| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-Wstringop-truncation warning was introduced in GCC-8 as truncation
checker for strncpy and strncat.
Systems using gcc version >= 8 would receive the following warnings:
read_config_yy.c: In function ‘yyparse’:
read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation]
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
main.c: In function ‘main’:
main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
168 | strncpy(config_file, argv[i], PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix the issue by checking for string length first. Also using
snprintf instead.
In addition, correct an off-by-one when warning about maximum config
file path length.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
# conntrack -L -u OFFLOAD
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Service Location Protocol (SLP) uses multicast requests for DA (Directory
agent) and SA (Service agent) discovery. Replies to these requests are
unicast and their source address does not match destination address of the
request so that we need a conntrack helper. A kernel helper was submitted
back in 2013 but was rejected as userspace helper infrastructure is
preferred. This adds an SLP helper to conntrackd.
As the function of SLP helper is the same as what existing mDNS helper
does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c,
except for the default timeout and example usage. As with mDNS helper,
there is no NAT support for the time being as that would probably require
kernel side changes and certainly further study (and could possibly work
only for source NAT).
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Use strdup in the config file lexer to copy strings to yylval.string. This
should solve the "[ERROR] unknown layer 3 protocol" problem here:
https://www.spinics.net/lists/netfilter/msg58628.html.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Attempts to get RPC headers from libtirpc if they aren't otherwise
available.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Always apply the userspace filter when doing a direct sync from the
kernel when internal cache is disabled, since a dump does not apply a
kernelspace filter.
Signed-off-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This makes the behaviour of "conntrackd -f" match that of "conntrackd
-f internal" with resepect to stopping a timer ("conntrackd -t") from
possibly flushing again in the future.
Signed-off-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
/etc/protocols defines protocol zero as 'ip' for IPv4, and
'hopopt' for IPv6, which can be used with conntrack as '-p ip'
or '-p hopopt'. However it's equivalent, '-p 0' is considered
unsupported. Change the range check in findproto() to allow
zero as well.
Signed-off-by: Brian Haley <bhaley@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Make sure we don't go over the buffer boundary.
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following command:
# conntrack -E -o userspace &
# conntrack -F
[DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE]
prints the [USERSPACE] tag at the end of the event, this tells users if
this event has been triggered by process, eg. via conntrack command
invocation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Use libmnl instead libnfnetlink infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add parameter to nfct_mnl_socket_open() to subscribe to events.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Mark fall through cases as such. Note that correctness of those fall
throughs have not been verified.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the first switch() in that function, default case in second one
is unreachable. Given that both of them contain the same cases but the
first one merely acts as an invalid command barrier (adding no value to
the second one), drop the first one to make invalid commands actually
hit default case in the second switch().
Fixes: dd73ceecdbe87 ("nfct: Update syntax to specify command before subsystem")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
array, so upper boundary check has to treat a value of
ARRAY_SIZE(dhcpv6_timeouts) as invalid.
Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CC read_config_lex.o
read_config_lex.c: In function ‘yy_get_next_buffer’:
read_config_lex.c:2101:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for ( n = 0; n < max_size && \
^
read_config_lex.c:3016:3: note: in expansion of macro ‘YY_INPUT’
YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
^~~~~~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
"conntrack -L -f ipv4" and "conntrack -L -f ipv6" each prints both
protocols. This is because the family filtering is now enabled only if
filter_mark_kernel_set is true.
Fixes: 8b8377163697 ("conntrack: send mark filter to kernel iff set")
Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We may assume that if an user does build conntrackd with such feature, is with
the intention to use it. So, if that's the case, default to use it.
This eases some downstream use cases when dealing with default configs to
be shipped to final users.
This could be a mid-point solution, given some users are asking for a full
revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Back in 2008, there was no TCP flags support in the kernel, hence the
workaround was to infer the flags from the TCP state.
This patch is implicitly fixing a problem, since the existing RETRANS
and UNACK TCP conntrack states plus the _CLOSE_INIT flag that is bogusly
infered (to be frank, it was correctly infered back in 2008, but after
adding new TCP states, it was not).
Let's just use the flags that we get via synchronization messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
For musl libc to expose the members of `struct tcphdr`, _GNU_SOURCE
needs to be defined.
Fixes: b61c4543cbde ("conntrackd: cthelper: ssdp: Track UPnP eventing")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
When read cpu conntrack stats from /proc/net/stat/nf_conntrack,
it only shows stats from cpu0.
This patch list all cpus' conntrack stats like what `nfexp_stats_cb` did.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Remove the warning message for the -S option which has been deprecated for
years now.
Users calling conntrackd with this switch activated will now get an error.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to prevent netlink buffer overrun, conntrackd is recommended to run
at max priority.
Make conntrackd to use a RT (SHED_RR) scheduler by default at max priority.
This is common among other HA daemons. For example corosync uses SCHED_RR
by default.
The scheduler configuration option is kept in order to allow admins to perform
fine-tuning, but it is deleted from example configuration files.
Note that this default sched priority is so high that it makes the nice value
useless, so deprecate the nice configuration. Anyway the nice value can be set
externally at runtime using nice/renice.
The code is moved to the init() routine. In case of error setting the
scheduler, the system default will be used. Report a message to the user
and continue working.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This configuration option doesn't add any value to users.
Use the magic value of 100 (i.e, the socket will keep 100 pending connections),
which I think is fair enough for what conntrackd can do in the unix socket.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Close the logs and lockfile if error while forking.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Run the evaluation step sooner in the conntrackd startup routine.
Don't close log or unlink lockfile at this stage.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The goal of this patch is to fix the ipv6 support when conntrackd is
cross-compiled. The AC_RUN_IFELSE macro must be avoided as much as possible.
See section 6.6 of the gnu autoconf:
"If you really need to test for a runtime behavior while configuring, you can
write a test program to determine the result, and compile and run it using
AC_RUN_IFELSE. Avoid running test programs if possible, because this prevents
people from configuring your package for cross-compiling."
Let's remove this check and test the returned error to handle the case where
ipv6 is not supported (inet_pton() returns -1 when the family is not supported).
Reported-by: Zhenlin Zhang <zhenlin.zhang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
If a node goes to live, ask the other for resync at startup.
This has to be done usually by hand, but I guess is an operation common
enough to add some bits to ease people life here.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
These digest_msg() functions can use resync_send() as well.
While at it, bring back a call to kernel_resync() in notrack_local() which was
lost in a previous commit.
Fixes: 131df891f77dc75515d5eabdedd9818105d29f5a ("conntrackd: factorize resync operations")
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Resync operations factorization. There are two:
* resync_send --> conntrackd -B (send bulk resync)
* resync_req --> conntrackd -n (request resync)
Future patches reuse this factorized code.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
They are shared by both sync-ftfw and sync-notrack.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Refactor and improve nat support to allow conntrack to manage IPv6
NAT entries.
Refactor and improve conntrack nat tests to include IPv6 NAT.
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new evaluate() function that can be used to spot
inconsistent configurations.
Don't allow CommitTimeout with DisableExternalCache On since this
results in EINVAL errors. CommitTimeout makes no sense with no external
cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This warning has been there for long time, and the example files we
provide already come with the right syntax, so remove this old chunk.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The UPnP Device Architecture spec provides a way for devices to connect
back to control points, called "Eventing" (chapter 4). This sequence can
look something like:
1) Outbound multicast M-SEARCH packet (dst: 1900/udp)
- Create expectation for unicast reply from <any host> to source port
2) Inbound unicast reply (there may be several of these from different devices)
- Find the device's URL, e.g.
LOCATION: http://192.168.1.123:1400/xml/device_description.xml
- Create expectation to track connections to this host:port (tcp)
3) Outbound connection to device's web server (there will be several of these)
- Watch for a SUBSCRIBE request
- Find the control point's callback URL, e.g.
CALLBACK: <http://192.168.1.124:3500/notify>
- Create expectation to open up inbound connections to this host:port
4) Inbound connections to control point's web server
- The device will send NOTIFY HTTP requests to inform the control point
of new events. These can continue indefinitely. Each NOTIFY
request arrives on a new TCP connection and may have a different
source port.
Add the necessary code to create expectations for each of these
connections and rewrite the IP in the CALLBACK URL. Tested with and
without NAT.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
We can just remove the strdup() from the lexer, given that we always
copy these strings in the parser.
Reported-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
According to valgrind, this currently leaks ~512B to 2kB for each
packet sent to the userspace helper.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so
it should be freed at the end of the loop. Some of the other helpers
(like rpc.c) do this, but it is missing here.
Reported-by: Eric Caruso <ejcaruso@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Do not set a mark filter to ctnetlink if the user doesn't explicitly
specify this.
Fixes: aa925010951e ("conntrack: allow to filter by mark from kernel-space")
Reported-by: Joseph Conley <joseph.j.conley@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
There has been a long adaptation time already, with several conntrack-tools
releases in the meantime.
Users migrating from an old conntrackd to a current one are required
to update their config file.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Produces this:
warning: implicit declaration of function 'dlog'
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
If a resync is requested with 'conntrackd -n', a log message is printed
in the caller node, but no message is printed in the other.
Print a message so tracking the behaviour of a cluster is a bit easier.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
My email address has changed, let's update it.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Review fprintf() and perror() calls and replace them with proper logs,
since it now supports being called anytime during runtime.
While at it, several messages are fixed, deleting \n, adjusting
coding style and some typos.
Also, the 'conntrackd cannot start, please review your configuration' is
printed before closing the log engine.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Now that our main log function is able to handle the case of the log engine
not being initialised, we can use the general function instead of a custom
one in the parser.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will allow to call dlog() function from all the points in the
execution at runtime.
If the log was not initialized, then we just fprintf and return.
By now, we can't init the log engine earlier because we require config
from the user, so there is a egg-chicken problem.
This means that we can't log parsing messages to logfiles but only to
stderr/stdout.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If conntrackd is running in console mode (i.e. in foreground)
then we can print the log messages to stdout/stderr.
This eases the workflow for admins, since we condensate more info into
the same terminal output.
Example:
% sudo conntrackd -C /etc/conntrackd.conf
WARNING: XXXX is an invalid interface
[Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling internal cache
[Thu Oct 27 13:57:09 2016] (pid=7581) [notice] disabling external cache
[Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] can't open channel socket: No such device
[Thu Oct 27 13:57:09 2016] (pid=7581) [ERROR] initialization failed
ERROR: conntrackd cannot start, please check the logfile for more info
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have observed this message several times:
[ERROR] can't open channel socket
[ERROR] initialization failed
which is very difficult to understand.
The errno message should help this to be a bit more explicit.
With this patch, in the case of wrong interface:
[ERROR] can't open channel socket: No such device
[ERROR] initialization failed
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|