect sanity checking that should have caught
this issue.
Thanks to Florian Westphal for initial diagnosing of this bug.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch deprecates the `Family' tweak in the configuration file.
Several reasons for this:
* If not specified, this was default to IPv4 only in table dumps from
the kernel. However, non-IPv4 events were still received. This is
inconsistent.
* It's an early tweak that was not documented (not included in any
of the example files).
If we want to support any sort of consistent filtering based on the
family, this should happen in the filtering code.
After this patch, conntrackd uses AF_UNSPEC to dump the conntrack and
expectation tables from the kernel.
Reported-by: Bill Fink <billfink@mindspring.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use source and destination address, not only source address for
hashing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
