| Commit message | Author | Age | Files | Lines |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
sh -e (-x) will provide the same functionality as the run function
previously.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Similar to the commit in iptables, add Libs.private to tell about
dependencies for static linking.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
This patch adds some missing attribute checks in the XML
output that may result in inconsistent output (thus displaying
some attributes out of <meta dir="independent">...</meta>)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds missing tags such as [UPDATE] and [DESTROY]
for expectation events. The Linux kernel does not support
any of these expectation events yet, but we include them for
future use.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds an example on how to set up a user-space expectation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch changes the existing example to make it more realistic.
It also removes the timeout setup since this field is ignored by
ctnetlink if we specify a kernel-space conntrack helper to be used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows setting the expectation flags from user-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We also remove the reference to CTA_EXPECT_QUEUENR, which was never
pushed into the Linux kernel mainline.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This warning has been there for quite some time, fix it by relaxing the
const type checking.
callback.c: In function `__expect_callback':
callback.c:30: warning: passing argument 2 of `__parse_expect' from incompatible pointer type
../../include/internal/prototypes.h:32: note: expected `const struct nfattr **' but argument is of type `struct nfattr **'
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
PKG_CHECK_MODULES already produces its own (and more verbose) message
when a module cannot be found.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is no need to call AC_CANONICAL_SYSTEM when only AC_CANONICAL_HOST
is needed. Also, checking for $target is factually incorrect, since we
do not produce object code like a compiler. Use $host, which specifies
the triple/quadruple where the compiled program is supposed to run.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Note: the use of -i seems required, otherwise autoreconf barfs about
missing tools (depcomp, etc.). Since they are provided in the tarballs
as files anyway rather than like previously as symlinks, I do not see a
problem using -i.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Make_global.am:7: "INCLUDES" is the old name for "AM_CPPFLAGS" (or "*_CPPFLAGS")
qa/Makefile.am:1: "Make_global.am" included from here
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
automake options also need to definitely go into configure.ac, otherwise
they only apply to a single directory.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, we put stack.c and bsf.c out of the documentation
since they are only for internal use. We also include the relevant
exported libnetfilter_*.h headers.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch bumps version to 0.9.0 and it bumps the API revision number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes an EINVAL error that we hit in Linux kernel <= 2.6.25.
Basically, if we send an empty CTA_PROTOINFO_TCP attribute nest, the
kernel returns EINVAL. To fix this, we first check if there is
any TCP attribute set.
Reported-by: Rui Sousa <rui.sousa@mindspeed.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Still missing several enumerations that should be documented.
You still have to look at libnetfilter_conntrack.h to check
conntrack object attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.in and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since Linux kernel 2.6.34, the attribute validation for CTA_HELP_NAME
requires that the string must be NULL terminated. I think that this
should be fixed in the kernel instead since it breaks old binaries of
the library. However, we're already in 2.6.36-rc, so let's fix it
in user-space and hope that everyone upgrades.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch bumps version to 0.0.102 and it bumps the API revision number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the NAT sequence adjustment setter (they were swapped!).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes kernel-space filtering via BSF for several
network addresses. The problem is that we store the network
address of the netlink message in the ALU. Then, we perform
an AND of the network mask and the address, this operation
is stored again in the ALU. If we compare the address with
a second address, we have to reload the address to the ALU.
The following example clarifies the problem. In the following
order, we want to filter:
1) 224.0.0.0/4
2) 127.0.0.1/32
Now, we receive traffic from 127.0.0.1, it should be filtered.
However, without this patch, it is not. Let's see why:
ALU 7f000001 (addr=127.0.0.1)
AND f0000000 (cidr=4)
-------------------------------
ALU 70000000
this is stored in the ALU. Then, we check for 127.0.0.1:
ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
AND ffffffff (cidr=32)
-------------------------------
ALU 70000000
This does not match 7f000001. To fix this, we have to reload
7f000001 to the ALU. Thus, the second comparison works fine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
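The reload described above, as an added example that is not libnetfilter_conntrack's own code: a toy classic-BPF interpreter (the opcode names and encodings are this example's own, not those of linux/filter.h, but the accumulator, masked compare and jump semantics mirror cBPF) plus a builder that emits one AND/JEQ pair per network, either without reloading the address between rules (the bug) or with a fresh load before every mask (the fix). The message buffer, the address offset ADDR_OFF and all function names are assumptions; the two rules are the ones from the commit message, and the verdict convention (0 drops the message) is the one the library's filter uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy subset of classic BPF used to reproduce the bug. Opcode names and
 * encodings are this example's own, not linux/filter.h, but the semantics
 * match cBPF: one 32-bit accumulator A, big-endian absolute loads, AND
 * with an immediate, conditional forward jumps by jt/jf, and RET k. */
enum { OP_LD_ABS_W, OP_AND_K, OP_JEQ_K, OP_RET_K };

struct insn { uint8_t code, jt, jf; uint32_t k; };
struct rule { uint32_t net, mask; };    /* host-order network and mask */

#define MAX_INSN 64
#define ADDR_OFF 8  /* assumed offset of the IPv4 address in the message */

/* Verdict semantics follow the library's filter: 0 drops the netlink
 * message, non-zero delivers it. */
uint32_t run_filter(const struct insn *prog, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    size_t pc = 0;

    while (pc < n) {
        const struct insn *i = &prog[pc++];
        switch (i->code) {
        case OP_LD_ABS_W:
            if (i->k > len || len - i->k < 4)
                return 0;                     /* out of bounds: drop */
            A = ((uint32_t)pkt[i->k] << 24) | ((uint32_t)pkt[i->k + 1] << 16) |
                ((uint32_t)pkt[i->k + 2] << 8) | pkt[i->k + 3];
            break;
        case OP_AND_K: A &= i->k; break;
        case OP_JEQ_K: pc += (A == i->k) ? i->jt : i->jf; break;
        case OP_RET_K: return i->k;
        default: return 0;
        }
    }
    return 0;  /* fell off the end: treat as drop */
}

/* Emit "drop if the address is inside any rule", rules in the order given.
 * reload == 0 reproduces the bug: from the second rule on, the AND works
 * on the previous rule's masked result instead of the address.
 * reload == 1 loads the address again before every mask (the fix). */
size_t build_filter(struct insn *prog, const struct rule *rules,
                    size_t nrules, int reload)
{
    size_t n = 0, accept, drop;

    if (3 * nrules + 2 > MAX_INSN)
        return 0;
    for (size_t r = 0; r < nrules; r++) {
        if (r == 0 || reload)
            prog[n++] = (struct insn){ OP_LD_ABS_W, 0, 0, ADDR_OFF };
        prog[n++] = (struct insn){ OP_AND_K, 0, 0, rules[r].mask };
        prog[n++] = (struct insn){ OP_JEQ_K, 0, 0, rules[r].net }; /* jt patched below */
    }
    accept = n++;
    drop = n++;
    prog[accept] = (struct insn){ OP_RET_K, 0, 0, 1 };
    prog[drop]   = (struct insn){ OP_RET_K, 0, 0, 0 };
    for (size_t i = 0; i < accept; i++)
        if (prog[i].code == OP_JEQ_K)
            prog[i].jt = (uint8_t)(drop - (i + 1));  /* jf stays 0: next rule */
    return n;
}

/* Verdict for one source address (host order) under the commit message's
 * two rules, 224.0.0.0/4 then 127.0.0.1/32, with or without the reload. */
uint32_t verdict(uint32_t addr, int reload)
{
    static const struct rule rules[] = {
        { 0xe0000000u, 0xf0000000u },  /* 224.0.0.0/4 */
        { 0x7f000001u, 0xffffffffu },  /* 127.0.0.1/32 */
    };
    struct insn prog[MAX_INSN];
    uint8_t msg[16] = { 0 };  /* constructed message, address at ADDR_OFF */
    size_t n;

    msg[ADDR_OFF]     = (uint8_t)(addr >> 24);
    msg[ADDR_OFF + 1] = (uint8_t)(addr >> 16);
    msg[ADDR_OFF + 2] = (uint8_t)(addr >> 8);
    msg[ADDR_OFF + 3] = (uint8_t)addr;
    n = build_filter(prog, rules, 2, reload);
    return run_filter(prog, n, msg, sizeof msg);
}

int main(void)
{
    printf("127.0.0.1 without reload: %u (bug: delivered)\n", verdict(0x7f000001u, 0));
    printf("127.0.0.1 with reload:    %u (fixed: dropped)\n", verdict(0x7f000001u, 1));
    return 0;
}
```

Without the reload, 127.0.0.1 is delivered because the second compare sees 0x70000000 left over from the /4 mask; with the reload it is dropped. A multicast source such as 224.0.0.5 is dropped either way, since the first rule never depends on a stale accumulator, which is why the bug only shows for the second and later networks.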
make output of nfct_snprintf() similar to /proc/net/nf_conntrack.
tcp 6 23 TIME_WAIT src=XX.208.XX.243 dst=XX.14.XX.100 sport=35917 dport=80 packets=10 bytes=2555 src=XX.14.XX.100 dst=XX.208.XX.243 sport=80 dport=35917 packets=9 bytes=1163 [ASSURED] mark=0 secmark=0 use=2 zone=1
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add Patrick's zone support for libnetfilter_conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes parsing of 64-bit attributes (that are unaligned)
in ctnetlink. It would be better to add nfnl_get_uX() functions
similar to those in include/net/netlink.h to libnfnetlink to avoid
this sort of error.
Reported-by: Jan Engelhardt <jengelh@medozas.es>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
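The alignment problem the message refers to, as an added example that is not libnfnetlink's or libnetfilter_conntrack's code: netlink attribute payloads are only 4-byte aligned, so a 64-bit counter may start at an address that is not 8-byte aligned, and dereferencing it through a uint64_t pointer is undefined behaviour that faults on strict-alignment CPUs. The getters below read byte-wise (or via memcpy) instead. The attribute header layout is a stand-in modelled on struct nfattr (16-bit length, 16-bit type), the sample attribute is constructed, and all ex_* names are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the nfattr header: 16-bit length (header + payload, host
 * order) and 16-bit type, payload padded to 4 bytes. Only the layout is
 * relevant here; this is not the libnfnetlink definition. */
#define EX_ATTR_HDRLEN 4

/* Read a 64-bit big-endian value byte by byte: correct at any alignment
 * and on any host endianness (ctnetlink sends counters in network order). */
uint64_t ex_get_be64(const void *p)
{
    const uint8_t *b = p;
    uint64_t v = 0;
    for (size_t i = 0; i < 8; i++)
        v = (v << 8) | b[i];
    return v;
}

/* Host-order variant: memcpy() lets the compiler emit an alignment-safe
 * load, where *(const uint64_t *)p would be undefined behaviour. */
uint64_t ex_get_u64(const void *p)
{
    uint64_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Parse the first attribute in buf and store its 64-bit payload.
 * Returns 0 on success, -1 if the attribute is truncated or too short. */
int ex_parse_counter(const uint8_t *buf, size_t len,
                     uint16_t *type, uint64_t *out)
{
    uint16_t alen;

    if (len < EX_ATTR_HDRLEN)
        return -1;
    memcpy(&alen, buf, 2);          /* header fields are also unaligned-safe this way */
    memcpy(type, buf + 2, 2);
    if (alen < EX_ATTR_HDRLEN + 8 || alen > len)
        return -1;                  /* claims more than the buffer holds */
    *out = ex_get_be64(buf + EX_ATTR_HDRLEN);
    return 0;
}

/* Constructed sample: one attribute of type 7 carrying 0x0102030405060708.
 * The payload sits at offset 4 of an 8-byte-aligned buffer, i.e. 4-byte
 * aligned but not 8-byte aligned: exactly the case the fix is about. */
int ex_demo(uint64_t *value)
{
    union { uint64_t align; uint8_t b[16]; } buf = { 0 };
    const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint16_t alen = EX_ATTR_HDRLEN + 8, type = 7, got_type;

    memcpy(buf.b, &alen, 2);
    memcpy(buf.b + 2, &type, 2);
    memcpy(buf.b + EX_ATTR_HDRLEN, payload, 8);
    if (ex_parse_counter(buf.b, sizeof buf.b, &got_type, value) < 0)
        return -1;
    return got_type == 7 ? 0 : -1;
}
```

The length check before the read matters as much as the alignment: an attribute whose length field exceeds the remaining buffer would otherwise let a malformed message read past the end of what was received.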
This patch adds the missing bits to support the modification of the
TCP window scale factor in a conntrack entry. The kernel support
has been already there since 2.6.23.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes wrong comments in the libnetfilter_conntrack.h header
file. The counters of the user-space conntrack object have always been
64 bits long (even if for some time they were 32 bits long in the
kernel). This does not break backward compatibility, but users (like
ulogd2) have to fix this to avoid truncating the counters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch bumps libnetfilter_conntrack version to 0.0.101.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes the autocomplete feature for ICMP[v6] entries
that makes the kernel return EINVAL. Basically, we skip the
autocomplete since this is already done in the setter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Eder <heder@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch bumps libnetfilter_conntrack version to 0.0.100.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch unsets all the existing callbacks if we call
nfct_close().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the new expectation callback interface. This change is
like 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 but related to
expectations. The netlink message contains the portID that is useful
to identify the origin of the message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch fixes missing endianness conversion of the new
attribute ATTR_HANDSHAKE_SEQ that was included in
19f35b21dbe2bb4386eeced4e0d87f3b2e1d.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch renames the attribute constant to access the DCCP
handshake sequence number that was recently committed in
19f35b21dbe2bb4386eeced4e0d87f3b2e1dd8bf. No release with
the old name has been done, so no problems about backward
compatibility although it'd be better if I don't push changes
that I have to modify very soon afterwards.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the prototype of the u64 getter/setter to the header
file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the support for the DCCP sequence number tracking
that is included in the upcoming Linux kernel 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support to auto-generate BSF code for IPv6. It
requires a Linux kernel >= 2.6.29. The maximum number of addresses
is limited to 20 (12 BSF lines per IPv6 address comparison). I am
not sure that removing this limit is useful given that oprofile
does not show very good numbers for very large (in terms of lines)
filters. This completes one feature that is available in IPv4 but
that was missing in IPv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes a check that is performed before building the
protocol private information. This check silently removed any
protocol attribute if the configuration is inconsistent. With this
change, the kernel reports the error to tell that some attributes
are missing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch updates the version dependency checking.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch partially reverts 76e6042107de23790f0532e3bf3c396cba27e5aa
since it recovers some obsolete enums and constants that are required
to avoid breaking compilation of old versions of the conntrack-tools.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the new SYN_SENT2 state that Jozsef
has introduced to support TCP simultaneous open in 2.6.31. We can
safely include support for this feature now since the LISTEN state
was never really used.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
xt_helper uses a length of 30 bytes. However, no helper name in
the tree has exceeded 16 bytes in length so far. Since 2.6.29, the
maximum accepted length is limited to 16 bytes, and this limit is enforced
during module loading. With this patch we save bytes in the
conntrack objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>